
G1234! - F! Passwords! - David Zendzian

BSides Las Vegas · 53:26 · 40 views · Published 2017-08
About this talk
G1234! - F! Passwords! - David Zendzian Ground1234! BSidesLV 2017 - Tuscany Hotel - July 26, 2017
Transcript [en]

So I'll be nice to you. This is not gonna be a full hour, so we get to get out early, for those who have not started drinking. I'll be kind to you. I try to avoid talks that rant on about things, but I felt we need to rant about passwords; it's a really important thing. I hate this slide, so we'll pass it really quickly. I've been in this industry forever, for a couple of years, been coming to these events for a very long time, and I really think we can have a good discussion here. So I want to have an environment here where you feel free to shout out anything you wish. If

there's things that we go through that you find you are strongly opinionated about, please feel free to contribute, and let's have some fun with it and move through it quickly. So who here uses passwords? Who has a regulatory compliance part requiring password controls? No? A few? Uh, surprise. Maybe you should go check your regs, folks; I'm sure you have more than you realize. But passwords are something we have to live with, and it's one of those things that has been around since systems were first started. This is just a small list, but there are many things that are driving this, and I'll get into a couple of things at the end. Even the DoD is pushing this; it's gonna be a

big challenge going forward on some of this. I'm sure you've seen all these before, so hopefully someone here has more that I don't have. But password policies: hopefully some people here have had to deliver them and have the same feeling I do about them. But it's the same basic thing to deal with everywhere, you know: only certain complex passwords, certain lengths of passwords they have to have, you know, they can't be transmitted or stored encrypted. That comes right from PCI. You have all the basic things we deal with in passwords. Does anyone have a thing I forgot? Is there a fun password policy that we've worked on somewhere that doesn't fit these? I'm not

expecting an answer, but I'd love to hear one. So my answer is this. Okay, this is streaming; can we curse? So this actually means [ __ ] passwords. So, like we're in church now: what do y'all think about passwords? There we go. We'll practice this; this will come up a few times in this presentation, so feel free to get your energy up. You know, this is the end of BSides, you want to have some energy. Let's go forward and have some fun with it. Oops. So in a typical corporate environment, it's not just one place you have passwords. If you're a small

company, you might have a domain controller and two or three machines, but realistically it's never just that. Every domain you have, you know, you're naturally gonna have some docs in Google Docs, you're gonna have some stuff in Office 365. Who here has mainframes or large back-end computers? Actually almost a third of the room here, and they're not going away. Data center stuff: I know we have the cloud, but you're gonna have data center stuff somewhere in some environment. KVM: who has KVM switches? Which of those integrate into password management? Let's get into that one later. Every one of these systems out there is all

different. You know, there's third-party services, there's all the integrated stuff, you probably have some cloud stuff. Everything out there has passwords and access controls. So picture here at a company: anyone here as a sysadmin ever worked with, as I said, these user access request forms? New user comes in, they have a role defined, let's go create passwords. So how much fun would you have in a typical environment where you've got 20 or 30 separate systems and you have to go out and create unique passwords, get them to the users, explain to the users which is which? How many support calls do you expect you're gonna have? Which password is which, how's it work, I'm confused.

That's pretty common, because in reality they're all separate. You know, we have different ways, which we'll get into in a minute, that people are tying them together, making passwords easier to manage. But realistically, most of the systems we deal with, especially for new companies (that's one of the things I want to focus on here), picture your new company: you're just starting out and you have all these separate systems. So you can have 10, 15, 20, 30 separate systems, and trying to manage passwords is really, really difficult. And you want to try to do it while following your password policies, making sure things are unique. And I want to share, I'll summarize a story for you.

I want to share the story. I put out the word to all my friends saying, hey, I'm gonna talk about passwords, share some fun story with me about the problems you've had with passwords out there. A good friend of mine came back and said, hey, look at this: we generate unique passwords. Our system admin function: we have a modem that we've converted into a digital clock. It's cool, it's like, you know, an old Hayes modem, we actually reused it, it makes a clock, and we're doing all of our passwords with it. So we come up with "changeit" followed by this four-digit number, this random number we get off the clock. So the friend, I'm trying to ask them, are

these unique? This is 20 years ago; it still applies in some places in the US. How interesting. Wait: "changeit" is eight characters, a UNIX password is eight characters and truncates. Hmm, all of our passwords are "changeit". So yes, um, I basically say [ __ ] passwords. Yeah, we're getting into that in a second. Yeah, yeah, I know. I'm kind of going through the steps of healing. We're a small company, and this I'm actually going through right now. You know, some people are in enterprises, they have legacy systems, but in new companies you see the same problems; we're trying to figure this out. You know, I couldn't just talk about one, but I wanted one thing

we have one, at least, to fill some time. So, password management. So now that we've actually got 30 different passwords we've gotten out there for all of our users, new users coming on board, we do all the passwords and say, okay, let's do password management; we have to make it easy for them. Our password management tools are really made for admins to put passwords in so other people can use them. They're not designed for a corporate environment; they have some tools that help, but realistically they really are a repository for people to use. Who here has executives they're trying to teach 1Password? Non-technical people, your sales people, your marketing people, your PR folks: here, let's give you

a technical solution, put it in your browser to generate passwords for you. Yeah, they're lucky they have Facebook working. You know, 1Password is a great idea, but we know how to use it; people really don't know how to use it. And plus, it doesn't really touch everything. We go back to our mapping of all the different services: does 1Password manage SSH keys for all your cloud servers? Does it manage mainframe passwords? Yes, in some ways yes, in some ways no. I mean, yes, we can copy a key in there, yes, you can copy it into it, but does it manage your SSH keys? Well, then maybe, maybe here's a great forum to make them

publicly available. I'm glad you're here; we can have some public disclosure stuff, even more fun. Third-party apps: I have different colors here because some do work, some don't work. And then I have encrypted disks. You know, we all have requirements in our environments; you have to have data, you know, secure data, you'll have encrypted disks. There really are no tools out there to manage encrypted disks centrally; you can do revocation and different things with it, but realistically, having end users who change their passwords on their encrypted disk every three months? Yeah, I think I'm the only one. Yeah, so it's a problem. Plus, there are other fun things out there. 1Password just

announced they're pulling away from their local storage and making you go to the cloud offering. Do you really want to have your passwords in the cloud? That's one of those questions you need to ask your enterprise: are you comfortable with these tools taking all of your passwords and putting them in one place, especially seeing things like the OneLogin impact with exposure of passwords? You know, are you really comfortable putting your entire corporate environment, all your users, in one cloud provider? That just really is one of those questions out there that makes it difficult to use these tools, which is causing folks... I forget where this came from, I think your mom said

we don't really think you should use password managers; what happens if the device gets hacked? So people are now starting to feel uncomfortable with password managers. So how do we solve that problem? I mean, there's really no easy answer except to say [ __ ] passwords, right? We've got to get past this, and that's the gist of my talk here. I'm kind of pointing these things out; a lot of us really understand and feel the exact same thing about all this. That's one reason why I didn't want to make it a full hour. I really want to say, you know, we're here to have this conversation, try to look at what we are doing to solve this problem, because we are the group of

people who are going to go beyond these password managers and go and figure out how to make these things work. So back to our fictional user: we created all these user accounts, the user comes in on his first day, and what happens? Password reset time. So they come into the office on the first day, they've got 40 passwords to change, a brand new password manager which they've never used before. They're someone in marketing, you're a junior dev person, so you spend two days on the phone with them walking them through changing passwords and how to get onto machines, and train them how to use these tools. And it's not efficient. And I don't want to make this into a complaining [ __ ] fest,

but it really is. I mean, this is one of the things that we as an industry have not... Oh, it crashed. That's good. Yeah, is there prophecy?

I'm sorry, y'all.

Technology, it solves all of our problems, right? It does. I apologize, y'all. I thought of using Google Sheets, but I was like, maybe the internet won't work, so I'll do this.

Sorry, we've been doing a live demo.

And it started back up again. Now, don't recover, just go. There we go. So basically, you know, we've got a user, they come in there, their first day is, okay, welcome to the company, go change your password and everything. You know, you have plenty of time, right? You start a new job, you have time, you go ahead and figure these things out. But to the end users it feels like this: I started the job and I have to spend a whole day doing password management. And I'm not sure about how many people in here, I know a couple of folks I met earlier, we talked earlier, I know your users have a lot of systems

and a lot of passwords. This really fits that model, and even in smaller companies it's not quite as bad as this, but still, if you have five or ten or fifteen passwords, it really feels like this to the end users. We need to find a better way of making this work, and we also need to remember we've got to require unique passwords for our users. You know, we're asking them to do things that are really not intuitive to them. Passwords are not something people think about; you know, we're lucky we can remember our phone numbers. Trying to remember all the passwords to make that all work is difficult, so they always, always, always end up back in this, the old default,

and make one password applied across all systems, which is what we don't want. So because of what we're doing, the tools we're providing the users, they're not able to actually ever do what we need of them: having unique passwords, changing passwords. It just doesn't work. So the solutions are out there, people are trying to make things work, but now I'm gonna come back again and say [ __ ] passwords. This really shouldn't be this hard. We've been doing passwords for 50 years, you know, longer if you think outside technology, but in computers we've done this for a while. Because you know what's gonna happen: three months in, you're gonna have to do all

this all over again. Every three months, all your users are going through all the passwords for all the systems, and as we know, they're not gonna change passwords on things that are not easily accessible. They're not changing their encrypted disk password, they're not gonna change their Google password; you know, they're gonna keep things the same because it's not centrally managed or controlled. Which brings you back again to your mantra: you're gonna leave this hall and be going down the hall going [ __ ] passwords, [ __ ] passwords, because it really should not be this hard, but it is. So what happened is, over time, people said, okay, let's integrate these things,

let's make it so they can all talk together. So we use a domain controller, we use LDAP on it, we tie it into our RADIUS, we have TACACS, we have all these other fun tools to make it all work. But you can see there's still a bunch of things that don't talk to it. So even with this model we have, what, one, two, three, four, five, six, seven, seven or eight still-separate passwords you have to manage. We've made it easier, but overall we really haven't done much to help people get better at this. So again, there are things people are working on, trying to make this a little better. Coming back to it, new

regs come down the line. So we've finally gotten to a point where things are starting to be integrated; we're starting to integrate LDAP and Active Directory and folks on down the line. Anyone here work in, uh, DoD stuff? I didn't think anyone would actually say yes, but so you're familiar with DFARS and the things coming down for two-factor authentication. So there are regs coming down, and even in PCI there's a big push to push people toward multi-factor authentication. So we haven't gotten passwords right, and now people are saying let's just go to multi-factor. And that was actually the goal of what I was trying to talk about today. I was gonna

try to build a talk that really showed how we can actually build an enterprise using multi-factor, but I started putting it together and looking at just the tools that I have to use for my users, and I got to a point where I was like, I can't do that yet. You know, and I wanted to really talk about and map this out and start a dialogue, and I'm hoping that some of you will come from here and have some dialogue with people on your teams and figure out how you can manage this. I've got a few more tools I want to go through, and again, I told you this would be a really short talk; I'm hoping we can push

twenty minutes. No, it should be 25 minutes, but um. So looking at some of the tools: how do we actually get beyond this? So IAM, identity and access management systems. There are these tools out there, Okta, ForgeRock; I'm actually looking at ForgeRock, so it'll be easier to manage than Okta. And it tries to actually take that next step above the LDAP, above the RADIUS and TACACS, to really provide more centralized control for the users, and it has features and tools that can do it. You can see, again, integrate with your Amazon, you can tie things together and actually do better automation of the management of passwords, so you can start doing better control of it.

You're not dependent on a domain controller for all of it; you can actually, you know, pull out of that and have better access to tools out there. And there's one thing I don't have in here, which I'll bring up again, but the focus of this really was on the users. Don't forget there's also applications sitting out there, so we have databases and stuff; there's the application side of this, and I do want to bring up a tool. I've actually been talking to a friend who's working as part of the team that made it; that'll help solve that problem. But, you know, using these tools you can actually start integrating multi-factor, but the

first one you want is Google. I mean, everyone here probably uses Google Authenticator; I even use it to log in to my laptop. But Google Authenticator, you know, itself is not linked; you can't really tie Google Authenticator into your Okta or IAM system because, well, parts of it can, but it really is separate unless you're using a third-party tool that uses it. So there are plenty of tools that use Google Authenticator as the authentication tool. So, um, you can actually build a tool called LinOTP to actually manage your own soft tokens using Google Authenticator, which would expose a RADIUS interface to tie into those same tools. But then that would have to be a feed

feeding into more feeds, and this is a cloud of things tied together. Anyone ever use a YubiKey? It's a really cool little, you know, two-factor authentication, but again, it needs something to tie it into the back end. You know, there are commercial tools that offer that, and again, there's another one; Okta has links to tie into these services. So they're starting to get these features tied together, but the real problem comes back to the fact that they really don't solve all the problems still; they're really only applying to those environments that had the RADIUS and LDAP environments. You know, a little overlap beginning with Microsoft and Google Authenticator; they have their own

controls separately, but overall it really is the same environment we're at with LDAP; the same solutions are being solved. When I can offer multi-factor, which again makes it easier for users, you don't have passwords. Now you've got, you know, two-thirds of your systems out there configured with multi-factor authentication, except for some of those core systems. You're still gonna have servers in the data center that you have to be on the console for; they're not LDAP or RADIUS enabled, so you have to have static passwords on them. SSH key management: you and I will talk about this in a little bit, I wanna see what you're talking about. There's another tool I'm looking at, I'll

show it in a second. It deals with some of the problems with key management and application integration. But databases: I mean, I don't know if y'all ever manage databases, but password management in databases has really not matured in a long time. There's a lot of problems with databases; we could have a whole talk on security issues around databases. But that led me to another tool I want to bring up here called CredHub. Does anybody actually use Cloud Foundry tools? You guys should look at it. They have a great ecosystem that was really built around the Cloud Foundry tools; they help a lot in that space, but they have a whole bunch of tools that they've open

sourced. The company itself has done wonderful, wonderful things; they've actually created a suite of tools that offer developers, financial services companies and others out there who need to have not just this but development tools: how do you actually make a development lifecycle that has agile and easy use around legacy and modern environments tied together? But CredHub is a really interesting thing. What it does is it actually allows you to integrate password management into the rest of your environment. So with CredHub you can actually manage your database passwords, you can actually manage your application passwords, which then comes in and clears up a bunch of things. So

you can see I have one more thing in here for applications, because, you know, I want to talk about users, but I don't want to forget the fact that applications are a big thing out there. We all have applications; they're sitting there running, they have passwords and other secrets built into them, and there's nothing to manage them. So what happens when someone breaks into a web server and they get your SSH key or your encryption key off of your application? You know, how do you change that password, how do you manage it? This can actually integrate right into the management of it. You can see it overlaps into your IAM stuff, so it can actually

integrate with IAM and automate the actual passwords within IAM to your other various systems. So it's a great set of tools for automating the passwords and the controls of all the pieces around it. So, in reality, the actual whole point of my talk really comes down to CredHub tying together a lot of pieces, but also, really, the big thing is there still are things out there that are not solved. Now, there are tools you can use in the mainframe space, but it really isn't made without add-ons and plugins and more money and more licenses to really expand upon that, and it just wasn't designed to work with that stuff. And we still are

gonna have to live with all those problems. And then the final thing comes: what happens when someone leaves the company? So they change a role, they go somewhere else. You know what's gonna happen: now you've got all these SSH keys, you've got passwords, you've got, you know, two-factor tokens, you've got all these pieces in places all over the place. And are you actually going through and cleaning them out? And I'm sure there's a few auditors in here who have seen it doesn't happen. So again, back to my tagline: you know, it really comes down to [ __ ] passwords. We've got to do a better job, and I wish that I could've gone a little bit longer for

y'all, but I told you I'd keep it short because this is the end of the day and you all need to get to your drinking. So I will end there and open it up for our discussion, questions, anything people want to talk about or tackle. Let's use the mic; I know you're just dying. Yeah, so just first of all, I'm Jeffrey Goldberg from AgileBits, the makers of 1Password. Awesome. So some of the things about what we're doing, what you put up isn't actually correct: we did not announce any such thing, but it's been in the air. That's fine. Oh, I'd be happy to talk about all of that stuff if

anybody wants when we get to the drinking part. And my raising my hand on the SSH keys, that's a cheat: we have our own internal command-line kind of tool that we can script around for doing those things. So we've got an internal command-line client that is not yet ready to be released to the public, so we can do a lot of that kind of management. So that doesn't take away from your point that password managers don't do that. I think generally what I want to say is that, you know, we've been screaming [ __ ] passwords for 70 years. Yes. And I've seen proposals to get rid of passwords come

and go for more than 20 years, when I first started trying to create my own. Yes. And so I do think that any proposal that's trying to solve this problem needs to actually take a look at why previous attempts failed. And so I would reck... it's just, it's not a question, I'm sorry, I'm going... Oh no, that's fine. I'm speechmaking here, you know. So, you know, we've all known all these problems that you've pointed out for a long time. A lot of people have put in efforts to try to come up with a password killer, and it hasn't happened yet, and there are reasons that those attempts have failed. And I would just advise people to

look at why previous attempts failed before starting out. I'll throw this out there and say: next year's BSides, or any other regional BSides, they're happening throughout the year, why don't you come? You're in the space, you're in 1Password, I mean, you've got people in the trenches. And part of the reason I wanted to make this talk is some people don't see the enterprise picture; they're on smaller teams, or on pen testing teams and red teams, and they don't really realize, on the operations side, the scale of how much work this is. So I invite you, please come do a better talk than me up here. I mean, I fully sympathize with

the system or network administrator who has to deal with these things; that's where I got my start. So yeah, so please go, and anyone else: this is not a problem, come here and speak yourself, share your stories, come back and engineer better ways of doing this. And I wanted to bring this talk up because, you know, some people don't get a chance to see the bigger holistic picture because they're either breaking in there, using these weaknesses to break into places. And I want to just add that the basis of this is active discussion, not just receiving, and so I think we have, like, this really awesome opportunity because we have a block of time, and I'm gonna pass the mic

around. I think this is really awesome; this is what we're supposed to be doing, discussing, not receiving and taking information in. Hi, my name is Christian, and by the way, hi to the gentleman from 1Password who gave a great talk here a couple of years ago. Actually, I remember your talk. Was it... okay, I think I missed last year, so it would've been the year before. But um, so, uh, you mentioned CredHub, and that's actually something I've just started looking at. I was wondering if you had more thoughts on CredHub or more to add to that topic. I'm actually just deploying it myself; it's one of my new projects I'm working on. One

person we were really looking at working with is with the team who built it, so I got a really good chance to meet with the Cloud Foundry people and talk to them about the tools they're using, and I'm really impressed. I've not had a chance to really start integrating with the things, but I think what they've done, they've recognized the fact, at least from my point of view, what I'm looking at using it for is on the application side. You know, there are things you can do with SSH key management, with multiple users and user management, account management within the servers, but I'm really focusing on application management, database management. So as you're deploying cloud servers and

you're doing scaling across, if you need to change, you know, I can change the passwords on my applications and databases daily. So it doesn't matter if someone hacks a server; the next, you know, I can act within five minutes and change all that. So I'm just now deploying it, but if you want to keep in touch, you know, I've got my contact stuff, let's keep talking. Yeah, so sorry, I'll just jump back in since we're having a conversation here. So that was actually new to me, some of the capabilities that you talked about with CredHub, so I'm excited about that and excited to learn more about it. I was really just sort of looking at it from the

credential management orchestration, mm-hmm, point for cloud things. But to emphasize, you know, the story that led us to our collective mantra of [ __ ] passwords: I spent some time doing identity management and identity orchestration, and doing both federated, so single sign-on, and same sign-on, right, or orchestration of distributing the password to all the different things. Yes. And it is a massive pain in the ass. It is. It's hard to re-engineer it if you already have running systems; you can't re-engineer what's already there. Well, and particularly when you have a high diversity of systems that have different and competing construction constraints,

mm-hmm, to the point that you can't even make them agree. You know, like in the Microsoft world you can do three out of four, but in some other world there's no three-out-of-four option; it will contain, and if it doesn't, then you're just wrong. Yeah, so it gets really interesting. And this is, y'all have excited me, and this is exactly why with this talk I wanted to keep it short, so we can start talking about these things. Because, as our nice, kind gentleman started the whole thing, he, you know, our dialogue here: we have been saying [ __ ] passwords for a very long time, and everyone also needs to bring it

back up again and say, okay, we've said it, what do we need to fix it? So try it out, let's keep in dialogue: what you're using it for, share it with what I'm using it for. And they are open-source projects; if you find a different way for it, you can consume it. Yeah, that, you know, I'll go back to it, but it's a GitHub page: Cloud Foundry, all of the Cloud Foundry tools and more, they're all in GitHub. You can clone Cloud Foundry and just use all their tools. They have a lot of other really great tools for businesses looking to take standard internal business practices and move them to a cloud environment. You

have another question? So, I'm Tony, by the way. It seems to me that one of the more intractable problems isn't so much, I mean, it definitely is a very difficult problem to try to get a bunch of different developers, different applications to talk together, to cooperate and all that. But one of the things that you brought up in your slide with all the nice bubbles that differentiate all the things is, you know, if you've got full disk encryption going on, like BitLocker or what-have-you, you have an issue where, before anything gets to run except for the secure little sign-in for your full disk encryption, you know, that's something that getting it to integrate with any kind of

other application is virtually impossible. And the only thing that I can possibly think of that could integrate all of these things, and include even full disk encryption before the operating system even boots, is maybe biometrics. But one of the biggest reasons, and I talked about this with my brother, whose company's InfoSec group won't let him use biometrics even on his iPhone, is, you know, biometrics, you can get a false positive one in ten thousand times, and for them that level of accuracy, in spite of the fact that biometrics is actually now more readily available, that level of accuracy to them represented a risk that was too great for them to take on. Mm-hmm.

So maybe in the future biometrics could successfully integrate these things, with a single sign-on that could be centrally managed, so that, you know, you could actually kill off the ability of a terminated employee to access things by eliminating their biometric sign-on. But I don't know; what are your thoughts on biometrics? Well, it's an interesting question, because there's so many, there's different sides to it. You look at the Microsoft solution: they're like, let's just take the picture of a person. So now we've got a picture-based one that doesn't have the infrared things or depth things, so you can use pictures to bypass them. Mike over here, he wants to add something

to the speech. But I do want to add one thing, since it is, do we go ahead... that, you know, the Vegas hype, you know, machine learning. Consult, sorry, answer: machine learning out there. Bingo. Yeah, so, um, biometrics are a lot like security questions, you know, your mother's maiden name: you can't change them when they've been compromised. They are actually facts about the world that live outside of your head, and so in a sense they do not have the security properties that a password or a token or something that is regularly rotated has, right? They're not an actual secret that's designed as a proof for authentication; instead, you're looking at things that help with

identification. And this is actually a fundamental thing, and so you're going to end up in an arms race with biometrics that you're going to lose, right? People like me: it took literally ten different scans for me to go through a fingerprint scan, because I've burned my finger so many times working in a kitchen. So, okay. And then of course you're not taking into account the fact that people are already hacking eyes, mm-hmm, with the pictures. You know, we still don't have a good answer. Sorry, I'm not supposed to be inserting; that was me as a guest and not as a room monitor. Do we have anybody who would like to speak over here? Any more comments? Oh, here we

go. Well, you're welcome to make that one. I want to mention one other tool, if I can remember the name of the vendor. They're actually kind of bridging this gap in some areas, and it's actually looking at patterns. So you're doing a login on your iPhone or something, and it's actually looking at histories and patterns of the way you actually use the phone, to tie together not only biometrics but the way you swipe, the time of day you swipe, the angle you hold the phone, all those little different characteristics which are somewhat unique and not easy to mask or take over. There are actually some tools

coming in that space. I can't remember the vendor off the top of my head, but if y'all talk to me later about it... Go ahead. My idea is, why are we trying to have a silver bullet that handles everything, either a good password, good biometrics, a perfect system? Why not go in depth, where you have, you know, something you have, something you know, something you are, yeah, but make it quick and easy to get through it? Because what's the idea, why do we have them there? That's what we have to accomplish. To get rid of them is to go to anarchy. Well, I'm not sure the goal is to get rid of them. There are two sides to

the question. One is the management of it: the ability to manage a disparity of passwords across multiple platforms, multiple environments. When people come into an organization, they change a role, they leave an organization, how do you manage that environment? You know, it's a small shop, so you'll just have one system with access to everything; what happens when he or she leaves? You're gonna find out that you don't have access to any of your systems. So management is a big question that I'm focused on on the operational side; I'm trying to figure out how you make that easier. But also on the end user side, if you have an end user who's not, in effect... even some technical people, but

we'll get into them later. But most people who are non-technical, they don't want to manage 15 passwords and every three months change 15 passwords. And, you know, yes, it is the way it is, but it's causing problems. People are now using the same password across ten systems, or they'll go change the password and then a few days later, if they can, they'll change it back to something else again. So by putting these constraints on it and not making their lives easier, we're making them go around us, and we're bypassing the solution we're trying to find. So, as you were talking a minute ago, well,

two things actually crossed my mind. So, for similar reasons that have been expressed, I'm not a big fan of biometrics, but the thing that crossed my mind earlier was about transaction intent verification, so an out-of-band channel, and I think you mentioned Duo, that's one of the many that does that. But the idea that you can say, okay, I see you're trying to log into X, did you mean to do that? Yes/no. Much easier than typing in six digits or eight digits from an OTP, delivered over a channel that potentially, if done right, using like push messaging, could be more secure than, say, SMS, which has all of the SS7

problems. Yes. So I'm obviously expressing a bias that I think that could be good, but what do you think about it? What do I think about it? I think it's a great idea, and with the advent of IAM systems, the integration of things around it, I think it's easier to deploy tools like that now. Ten years ago we couldn't have done that; we didn't have the integration between systems. And it will always have the problem of legacy systems that don't support it; you know, someone's got a MUMPS database in there somewhere that's never going to talk to IAM. I had to throw MUMPS in there. Others? Anyone else have additions, comments?

Well, thank you. I mean, the dialogue is really what I was trying to pitch for; it wasn't really the presentation. Everyone here was kind of on the same page with it, and I really wanted to have the dialogue, just talking about this, because you live this life and people really don't talk about it enough. You know, we [ __ ] about it, but we don't talk about it. Yeah.

So it seems to me that, okay, a leading criticism of biometrics is that it's something about you that you can't change if it becomes compromised. But doesn't that... I mean, you're right that that does turn into an arms race, but the ideal is that your identification mechanism identifies the person accurately, reliably, and so creating a system that recognizes something about you that doesn't change at least has the upshot that, sometimes, if you're trying to log in that specific user, or you're trying to keep out that specific user if they've been fired, then something about them that doesn't change is one of the most reliable ways of moderating your

interactions with that user. Now, it does have downsides if you find a way... Okay, well, yeah, we can just pass the mic around. So I think I've made my point to the degree that's necessary. Yeah, so that's actually a great point, um, and I figured I'd walk over here because we're probably just gonna have a conversation; my job is done. Well, the camera is set up this way, so we'll keep going this way. Yeah, so you actually raise a really good point, which is that there are two steps to this process that we tend to think of as bound together, right? It's identification, authentication and authorization, so three steps really, but the identification and authentication pieces

are bound; the authorization piece is implicitly bound, but not really. So yes, right, examined by the system they're accessing. But the key to that... so if I push on biometrics for a moment, right, some of the objections are that they can increase coercion, they can increase violence. We saw that with theft of cars in a country where they implemented thumbprint readers that didn't include proof of life for the thumbprint.

We are the impromptu panel; give the whole room a hand here. So where I was heading with that is that if you're looking at a situation where you're saying, well, should we let person X do thing Y, you've got to start with, okay, well, do we know that they're person X? Okay, that's the authentication piece. But then, should we let them do thing Y? And that's your transactional risk piece, which tends to be just, you know, well, is there a rule that person X can do this? But to get into some of the things that were being mentioned, like the angle you hold your phone and things like that, those

those are transactional risk indicators. And even when I started talking about transaction intent verification, that's got two components to it, right? Do you possess the device that is asking you the question, do you want to do this? I see you've just tried to do this; do you actually want to? So do you possess the device that is bound to that system, and then, do you approve the action you've requested? Yeah. So it's sort of, though, as we talk about the passwords topic, what we're really unpacking is not just do we know who you are, but do we trust that you're acting of your own volition and within the privileges that you ought to have at that

moment in time. If you could just pass it on. And before you get into this, I want to throw out one more thing. I'm not sure if y'all saw this week, but there's a company, I think in the Midwest, that's actually implanting RFID sensors in the skin of their employees, because, I'm assuming, mitigating the biometrics, so we don't cut their finger off or whatever it was. But now they're going beyond biometrics and actually making that part about them an added feature to the person. So, if you want to add that as part of your response. Okay, um, so I mean, I just wanted to follow up with what you said, which is that

there is a distinction between identification and authentication. Something that is indicating your identity, where the things that you're talking about are these things that don't change, but ultimately some secret is needed for authentication, whether it's a secret that's stored long-term on your phone and there's a proof of having that secret through something like TOTP, or whether it's a secret in your head. There has to be some secret that's part of the authentication, because any non-secret stuff can be copied. That's a fundamental fact: if it's non-secret, it can be copied. You know, just as credit card numbers were never meant to be secret; they were record locators, and you were

supposed to authenticate by signature or showing photo ID. But starting to use things that work well for identification, like record locators or how you look, iris scans, stuff like that, using identifiers as authenticators always leads to bad things happening. We've got this case with credit card numbers, we've got this case with Social Security numbers, and we have this with the failure of biometrics for authentication. But the other thing that someone mentioned, oh, I think you mentioned, the point of these sort of behavioral things: it's just like if you log in to one of your Google things from a very different location on the planet than they're used to you doing, they'll have you go through more steps.

But those things that are kind of, you know, and banks do this through fraud detection: if transactions are happening at unusual times, in atypical ways you don't do it, this is combined with maybe it coming from a different IP address, or you've typed your password at different speeds, and things like that. These are used for sort of fraud detection; they're not authentication in the sense that they provide proofs of who you are, but they provide clues that there might be a problem, and therefore they might ask for an extra authentication step. And I think it's important to separate that notion. And I'll throw out there, you've mentioned the idea that a ton of banks are using this, you know, I'll throw this out

there: I'm not sure how many people here are in banking, but how many people are actually having their own applications identify what your users are doing, and trying to do that mapping and looking for invalid attempts or things happening within the application that would require you to just ask that secondary question, are you really you? Well, the are-you-really-you question is a very important one, but one of the things that I think we're losing sight of, and it gets back to this gentleman's point of the silver bullet and the ideal system, on the one hand, biometrics, especially in isolation, is not an ideal system, and you're right, ideally, you know, biometrics

maybe one form of authentication, one form of identification properly speaking, and then you have a secondary passcode. But right now passwords are primary; passwords are primary, they're ubiquitous, and they are not terribly secure, and when best practices are implemented they're a high-friction system. They take a lot of time when you're gonna type out fifteen or twenty characters every single time you log in, and the more random they are, the harder they are to hack, but the harder they are for the person themselves to even remember. So having biometrics as the base might at least eliminate or mitigate to some degree the problem of, I can't remember my password, so either I've forgotten it and now I need to take

a lot of admin time, or I've written it on a sticky note that is on the back side of my monitor or under my keyboard or in a drawer, and otherwise just terribly insecure. So I'm not saying that biometrics are a perfect system, but when passwords are primary, I think it's a more insecure system than if biometrics were primary and then passwords, or a one-time-use token, authenticator or something like that, would be the second measure to ensure the authentication now that you have identity. So, we've got more people joining. I would take a little bit of issue with your idea of secrecy, because the secrecy of passwords is, as we have heard through many sessions today, getting compromised.

Okay, so that doesn't work. I'm reminded of a story that I heard many years ago, the veracity of which I do not know, but I like the story: that AT&T had a bunch of scientists trying to create an error-free communications channel, an error-free communications channel, we'd all love one of those. There were some other brains in AT&T, in the labs, doing some research, and they could prove that you could never have an error-free system; no matter how good it was, there would always be errors. The engineers said, damn, maybe we ought to drop back and, instead of trying to get a perfect system, find an error-detecting, error-

correcting system. I think that's where we're at here. Mm-hmm. One system isn't going to give us everything that we want, but if we do simple passwords, not big long complex ones, just enough to give you an idea that it's there, okay, now we'll go back and double-check your bio: yep, you look like the right guy. Now we can either do SMS, or we can do a token, or we can do something else, bang-bang-bang, get through it to where you get two out of three. Okay, do you want... so now you can go to a third level, tertiary, or fourth, fifth level of backup on the thing. Error detection, error correction. So I'll throw out, I know we're almost out of

time here, so I'll throw out one interesting question to that piece: what happens when you throw your regulations in there, which have been written and are hard to change? They require certain lengths, certain complexities, certain... so to go to that minimal system, to make it easier to move toward error detection, how do we get that piece? I don't know if... I think a lot of people here are aware of it, I don't know if you are: the new draft NIST guidelines, they're advising against arbitrary recycling, forcing people to create new passwords. These guidelines oppose these complexity rules on passwords. So we are actually getting the last 15 years of research on what

works better or worse. I mean, because, you know, we've still got passwords, yeah, but what makes them worse, and what works at improving them, is finally getting into these guidelines that we can now all cite and throw up to our IT guys or whoever and say, hey look, NIST is saying don't put in most of those complexity requirements, let's get rid of them. Now, and then processing credit cards with PCI comes back and says, no, keep them. Yeah. I mean, just to emphasize that, right, it's stop doing password expiration, stop doing structured complexity requirements, because both of those make people forget; they actually

encourage wrong behaviors. Mm-hmm. So, and it's fascinating to see that coming out of NIST; it's pretty cool. If I just might piggyback on the elimination of complexity requirements: there was a talk in the same room earlier that was talking about how the more password requirements you have, the more combinations you've eliminated of possible character sets, and you've decreased the potential entropy of your passwords. So in some ways, yeah, they can be more hurtful than helpful. But I think we're out of time. Here's my wrench right now: I have a number of different systems, so this is from a personal level, and I have probably a couple hundred different passwords, which for some reason is shocking to some people. I

don't understand why; I've been on the net now for 20 years, and those are all active, and I go through my passwords and my accounts regularly and weed things out. I have a number of different systems that are now asking me to record my voice multiple times when I come in, so that they can quickly identify me the next time I call my health insurance company or other locations. I don't want to record my biometrics with anybody: not my eyes, not my voice, not my walk, not my talk. And I think that's because of the issue I have with then being readily identifiable to other entities that are not the one that I gave that

information to. And I'll throw on to that the idea that you don't know how they're gonna store it, and when that gets out, your biometrics are now not you anymore; they're whoever's replaying it. Well, the other thing too is, that goes to something that, you know, it is nice to be able to readily identify the individual from an admin standpoint, but from a privacy standpoint you've actually hit on something for which there is no rebuttal in the pro-biometrics argument: the idea of privacy, anonymity and the right to be forgotten. Mm-hmm. So there is that. So I want to throw out there, there are a few people who have not joined the panel, in the audience, there: is there

anything in what we've said or are going through that you would love us to talk about? We can take it offline, hit the bar for this, but I mean, is there anything on here that's useful to you that we could continue with? So I'll end at that point and see where it goes. Well, I'll just quickly comment that there's also the problem that, I believe it was Adobe, recently announced software that with very little, no, not terribly much training, something in the neighborhood of, I think it was, 20 hours of voice available, can convincingly mimic a human. Oh, they tell you they're recording your call. [Laughter] Well, your voice, you can record it all on

this camera here too, so

[Applause]