June 23, 2021

The Journey to Passwordless Authentication w/ Derly Gutierrez

by Cyber Ranch

Listen Now


Show Notes

With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran. Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strenghts of today's authentication methoods. Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches. Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications. The two discuss corporate and personal use of passwordless solutions, talk about legal precedence and the future of passwordless approaches. Key Takeaways 1:14 How Derly got into cyber 1:58 About Derly's day job as Head of Security 2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords 3:35 Allan cites NIST 800-63b 4:15 Derly talks about CAC cards in the US DoD 4:50 Derly sides with vendor innovations over NIST guidance 5:56 Allan clarifies the distinction between PINs and passwords 6:52 Derly points out the flaws with biometrics in terms of reliability and assurance 9:09 Allan cites a survey regarding WHY organizations choose passwordless 9:52 How many 'passwordless' solutions still include shared secrets 10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues 11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches 13:06 Allan points out the value of Identity and Access Management solutions 13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS 14:50 Derly takes these methods apart 16:05 Many companies are not doing Role-Based Acces Control, system-to-system communication and Privileged Access Management correctly 17:02 Allan brings up the presence of push attacks 17:38 Allan's definiton of true passwordless authentication 17:56 Derly's definition of true passwordless authentication 21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition 23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself 23:47 "Your home is your castle" has become "Your phone is your castle" 25:06 Allan cites one last survey as to how many of us really are passwordless 26:02 How long before we got to passwordless? 28:06 What keeps Derly going in cyber Links: Learn more about Derly on LinkedIn and Twitter Follow Allan Alford on LinkedIn and Twitter Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Sponsored by our good friends at Axonius
Read more

Recent Episodes

November 29, 2023
by Cyber Ranch

Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC! He asks a unique question of each guest, who represent a great deal of breadth in our industry: Dave Belanger, CISO at Bestow Insurance - What is the most...

November 22, 2023
by Cyber Ranch

Howdy, y'all!  Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all! For those who don't track it, there is no Cyber Ranch Podcast four times  a year: American Thanksgiv...

November 15, 2023
by Cyber Ranch

Warning, there might be some naughty language in this one! The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won??? "Won"? Th...

November 8, 2023
by Cyber Ranch

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Evan Wolff, partner at Crowell & Moring, and Allan's favorite cyber attorney.  Evan has led and managed 100s of investigations including cybersecurity, data breach, insider...

November 1, 2023
by Cyber Ranch

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup!  Another Cyber Ranch guest with an awesome history!  Tim and Allan were chattin...

October 25, 2023
by Cyber Ranch

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes.  She has also consulted, and has worked at Chevron, General Dynamics, and SACI.  Jack h...

October 18, 2023
by Cyber Ranch

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft ...

October 11, 2023
by Cyber Ranch

Chris Tillett is a well-known figure in our industry.  He is in product management and R&D at Palo Alto Networks.  He is also a great guy, funny, and can wield the snark quite well.  He is the perfect foil for Allan Alford as the two of them take...

September 27, 2023
by Cyber Ranch

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Joining Allan this week is Ron Nissim, CEO @ Entitle.  Yes, this is one of our rare shows with a vendor as a guest.  Why?  Because in this case, the vendor was more highly informed than any of Al...

September 20, 2023
by Cyber Ranch

Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University.  He also serves as the faculty lead for the cyber policy specializatio...