Introduction (00:30) You are listening to KBKast, the cybersecurity podcast for all executives cutting through the jargon and height to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (00:44) Joining me today is Dave Maunsell, CEO of Haventec. And today we're talking about Apple's Take ongoing password list for the future. Dave, great to speak to you again. It's been a while. You were probably one of my earlier guests back in the day, so it's really great to have you back to explore a little bit more about password list. Dave Maunsell (01:03) Thanks. Great to be back and thanks for the opportunity to reconnect with your audience. Karissa (01:07) So talk to me a little bit more. What is your take on Apple going password? Dave Maunsell (01:12) CISOs we believe that Apple's push, and actual fact, a number of the big technology businesses push, is a really welcome step in helping businesses, brands, other enterprises, start the process of eliminating the risk associated with the low assurance username and password for those listeners who are familiar with the Haventic business. And one of the podcasts we did with yourselves a couple of years ago. You'll know that this push into password list. Where does an organisation believe that it is an important step in certainly addressing one of the key challenges that organisations have with the low assurance means that they're using to authenticate their customers at the moment. Now, the username and the password. It's been around since at least 1961. It has proved exceedingly resilient. And now we on average report that we read from NordPass from last year, we all have, on average, 100 passwords that we need to remember and manage. Now, that goes to a great extent to how successful they've been as a solution, but I think if you ask any Australian, do they really, or anyone on the planet for that matter, do they really want to have to manage 100 passwords? Dave Maunsell (02:44) I'm guessing the answer is going to be more often no than it is going to be yes. What's also interesting from a lot of the breach data out there in the marketplace at the moment is within the breach data, the messages that those who have been compromised are leaving is that they don't want to manage multiple passwords, they don't want to manage passwords that are difficult to remember. I mean, the top password, for example, was 123456 and then it was the word password. So it's no wonder that last year there were 2 billion passwords stolen. That's called forge rock. And so with all of that as context, I think the push by the large technology organisations and Apple into a space that's important, where there is a market need and that market need is only growing, is a really positive development. There will be some caveats to all of this though. I do think that when we talk about passwordless, we certainly want to focus on not just the user experience component of that authentication process, but also the elimination of the risk that is being faced by many large organisations for storing usernames and passwords on behalf of their customers. Dave Maunsell (04:27) So I think as we go through this discussion, it'll be good to like the opportunity to highlight, beyond the user experience, what organisations should be looking for to make a transformation in the space, not only to improve the user experience, but also to address the enterprise risk and ultimately enhance their position against the regulations. And the Privacy Act, for that matter. Karissa (04:56) Yeah, great points. I think one of the things that you said before is when the password was around. Yes, it's showing great resiliency. I think it's probably also because we only have one password that we were logging into things, but now, like you said, 100 plus is all the tools and stuff we got to use for our jobs and then everything else like Netflix and all these other things we have to log into. It's quite exhausting and I like your comment, Dave, around the user experience, because it is frustrating the amount of times that people have to reset passwords because they can't remember and they do then default to password 123456 because it's easy for them to remember. So I think that we've sort of spread this ground of people using basic passwords because there are so many systems they need to log into, so that's probably why they do it in terms of the psychology. And I think that I'd love to focus on the user experience side of things because again, as consumers want to make it as easy as possible to log into things. So do you think from your experience and things that you're seeing in the market, moving away from having passwords and having the cognitive ability to think about a long password or a strong password, will this become easy then if you just focus this on the consumers? Dave Maunsell (06:08) For people, we actually think over the near to medium term that enterprises should be looking at multiple offerings to authenticate their customers in a way that is done in a high assurance way. So we think that's important. And while the passwordless user experience will be one of the offerings that are relevant to certain segments or subsegments of your customer base, we believe that for some parts of your customer base that they are going to want to hold onto a username and password because they're comfortable with it. It's an experience that they are familiar with so they know how to use it. And as a consequence, while password CISOs will be important, I think recognising that your digital front door should support multiple means of confidently authenticating your customers in a way that doesn't open up to any additional risk. We think that's an important decision criteria for organisations who are looking to transform this aspect of their digital channels. Karissa (07:28) What do you mean? You said before, like multiple offerings but high assurance. What do you mean by high assurance? Dave Maunsell (07:35) The security researchers consider that just the username password combination as a low assurance means of authentication. We see from the breach data that it's not typically a strong combination with most people using easy to guess passwords. As a consequence of some of the breaches and the extent to which these breaches are occurring, access to people's username and passwords can be found in darker spots on the web. And as a consequence, relying simply on a username and a password for ongoing authentication of your customers is a low assurance way of doing it. Now, one common high assurance way of minimising the impact of the low assurance username and password is to introduce another factor into the authentication process. A number of us are familiar with either a six digit Pin being sent to your phone or an authenticator app that adds a second factor to the authentication process and provides the brand with some additional confidence that the person they're authenticating is their legitimate customer or patient or whoever it turns out to be. That's high assurance. And then these initiatives like Pass Key, Behaving Authenticate Solution, they're all high assurance authentication solutions because they rely on multiple factors to authenticate a customer. Karissa (09:14) Got you. Okay, guess multiple factors with password list as well. So completely removing the password, but then you've got either Google Authenticator, for example, if you're logging into Google, or something being sent to your phone like the Pin. Dave Maunsell (09:27) We think that passwordless is a fantastic way of helping get your customers quickly and conveniently through your digital front door. Because it's low friction, it can be as easy as putting an affordable Pin or a Face ID or a fingerprint. A really good way of getting your customers to where they want to be, not stumbling through a complicated authentication process, but onto the other side of the authentication wall. Doing what you want them to do within that digital interactions and password list is a great way of doing that. We believe that some of your customer base, they're going to stay weighted to use them and passwords for a while longer. Some of your customer base are going to start to look at some of the authentication options that are emerging, like Verifiable credentials. And we believe it's going to be important for a brand, especially those brands who are competing digitally to not just as a user experience. Don't just think about password CISOs as the answer or whatever multifactor authentication solution using, but supporting multiple ways of authenticating your customer that allows your customer to choose what they're comfortable with, but doing that in a way that doesn't open the enterprise up to any additional risk, which is the high assurance component. Dave Maunsell (10:54) And we do see initiatives like Passkey helping to progress that and helping to progress that we feel in the right direction. Karissa (11:04) Yeah, that makes absolute sense. And one of the things that was coming to my mind as you're speaking, I talked about digital front door. If we look at an elementary example on, I don't know, someone accessing an e commerce site, probably not buying stuff of an ecommerce every day, but maybe it's like once a month or once every few months, and then all of a sudden I can't remember my password. So as a result, they can be bothered trying to reset it. Then they just go elsewhere or they don't buy anything from the retailer. So I think that should be able to enable better revenue for businesses because people aren't, like you said, they're not complicating how they authenticate themselves, whether they're logging into something or they're accessing something as well. So this is going to be an upside for people to get more money out of consumers as well. Dave Maunsell (11:47) Well, there certainly is, there's research out there that a complicated authentication process or complicated authentication steps close to a transaction will see customers dropping off and that's a direct hit to revenue. Complicated authentication process can also discriminate against the elderly and the less able because they find moving across multiple devices, typing in numbers from one device into another device is inherently confusing. And the WC three estimate that around 15% of the population find a lot of the conventional multifactor authentication solutions very difficult to use to the extent where they cannot navigate their way through that authentication process. So you're right, a lot of the solutions that are being leaned on at the moment, they're slowing down business and they're also having a negative impact on your ability to penetrate the entire market as well as in some instances, seeing you lose revenue. So getting this right, getting this right is going to be great for business and it's also going to help speed up business because you're going to be able to do it more confidently. You're going to know if you've issued your customers with high assurance credentials like Pass keys, that you can get them quickly and conveniently through your digital front door and then doing what you want them to be doing. Dave Maunsell (13:16) And if it's buying something, they've already navigated the authentication process and you can confidently go about doing business with them. Karissa (13:23) Now, following the announcement that Apple made a few months ago or a few weeks ago about them going past with this, but then other companies as well as sort of making their move as well, do you believe that we will start to see parcels become more ubiquitous? I mean, obviously I'm in the security space, so yes, I'm seeing it from that front. But when we're talking about companies like Apple, which have a solid foothold in the market and they're saying this, obviously other companies will follow. So will we start to see more of this from your perspective? Dave Maunsell (13:53) Well, there's somebody that has to manage 100 passwords. I hope so. But jokes aside, I do think the fact that Apple, Google and Microsoft have all said they're going to gravitate around the same standard, this is going to be great because it really is going to accelerate the availability of goodness offerings and Parsky offerings in the marketplace. The questions on how ubiquitous going to get. I think it's going to be a difficult one to second guess at the moment, given how early we are in the introduction of some of this new Passkey technology. Think about it. The instance from a brand, say, for example, one of the banks, they're interested in this Passkey technology, they are going to be dependent on the uptake by their customer base of hardware and software that is compatible with the new standards that are being introduced by the Passkey initiative. And so while the brand may itself benefit from providing a passwordless offering using the Passkey technology to their customer base, it's likely to only ever be a percentage of that customer base for a period on time until all of their customers have adopted the hardware and software that supports the standard. Dave Maunsell (15:26) And so the brand is probably not going to be able to be in full, direct control of the uptake of some of the benefits associated with Parsky because they're dependent on their customers buying and upgrading to new technology. Which will mean the other benefit of Passkey, which is ultimately the elimination of the need to store and manage large numbers of username and passwords in the enterprise. That doesn't go. That doesn't go until your customer base has fully adopted the new standards. And I think that's going to be the challenge for many organisations who are looking at some of the new technology. Well, I think the user experience benefits are obvious. How do they minimise the cost and the operational risks of getting from the username and password authentication experience across the past, key in a way that has an end date because they know all of their customers will have adopted the new standards? I think that's going to be a challenge for organisations who are wanting to take their customers on a passwordless user experience journey that's dependent on the standards that Passkey is dependent on. Do I still think it's in the right direction? Dave Maunsell (17:06) I do. Do I think there are likely to be, for many organisations, stepping stones on the way to that full passwordless experience? Certainly we do it. And within our customer base we've found organisations who do want to go straight to a passwordless experience. Good example of that for us is You Bank, whose customers right now, all of their customers authenticate with either a four digit Pin or a biometric, and they don't have to store any usernames and passwords anywhere within their enterprise because the technology is not dependent on a standard. But we've also got other customers who don't want go out to their user base just yet to change their authentication experience. But they're looking for ways of introducing a higher assurance authentication. And for those customers we've found that our silent multifactor authentication solution is a step in the right direction because it introduces high assurance authentication but it also allows them to, when they're ready and when they believe their customer base is ready to introduce a genuinely passwordless authentication experience. Karissa (18:30) So Dave, I want to talk to you about Pass keys. You mentioned it a few times, so I'm keen to understand for our audience who perhaps are not familiar, would you be able to explain a little bit more about what it is? Dave Maunsell (18:39) Yeah, so they're an open standard password replacement solution that uses asymmetric cryptography that provides more security and better protection of those credentials while simultaneously being far simpler to use. It's essentially a photo login credential that's tied to a website or an application and a physical device using cryptographic keys. Pass keys allow users to authenticate without having to enter username a password or provide any other authentication factor. They can do it simply by a biometric face ID or a fingerprint. This technology's aim is to replace the need for the use of passwords as the primary authentication mechanism and in doing so provide organisations with the ability to eliminate the organisational and operational risk and CISOs associated with storing username and passwords on behalf of their customers. The introduction of Pass keys into our everyday lives is going to be coupled with operating system and hardware rollouts that Apple and Google and Microsoft will be doing over the near to medium term with iOS 16 release. iOS 16 includes support for Passkey and macOS Ventura, which I believe is launching this month, also includes support for Pasky. The really clever thing about this innovation is it builds on the ido solution in a way that takes advantage of the device that's sitting in your hand and the key that's used to authenticate that customer never leaves their device. Dave Maunsell (20:45) And in fact the private key stays locked on your device. The server that you're interacting with, your bank, the organisation that is offering you the service or the application that you're connecting to, it holds the public key and the authentication of you occurs through a challenge between the organization's server and the application. And once that challenge is successfully responded to, the user is verified and passed through to the application. Really easy to use and built on, you know, public private key infrastructure that's proven exceedingly resilient and exceedingly effective since its introduction back in the 70s. But flipping the model in that the enterprise holds the public key, not the private key. And you as the consumer, the customer, the patient, you hold the private key on your device. Karissa (21:48) So what I'm hearing, what you're saying is that passkey is going to be inherently a safer solution. Dave Maunsell (21:54) That's right. And if you go to the operational risk of storing a whole lot of username and passwords for an enterprise, where they get themselves in trouble from a regulatory perspective, is when their enterprise gets breached, the whole of username and passwords stolen. And that allows whoever's got access to that information to use that to commit other acts. In the instance where an organisation has completely eliminated username and password and they're using the Passkey technology, when the enterprise is breached, there's nothing of value to steal because all of the components required to authenticate a customer, they don't exist in the enterprise. Only decentralised components or parts of the puzzle exist in the enterprise. Karissa (22:46) I think that definitely makes sense and I definitely agree with all your points. And you mentioned something before around a company not looking to sort of transform how they authenticate their customers, yet why do you think that's the case? Do they not want to disrupt what's happening in their business? Is it too hard? Like what's? Sort of the reasoning? I mean, like, moving towards anything and doing something new is always a challenge. Dave Maunsell (23:10) Maybe Pevlov's still having his way with some of us in relation to our conditioned response to experiences that we are familiar with. I can give you the experience that we have had as a business over the last couple of years introducing our technology. And our technology is a passwordless user experience with a genuinely passwordless architecture underneath it. So within our authentication solution, there are no passwords anywhere when we're going and introducing the technology to organisations. I love the story around how we can eliminate operational risk associated with storing username and password. They loved how easy it is to implement and integrate into their existing identity and access management solution. And they also like the fact that they can introduce our offering to their customer base regardless of what device they're coming in from. So it's not dependent on a standard that's been rolled out across operating systems and browsers. But we found with a lot of organisations that we talk to and it sort of comes back to the user experience. And I'm paraphrasing this, but, Dave, we've just spent the last decade telling our customers that longer, like a longer password is stronger. And you want me to go and tell them that a four digit Pin is better? Dave Maunsell (24:36) I think we've got to take them on a journey to that particular point and that journey is going to take some time and that journey is going to take some education. And for many brands, that time and that education, they want to do that as more often than not as part of some broader digital transformation they're doing across their customer base. So if you take a bank, for example, to couple that transition from username and password to a four digit Pin or a biometric with maybe a broader digital transformation. And so they get the benefits of going out to their customer base, talking to them not just about how they're making it easier to get through the digital front door, but all the other benefits once they get when they get over to the other side of the digital front door. So including this as part of a bigger transformation. That said, they're still really interested in what they can do to introduce additional factors or high assurance authentication into the existing username and password process. I think we're all familiar with it, whether it's a Mygov ID for the MyGov account being sent to your phone or it's going to an authenticator app to tie in a six digit Pin. Dave Maunsell (25:59) Those are options for many organisations. It is interesting that we've also heard for a lot of organisations looking to introduce high assurance authentication, there is reluctant or not reluctant. Reluctance is probably not the right word, but they're, they don't want to go out and tell them to move to a four digit Pin but they're also they don't really want to go out and tell them to type in a six digit Pin from an SMS or from an authenticator app. So they they don't really also want to disrupt the customer base with the introduction of a conventional multi factor authentication experience. And that's where we found with our rolling key technology, the introduction of silent multifactor authentication last month as a good part way point for organisations who are wanting to introduce high assurance authentication. Keep usernames and password in place, but start the journey towards offering password lists and truly passwordless authentication. Karissa (27:01) Yeah, I totally hear what you're saying in terms of what the clients were saying on we've told people to have long strong passwords and now we're saying we've got a default back to like four digit Pin. So I totally hear from that perspective. That makes sense from a business point of view. There's a couple of things I want to sort of get your opinion on nowadays is talking a little bit more about Fido or Fast Identity online alliance, like what they do for people who perhaps are not familiar. And the other thing that I know is that they've worked for nearly a decade to create a unified format for online authentication. Dave Maunsell (27:35) Yeah, that's why I said Haventig is a member of the Fido alliance. We're familiar with them, we like the alliance, we like what they're trying to do, we certainly like what they're trying to advance from a privacy perspective as well as from a user experience perspective. The main goal of the photo alliance is to change the nature of authentication with open standards that are more secure than passwords and simpler to use for consumers and I think provided some examples of that during the discussion that we've had to date. It's an important alliance. There are some big names amongst the members, including Apple, Google, Microsoft, as well as Amazon. The mission itself is to develop technical standards that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users, to operate industry certification programmes to help ensure successful adoption of these specifications, as well as submitting mature technical specs to recognise standard development by organisations of formal standardisation of phyto specifications. What's interesting in itself, and I think you mentioned it, was it's been it's been around for a while. I think it was founded back in 2013 and the five two standard which introduced some biometric offerings as well, has been around since April 2018. Dave Maunsell (29:14) My memory serves me correctly. The fact that they have the alliance has been around for a decade and yet 2 billion passwords were compromised last year, according to Fordrock. That's a 35% increase from the year before. Gives you a little bit of a sense of the challenge that we all face getting rid of passwords. Karissa (29:41) Yes. So, okay, this leads me to my next question, which I'm really curious about. What does this mean for password management companies that are out there? We've just spoken the whole conversation about getting rid of passwords. Passwords are annoying that we don't really need them anymore. I'm curious to hear your thoughts on this one. Dave Maunsell (30:00) If you'd asked me this question when we met a couple of years ago, with everything I knew around how fragile and brittle the username password experience was, I would have been materially more optimistic around how quickly organisations were. Going to adopt authentication solutions like those that exist within the Fido Alliance, like the passkey solution that tearly improved the customer experience while addressing a key organisational risk. And that's the storage and management of large stores of username and passwords. So I thought passwordless and truly passwordless solutions a great way to make it easier for your customers to authenticate themselves and reduce the operational risk of having to store all of your username and passwords with the benefit of the last couple of years. I may not flippantly make a joke that the nuclear winter statement that cockroaches will survive. I think passwords are going to survive as well. I do think having an ambition of making it easier and more convenient for your customer base to digitally interact with you online and at the same time look for opportunities to reduce organisational risk associated with the management of username and passwords is. What the advice that we're giving our clients and the new organisations that we talk to? Dave Maunsell (31:42) I think a strategy that doesn't take into account that certain applications, certain segments of your customer base will want to keep using username and passwords could be in for some trouble. I think it's a blind spot if the organisation doesn't take into account the possibility that some of their customers will want to continue to use the username password combo to get access to a service. Karissa (32:17) So would you say that in terms of market share though, if we zoom out password management companies because people are, you know, just say hypothetically arbitrary numbers, 30% of people now are going to take up passwordless type of solutions over a password manager. So does that then mean that password management companies would lose potential 30% revenue? Dave Maunsell (32:39) I certainly wouldn't go there. I certainly think for the near to medium term, the password managers and the role that they play in our life will continue to be there. Because while some of the brands that you interact with, they might start to offer passwordless authentication experiences and if they're the past key ones, they're going to be dependent on the adoption of the standard or you as the customer having access to a device and operating system that is compliant with the standard. But if you've got other devices that are you might have a workstation that's five years old that you want to continue to use, then you might, for some of your devices, have a passwordless authentication, but you still might. Need to manage a username and password for some of the devices that you still own, that you want to connect to some of your digital services. So actually there is a scenario where the role of password managers and actual fact increases in the near term to allow individuals to manage the transition from the username password combo to genuinely passwordless. Because as an end user of a lot of these services, it's very likely that I will need to use for a period of time, in a determinate period of time, a combination of one or the other password CISOs or username and password to get access to the digital service. Dave Maunsell (34:10) So my hypothesis is that there is a role that widthless managers are well positioned to play in helping customers transition from these different user experiences, especially those passwordless offerings that are dependent on the introduction of new standards. Karissa (34:30) So if we look at, for example, like electric cars so there are some people who drive in electric cars, it's not really ubiquitous at the moment, but over time we probably won't drive petrol cars or diesel cars anymore. And I mean over time. I mean like a long period of time depends on how quickly we need to move to that. But would you say, like, if you were to password, I don't know, let's just say ten years, will password managers still be in the same form as they are today? Because I do hear what you're saying, I'm just trying to get a grass bob. Will eventually they fade out over time or do you think there's always going to be a need there? Dave Maunsell (35:03) So my hope is that certainly in my lifetime, that I no longer need to have a password manager in my life because the technology organisations that I depend on have come up with a way of allowing me to confidently use one pin or one fingerprint or one face ID for everything that is. My hope a lot easier as well. That's right. Karissa (35:32) So, Dave, in terms of sort of final thoughts or any sort of closing comments, do you have anything that you'd like to leave our audience with today? Dave Maunsell (35:38) It goes back to one of the points on the process that organisations go through as they transition from the authentication experience they've got in the marketplace now to whatever their target state might be, and that might be passwordless. We do think, and certainly organisations that we engage with believe it's going to be important is to design a target architecture and a journey that allows your customers to choose their preferred authentication mechanism, at least for the near term so that you can take your customers on the journey that you would like to take them to, which is ultimately to a simple, convenient, high assurance way of authenticating themselves every time they connect to your applications. But on that journey, ensure that you are only offering high assurance solutions to authenticate your customers. And so addressing some of the weaknesses of the current username password authentication experience as a first step towards passwordless would encourage organisations to at least start there, because that's going to provide them with the ability to minimise what? Is the primary privacy challenge for many organisations, which is the fact that username and passwords are inherently weak, can't be relied on, too easily stolen, too easily, told to somebody else. Dave Maunsell (37:25) So address that now and that will help. And if you've chosen the right solution to help address that now, that's going to help you on your path towards a truly passwordless authentication experience for your customers. Karissa (37:41) Well, as you say, Dave, hopefully in my lifetime I don't have to see another password, type one in or reset one ever again, and I would be a very happy consumer. Dave Maunsell (37:49) Yeah, you have me both. Karissa (37:51) So thanks very much for your time, Dave, and thanks for coming back on the show. Dave Maunsell (37:54) Absolute pleasure. Karissa (37:55) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes.This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. Visit mercsec.com to connect today. If you'd like to find out how KBI can help grow your site, The Business, then please head over to KBI Digital. This podcast was brought to you by KBI Media, the voice of cyber.