Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show notes: Take the Guessing Out of Passwordless Authentication
Quick Take
On this week’s episode of Compliance Unfiltered, the CU guys dive headfirst into the relatively new frontier of passwordless authentication. Most folks have questions about this realm and how it relates directly to compliance standards – we get it.
On this episode, Adam gives you the full rundown of what, how, and why passwordless authentication could be valuable for your organization.
All this and more “good stuff,” on this week’s episode of Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter.
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who always keeps you guessing. Adam Goslin, how the heck are you? Doing great. How are you, Todd? I can’t complain, man. This time of year, so many plates are spinning for so many different folks. It’s hard to keep track of everything, especially things like, I don’t know, your 18-digit password that you need to get into your grocery store app.
So today, we’re going to talk a little bit about something I think that’s near and dear to a lot of people’s hearts, and that’s passwordless authentication. Now, what in the heck is that exactly? Well, as the title would infer, authenticating without a password, not to be Captain Obvious over here. I feel like I should have my pug bongos or something at hand, so that I can mimic the commercial. Have you seen that one? PS, you can get your Compliance Unfiltered pug bongos. I would love to have pug bongos. I think that’d be hilarious. A whole new dimension to our motion alerts though. So, yeah, all right, maybe we need to rethink that. I’m struggling enough as it is. We’re workshopping it, it’s fine. So anyway, now, as the name suggests, there’s a lot of rumblings going on right now about passwordless authentication out in the space.
Like you infer, there’s a couple of schools of thought on the whole password thing, right? Users effing hate changing their passwords, and having these long-ass passwords, and there’s security people out there that are like, hey, passwords are the bane of our existence, if we didn’t have those pesky passwords, then we’d probably be more secure, if they didn’t make us change them, da, da, da. So there’s a ton of schools of thought about, to password or not to password. And so that’s really where the passwordless authentication kind of took hold. Back in the day, you’d use a username and a password to go get into everything under the sun. Next thing you know, bad guys and girls are grabbing people’s usernames and passwords and hacking accounts. And so poof, you know, we get two-factor authentication, and all these glorious ideas of hey, if we make people change their passwords more often and make them really long and complex, then they’ll be forced to go ahead and use a password management system, then we’re going to hit some utopia. Well, I mean, that actually encouraged a lot of people to go with password patterns, and things along those lines. It started with the old-school RSA key fobs, which were a thing for a long period of time. And then they’ve moved into multi-factor authentication, where you had to get two of three different factors, something you know, something you have, something you are, so you know, you have your username, password, you have a one-time code sent to your phone, some are biometrics, retinal scans, facial recognition, fingerprints, things along those lines. So, with all of that kind of backdrop in mind, the passwordless authentication approach really just seeks to eliminate the password component of it.
So, basically, you know your username, and then you’ve got something else that kind of goes along with it, so that we can validate that this user is really a valid user for gaining access to this particular target system that they’re trying to gain authentication to.
Sure. Now, for the purposes of this podcast, I have to ask, does passwordless authentication, like, play well in the sandbox with compliance standards? Well, that’s a mixed bag, you know, the bottom line is that it grows in popularity from a grassroots level.
But with anything, any drive to fundamentally change the mode of mechanisms for authentication, it’s gonna take a while before all the governing bodies kind of play catch-up on this. There’s many standards out there which will literally have line-by-line requirements for, thou shalt approach your authentication in this manner. PCI specifically is very prescriptive in terms of its requirements for what needs to be there. And, you know, under 3.2.1, we’ll see where things settle out. I don’t think I’m making massive changes for 4.0, but even other standards that are out there, there are password requirements, authentication requirements that need to be met. So I think it’s going to be a little bit before we see the compliance arena really embracing it wholeheartedly across the board. I think for the time being, it’s going to be a mixed bag for those organizations that are going up against multiple certifications. Now you’ve got the challenge of, number one, which compliance standards is it that they’re presently subjected to, and also evaluating any standards that these organizations are going to want to go up against in the future, which will really drive the initial landscape, if you will.
Yeah, I guess that makes sense. Now, what if a company still wants to move forward with passwordless authentication, despite that? Well, you know, before you just go tearing off down the passwordless authentication path, I’m a big fan of, take your measurements, review the landscape, then plan your leap off of the cliff. But, before you’re doing anything, do upfront analysis and research on your various compliance requirements; we were talking a minute ago about which ones are you subject to now, which ones do you see on the near-term horizon. I mean, the last thing you want to do is just go headfirst into rolling out this brand new authentication approach only to discover that, oh, now we’re gonna have a problem with getting through our compliance. So, the first step, especially if your organization is in the process of leveraging an assessor, I mean, stop, number one is go ahead and bend the ear of the assessment firm and talk with them about, hey, we’d love to go down this path. What do you see as options? How can we navigate these waters, etc. The reality is, their job is at the end of the day to make the call on, are you meeting the requirements, or are you not? Are they going to bless your path through the weeds or not? So you definitely want to make sure that you’re checking in with the assessor before you just go full force down that path, if you will. Keep in mind, there’s some options, depending on what standards you’ve got; the assessors may approve a risk-based approach when it comes to meeting the various requirements that you have for a particular certification. They can work with you to find an inventive way to head down that path. It may be that it’s perfectly acceptable because of the suite of compliance standards you’ve got. My guess is, more often than not, you’re going to have some challenges if you’re wanting to head down this path.
But you just don’t want to go spending the time, money, effort on some big initiative that all of a sudden the assessor is not going to sign off on. And the worst part about the whole, ah, let’s throw caution to the wind and go down this passwordless authentication path is the users, all the users are going to love it. And so now you’ve got an internal uprising. Right when you’re, like, oh, yeah, and here’s your passwordless authentication, ah, just kidding, never mind, we can’t really do it, that’s not going to go over well, shall we say. So, yeah, you definitely want to make sure you’ve got that together. Another asset that organizations can leverage is if they are lucky enough to have a consultant in addition to their assessor to lean on. Well, the cool part about the consultant is, number one, they’ve got an outsider’s perspective, they can draw on all their experience they’ve been involved in with these various compliance standards. They’ve seen what other people have done, and they also fall into that unique arena where they’re not obligated to do everything at arm’s length, they can have real conversations with you about what are the real pluses and minuses, and what should you do, etc. You can get a lot more solid and frank response out of the consultants that you’ve got. They’ll be able to help you with it; if it’s them plus an assessor, then they’ll be able to kind of help you work your way through the conversations with the assessor. Navigate the waters of getting them to, you know, agree, bless, and allow you to move forward.
Now what if a company is already leveraging passwordless authentication and now wants to get compliant, like, what kind of options do they have? Well, there’s a couple of things. I mean, you know, they’re not just SOL, you know, if they’re already down that path. There’s various ways to roll out the passwordless authentication and be able to navigate the compliance waters. Certainly, the commentary we just had about, you’re going to need to go through the gauntlet with the assessor, maybe your consultant can kind of help, etc. Both of those are going to come into play as well. One option that they may be able to take, depending on the headspace of their assessor, is going down the path of using the passwords as backups or a recovery method for their, you know, their accounts. Set them up using passwords initially and then go with a passwordless authentication for SSO, you know, passwords as a backup. While it’s not a true passwordless solution, it’ll at least allow the day-by-day folks to go passwordless, once they’ve crossed that initial barrier. But leverage the SSO for streamlining the access to the internal systems. As an organization, maybe you’re striking a middle ground, right? Okay, yeah, not truly passwordless, but you only have to enter your password once for any of the ones that are integrated to your SSO solution. So, you know, that might be one way to be able to navigate the waters, and still appease the assessors as you’re going down the path, depending on what you have to go up against.
Another option, if you’ve got devices that allow local authentication to a particular device in addition to the integration to Active Directory or single sign-on, maybe you can set up the local direct authentication to switch over when you have to log into your switch. Since that’s where your credentials are stored. Those credentials aren’t integrated into Active Directory, SSO or any of the other multi-factor authentication arenas. That way you can maintain that passwordless solution for your main line authentication, but still be checking the boxes of PCI. If you’ve got those passwords for local devices, maybe you can use the management of those to be able to fill the boxes on your compliance track, if you will. Another option that organizations may be able to take advantage of is going down the path of limiting their compliance scope. So it may be that the environment that they need to go get compliant is really this subset of the overall corporate structure, etc. And so everybody can be using their passwordless for other things on the network. But then you set in place specific rules for these specific systems that’ll meet the needs or requirements that the assessor has as you’re going down that path. The segmentation would allow you to basically have one set of rules for the in-scope segmented environment and a different set of rules, obviously, for those arenas that aren’t necessarily tied straight into the systems that you have to maintain compliance for.
Yeah, that makes total sense. Parting thoughts and shots for the folks this week. Well, passwordless authentication might be gaining in popularity from the grassroots level. But it’s still a no-go for several of the compliance standards out there. Just to reiterate the notion of do your research, connect with your assessor, connect with your consultant. Just, if you are in a position where you’re already headed down the path of passwordless authentication, and now I need to turn around and go get compliant, just be prepared. You may have to make some tough decisions. You might be able to figure your way. But you and I have spoken in the past about choosing your assessor, which is really important. Ringing in the back of my ears, right, is that, if you have a really black-and-white style approach assessor, where they’re not willing to, you know, look at the requirements and look at the nature of the criteria that you need to meet, and we can basically make the solution, you know, justifiably make the solution work to be able to check the boxes and allow you to kind of continue down the path. If you’ve got that black-and-white assessor, it’s tough. If you’ve got an assessor that is willing to consider options and all that fun stuff, it makes that path certainly tremendously easier to be able to go down.
At some point in the game, passwordless authentication will likely be an option for various security standards. But, until that happens, just keep your ear on the noise and your nose above the waterline. And certainly, the TCT crew can give people assistance with getting headed in the right direction, if that’s what they need. Sure, and I don’t want this to sound too ominous. So thank you for providing some rays of sunshine there at the end. Sure. No problemo.
And that’s right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less.