June 23, 2021

The Journey to Passwordless Authentication w/ Derly Gutierrez

by Cyber Ranch

Listen Now


Show Notes

With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran. Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strenghts of today's authentication methoods. Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches. Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications. The two discuss corporate and personal use of passwordless solutions, talk about legal precedence and the future of passwordless approaches. Key Takeaways 1:14 How Derly got into cyber 1:58 About Derly's day job as Head of Security 2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords 3:35 Allan cites NIST 800-63b 4:15 Derly talks about CAC cards in the US DoD 4:50 Derly sides with vendor innovations over NIST guidance 5:56 Allan clarifies the distinction between PINs and passwords 6:52 Derly points out the flaws with biometrics in terms of reliability and assurance 9:09 Allan cites a survey regarding WHY organizations choose passwordless 9:52 How many 'passwordless' solutions still include shared secrets 10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues 11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches 13:06 Allan points out the value of Identity and Access Management solutions 13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS 14:50 Derly takes these methods apart 16:05 Many companies are not doing Role-Based Acces Control, system-to-system communication and Privileged Access Management correctly 17:02 Allan brings up the presence of push attacks 17:38 Allan's definiton of true passwordless authentication 17:56 Derly's definition of true passwordless authentication 21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition 23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself 23:47 "Your home is your castle" has become "Your phone is your castle" 25:06 Allan cites one last survey as to how many of us really are passwordless 26:02 How long before we got to passwordless? 28:06 What keeps Derly going in cyber Links: Learn more about Derly on LinkedIn and Twitter Follow Allan Alford on LinkedIn and Twitter Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Sponsored by our good friends at Axonius
Read more

Recent Episodes

March 22, 2023
by Cyber Ranch

This episode is a story about an entire vendor encounter gone horribly wrong.  Allan is joined by Paul Moreno, VP of InfoSec at Catawii, formerly SVP of Cybersecurity at Adyen, investor and advisor.  Paul found a cybersecurity vendor.  Paul found goo...

March 15, 2023
by Cyber Ranch

Join Allan and Dr. Mike Brass (whose degree is in archaeology!) as they jointly explore the technical side of the house vs. the GRC side of the house, noting that GRC can be a great path to CISO. Hear Mike's journey from IT technician to GRC to CISO....

March 8, 2023
by Cyber Ranch

We have this idea that we can be perfect.  And we know that idea is unsound.  So we settle for imperfection.  But are we doing that purposefully?  Do we have a conscious plan for embracing imperfection?  How can we, as cyber professionals, embrace ou...

March 1, 2023
by Cyber Ranch

In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security). They challenge each other to a game...

February 22, 2023
by Cyber Ranch

Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage. Even after controls were put into place to prevent ChatGPT from help...

February 15, 2023
by Cyber Ranch

How important are communications after your company has been breached?  They can make or break customer perception, and the perception of the world.  Bad communications are perceived as bad intent. Joining Allan this week is Heather Noggle, owner of ...

February 8, 2023
by Cyber Ranch

Do you want to be a CISO one day?  Are you a CISO today who wants to strengthen your ties into the rest of the business?  The Business Information Security Officer (BISO) role is one you should explore. The role can vary quite a bit, as you will hear...

February 1, 2023
by Cyber Ranch

Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations.  Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory b...

January 25, 2023
by Cyber Ranch

This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor. The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as w...

January 18, 2023
by Cyber Ranch

This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc.  Another one of Allan's illustrious guests with 25 years in cyber.  (https://www.linkedin.com/in/schawacker/).  The topic started as all that th...