The password paradigm at Identiverse 2022
We know there are problems with passwords. It seems that no matter what we do to make them more secure, criminals are one step ahead of us. Advice has shifted from how to create a good password (make it one you can remember, use an algorithm, make it a passphrase, don’t use 12345!) to using a password manager. Passwords are an attractive attack target. From the Morris Worm to today’s database breaches that feed dark web commerce, passwords are seen as a problem to be solved. But there are two main theories on how to solve that problem: improve passwords or do away with them altogether.
One of the main themes at Identiverse and in the IAM community right now has to do with the password paradigm. Can passwords be improved or should we embrace a new passwordless paradigm with biometrics? Spoiler: I think we can both improve passwords and explore a passwordless paradigm. Here’s the roundup of these sessions at Identiverse 2022.
Andrew Shikiar, the executive director at FIDO Alliance, held ‘The State of Passwordless Authentication,’ describing the paradigm shift from knowledge-based credentials (what’s in your head) to possession-based credentials (what’s in your hand). FIDO’s goal is to reduce the possibility of credential-based attacks.
Jackie Comp and Rolf Lindemann, both from Nok Nok Labs, gave real-world examples during their session ‘Where to Start Your Passwordless Customer Journey? Five Real Deployment Use Cases and Best Practices.’ Tim Cappalli and Scott Bingham from Microsoft presented ‘Hey FIDO, Meet Passkey!’ Passkeys are designed to help scale FIDO adoption in the consumer space.
Tom Sheffield, senior director, Cybersecurity at Target, shared real-world experience implementing FIDO in his ‘Insights from Target’s Enterprise Journey to Adopt FIDO.’
Improving the password
While we dream of a new passwordless world, passwords aren’t going away anytime soon. Multi-factor authentication is useful, but it can be a challenge to roll out to a broad customer base.
Ian Glazer, SVP Identity at Salesforce, shared his ‘Lessons on the Road to Complete Customer MFA Adoption’ on the challenges of launching MFA to Salesforce customers. It’s an inspiring story sharing the challenges and successes of the Salesforce journey.
Mike Schwartz from Gluu made a compelling case for the password in his ‘Bring Back the Password — But Do it Right This Time.’ Schwartz points out that passwords are not going away anytime soon, and there are ways we can improve them using MFA. He says that fixing passwords is about fixing the UI of authentication to make it easy for users to continuously authenticate. His solution utilizes keyboard dynamics as a behavioral biometric.
To solve the password problem, we need to improve current solutions and build better ones simultaneously — and in order to give customers the most secure experience, both sides need to collaborate and learn from each other. If you missed Identiverse, these sessions will be available on demand in the coming months.
About the author
Heather Vescent is a digital identity industry thought leader and futurist with more than a decade of experience delivering strategic intelligence consulting to governments, corporations and entrepreneurs. Vescent’s research has been covered in the New York Times, CNN, American Banker, CNBC, Fox and the Atlantic. She is co-author of The Secrets of Spies, The Cyber Attack Survival Manual and The Comprehensive Guide to Self Sovereign Identity.