Cyber panel urges MFA, passwordless access, internal awareness to thwart digital ID attacks
A panel of cybersecurity experts at the Identity Defined Security Alliance’s Identity Management Day 2022 recommend mass adoption of multi-factor authentication (MFA) and passwordless solutions, and emphasize education about digital identity-based attacks to prevent the ever-growing scourge of security breaches.
At the event’s panel for preventing identity-related attacks, the experts sought to answer why progress on preventing digital identity-related breaches remains stalled, and how organizations and individuals can close the gaps.
Panel leader Sean Deuby, director of services at Semperis, proposed to the group that humans are the weakest link in the identity security chain. Clint Maples, the chief information security officer at Robert Half, says this question arises because “we made it this way.” Maples says computer systems and authorization are “terrible” because they are complicated and need too many steps, which means identity and authentication must be designed so that the right decision is the only one a user can make.
Maples adds that identity-focused attacks doubled from 2020 to 2021, becoming the second most common attack type after security errors from vulnerabilities, and anticipates them overtaking as number one, highlighting the importance of improving how security and authentication are performed and making them easier.
Manish Gupta, director of global cybersecurity services at Starbucks, believes it is a broader challenge of re-training people accustomed to one way of using computers. Regulations, cultural differences, and technical challenges around the world were also listed as roadblocks to identity-related security. Gupta names examples like a preference for QR codes over MFA and Google not being available in China, which means no Google Play Store to download identity apps for Android smartphones. Environmental circumstances that interfere with remote transactions using facial recognition can even include thick walls and basements on top of masks.
Tom Sheffield, the senior director of cybersecurity at Target, observes that “The gaps are where we fall down.” To plug them, he says that identity must be built on a foundation of governance that enforces MFA, requires strong passwords, protects shared accounts, and deploys robust lifecycle capabilities. Sheffield emphasizes the need to be vocal about the importance of said governance capabilities and advocate for their necessity to their clients. Then, he suggests, the cybersecurity experts find the holes to fill.
“We have a skills gap and we still have a perception that this entire thing is horribly complex,” comments Martin Kuppinger, the founder and principal analyst of KuppingerCole, about cybersecurity in small and medium-sized organizations. “We must invest in educating about the many things we can do about identity security,” he adds, mentioning MFA as a simplified process for identity security that is helping in this movement.
The panelists frequently named MFA as a must-have for today’s cybersecurity offerings. Maples says MFA with a FIDO token would be something he would “love” to see, because the threat of ‘MFA bombing’ attacks, which prey on people’s impatience, and the weak security of SMS authentication show that an alternative is needed. “MFA all things, get rid of system passwords,” he concludes, throwing his support behind passwordless solutions as well.
Sheffield says any MFA is better than none, citing analysis from Microsoft that says 99.9 percent of account compromise attacks could be addressed by MFA, and says Target has had success with FIDO registrations and biometric logins like fingerprint readers on laptops. But he notes that the critical part is first recognizing where the endpoints and vulnerabilities are; MFA should then be rolled out in phases that address the identified risks, alongside simplifying the security environment to minimize the attack surface.
“At the end of the day, it’s up to us as identity and cybersecurity professionals though, to do more than just education, more than awareness. We have to do more in our space to help make it really hard, if not impossible, to make the wrong decision. How do you make the right decision the only decision possible?” says Sheffield, referring to secure-by-design principles.
To prevent being the next victim of a cybersecurity attack, Gupta says, “We have to walk away today by making a start of a movement where passwords are considered déclassé,” with passwordless solutions.
Sheffield tells the panel and audience to know their business, threats, risk, users, and customers rather than chasing the current headlines. “For some people, you have to ignore that hype right now and focus on where you are on your journey and where your risks are today, and then implement and prioritize against your risks and your level of risk and then forward from there. And then from some point, zero-trust or passwordless may be the solution to get to, but if you’re not there today, you will be doing yourself a disservice if you don’t close your immediate risks right in front of you.”
The IDSA also unveiled the Identity Management Award winners at the second annual event. Allstate and West-Mark were awarded ‘Identity Management Project of the Year’ in the enterprise and SMB categories, respectively, while Adobe won for ‘Best Identity-based Zero Trust Initiative,’ and Comcast Executive Director of Identity and Access Management Rajnish Bhatia was also among the winners.