TIMES24H – International Breaking News

    Passwordless in today’s society and business

    By Kevin Le, November 15, 2022

    Today’s interview is with Steve Sidhu, owner of CSS Partners LLC, whose tenure in the tech space spans nearly 40 years. Half of that experience was in cybersecurity and identity, working for global organizations such as CA, HP Consulting, and Ernst & Young.

    We at Vietnam Insider had the privilege of interviewing him previously on topics such as effective sales and digital transformation.

    In this interview, we wanted to tap into his experience with passwordless authentication, the significant increase in phishing attacks and SMS scams, and the way forward. As we all know, passwords have been around since 1960, and with the advent of the smartphone, more and more applications have forced users to remember passwords; sometimes individuals even share them between work and personal life.

    We hear so much about phishing attacks related to passwords through social media and other channels, and these stories or articles are the catalyst moving society towards passwordless. Can you provide us with more information on global-level data related to these attacks and the cost to the business?

    On phishing attacks, there is a lot of data available from different organizations, but I have presented an abbreviated version. Let’s look at some data to put things in perspective.

    The next report from IBM highlights the cost to a company in terms of data breaches. It is quite overwhelming and yet some organizations are still sometimes unable to reach the goal.

    Source: IBM Security “Cost of a Data Breach Report 2022”

    What is the market size of passwordless in 2025/2026? In which regions do you expect to see many instances of passwordless deployment?

    A study by KuppingerCole estimates that the market will reach USD 6.6 billion by 2025, with their analysts predicting the compound annual growth rate (CAGR) to rise to 31.1%.

    Published October 27, 2022

    In my view, North America, EMEA, Japan and Korea are highly visible markets that are early adopters and others will follow in the near future.

    Another study below, from Future Market Insights, shows the BFSI industry as the leader, with North America having the larger market share for FIDO authentication.

    What industry standards exist for secure authentication protocols today? Who are these organizations?

    A leading organization driving a secure authentication protocol is the FIDO Alliance, a global non-profit organization that has been working since 2012 to make the internet more secure. The FIDO Alliance was founded by Nok Nok Labs, Infineon, Validity Sensors, PayPal, Lenovo and Agnitio. After that, FIDO (Fast Identity Online) was publicly launched in 2012 with the aim of reducing dependency on passwords. In 2014, FIDO released two protocols, namely FIDO Universal Authentication Framework and FIDO Universal 2nd Factor. Since 2018, FIDO has introduced FIDO2, which includes WebAuthn and Client to Authenticator Protocol (CTAP) and is simply an asymmetric key pair that matches both the private and public key. The purpose of the FIDO Alliance is to eliminate the password with greater security, remove problems such as password resets and friction, and improve legal compliance and standards compliance, ease of use, and strong authentication. Organizations can now replace passwords with stronger hardware-based FIDO2 security keys or biometrics such as fingerprints or facial recognition to significantly reduce phishing attacks.

    With the introduction of passkeys by Apple, Microsoft and Google are using this as a password replacement for user convenience, making logging into websites and apps more secure across a user’s devices. A user can access their FIDO credentials on more than one device without having to register again. For more information, please refer to: https://fidoalliance.org/

    Can you explain what phishing is? We also hear that two-factor authentication and multi-factor authentication can potentially be bypassed; is this true?

    Let’s define it first: what is phishing? It is the act of sending an email or SMS from a trusted source for the purpose of obtaining personal information, such as passwords, credit card numbers, or other sensitive data that may be used at a particular time.

    We had seen that the market had many solutions for 2FA and MFA from the late 1980s with the willingness of companies to adopt 2FA/MFA methods. 2FA involved entering a login name and password (something the user knows), followed by a second step where the user receives an OTP or code via or an authenticator app on their phone, which they must enter to login (something that belongs to you).

    The advantage of using 2FA/MFA against phishing attacks was that the attacker made little use of the stolen usernames and passwords. During authentication, it asked for a second or several factors directly from the user’s device, such as a PIN or biometrics, which prevented attackers from gaining access.

    It is important to note that 2FA can no longer be guaranteed against phishing attacks. There are many ways hackers can bypass the system and gain access to an account. The first way is to bypass 2FA protection by guessing the password or using a brute force attack. The second way is more serious, where the hacker pretends to be a customer service representative through social engineering and asks for the user’s 2FA code, or even calls the bank and pretends to be the user asking for their online banking information.

    The third way is to trick the user into typing their MFA-provided credentials (OTP) into a bogus website.

    Or even run BiTM or MiTM phishing attacks. Tools are available to bypass 2FA and deprecated MFA.

    Finally, even if the customer receives a phishing text message telling him to click on the link because his card has been used in another country. When the customer clicks on the link and actually signs up, they are directed to a spoofing IP address that is a duplicate of the bank’s web page, with the hacker taking over the account.

    The banking industry is experiencing the highest incident rate of phishing attacks, and such instances have already occurred in a reasonable percentage of banks. It is now time for financial organizations to step forward and deploy true passwordless to address this looming problem.

    The industry answer is FIDO2 authentication, which provides users with strong authentication where the end users can authenticate through the browser or an external authenticator, be it hardware or software keys. Something you have, something you know, and something the user provides the strong security to eliminate phishing, credential gobbling, man-in-the-middle attacks, and misuse of stolen credentials. Passwordless authentication not only has cost advantages, but also offers the highest level of authentication security.

    What were the main factors limiting an organization’s ability to move to passwordless?

    In my observations and professional opinion, here are some factors as follows:

    1. Organizations’ digital strategy may lack passwordless as a forward key initiative;
    2. Spending priority or simply no budget;
    3. Maturity level in terms of passwordless;
    4. Positioning and prioritizing passwordless based on their current versus possible projected solution;
    5. Does the company rely heavily on 2FA, OTPs or hardware tokens?;
    6. Clear demonstration of ROI, TCO and NPV to management; and
    7. Ease of implementation

    In my opinion, much of the resistance limiting an organization in implementing passwordless may depend on geography, passwordless maturity, and internal reasons within an organization.

    Who do you think are the main global players providing passwordless authentication solutions?

    In my opinion, the main players in the market that provide passwordless solutions are HYPR, Transmit Security, Yubico, HID Global, SecureAuth, Thales, Daon, 1Kosmos, MiTek, Feitian, Onfido, LogonID and Authentrend, just to name a few. These organizations have been providing solutions to the market on a global level for quite some time now.

    Should organizations engage a consulting firm to develop business case studies to justify deploying passwordless?

    Yes, the main purpose of hiring a consultancy is mainly:

    1. Help understand the current state, digital strategy, problem areas and recommend solutions best suited to a future capability supplier neutral.
    2. The goal is to present to management and the board of directors the tangible benefits that passwordless brings to the organization to eliminate all possible risks, including ROSI.
    3. Organizations have been conducting workshops and training in the intrinsic value of removing passwords and not being a victim.

    CSS Partners LLC has over 150 years of global experience and is well versed in developing digital strategies and business cases to ensure completeness and organizational adoption. The company’s consultants have in-depth knowledge of technology, security risks, audits, finances and an understanding of business requirements, coupled with positioning the most appropriate solution to suit the company’s requirements.

    As an organization, we perform such work for every company in every region.




    Source: Vietnam Insider

    © 2023 TIMES24H. Regn. No. 0316487598. All rights reserved