Blog
Recent
LastPass For Admins

NCSAM Week 3: The Future of Passwords and Authentication in Cyber Security

LastPassOctober 18, 2017
At LastPass we’re not just thinking about the password problems of today but we’re also looking ahead. How are today’s trends in how we live and work going to change in the future? How will new technology help improve our security while eliminating the friction of access? How can we evolve our products to solve the problems of tomorrow? When looking at these questions and the future of our industry, we see two major trends. The first one is rather obvious: cybercrime is here to stay as evidenced by the continued rise in security breaches, hacks, and the billion-dollar criminal business of ransomware. For many of us, nearly all of our valuable assets are now stored and accessible online. A single breach in one of our accounts could mean the loss of our life savings, our identity, our reputation, and many memories. In businesses, the impact of cybercrime is equally as detrimental and so are the costs to recover from and protect against them in the future. The second trend is the increasing impact of the consumerization of technology and a Bring-your-own (BYO) world. Long gone are the days of relying solely on company sanctioned devices, apps, and data to do our work. Bring your own smartphone, tablet, app... You name it, employees are introducing it to the workplace and their co-workers. Why? Because it makes them more productive and in many cases solves a key problem of accessibility, sharing, or filling a knowledge gap. We all have become accustomed to instant access to everything. Have a problem? We solve it by downloading an app, tapping our social network, or googling the answer.

The Human Factor

The link between these two trends is what we call “the human factor.” We simply do things that are not ideal from a security point of view, such as reuse passwords and access work technology on our personal devices. The reason for this? Convenience. We do these things because they make our lives easier. Think about our personal lives: we leave a house key in a “secret” hiding place for a friend or family member, even though we know that’s the first place a thief will check.  We write passwords on sticky notes, put them on our monitors and wall boards, hand them to co-workers or share them by email. Cybercriminals take advantage of the human factor as it’s the easiest and most effective attack surface available to them. Similarly, why would thieves break into your front door, when an open window in the back of the house will do just as well. We’re all not naïve or ill-intentioned. Many people don’t know they’re increasing their risk of an attack by re-using passwords, sharing them via email, or making them so short they’re easy to remember. Even still, those who do know tend to do it anyway… for the sake of convenience, simplicity and productivity. When thinking about the future of cyber security, we must account for the human factor. People will always take the path of least resistance so how can security and technology leaders enable others to protect themselves? The solution must be approached from two perspectives: leveraging new identity approaches and increasing our vigilance of cyber threats.

Evolution of Bring-your-own Identity (BYOI)

On the technology side, we’re starting to see mobile devices become true extensions of our identities so instead of simply BYOD (Device), we’ll soon be talking more about BYOI (Identity). Biometric verification is paving the way for this future. We’re already seeing it in smartphones, with technologies like Apple FaceID and Samsung Pass. Other verification factors will surely be added, and they’ll likely work with many other apps and IOT devices as well. As biometric verification technology improves, it will provide a secure way to enable instant access to everything - computers, cloud apps, homes, cars, office buildings, thermostats, bicycle locks, and more. The benefit of BYOI is that it transcends personal and work life. Your identity is the same whether you’re paying bills or starting a new job. In a BYOI world, your identity would ideally be linked to all of your company’s systems, replacing passwords and other more vulnerable, less convenient means of authentication. Many companies have already delegated authentication to your smartphone to enable convenient access to email and other company apps directly. Why not just go all-in and use the device as proof of identity? Imagine showing up to work on your first day, and instead of being issued a badge, a new identity (yourname@newco.com) and a new set of apps, you’d just present your smartphone and your access is granted, instantly to every resource you need to begin to work. In switching to BYOI, companies could realize substantial savings through reduced administrative costs. Calls for password assignment and resets account for as much as 50% of IT help desk costs as employees regularly report password related problems. Companies will gain much greater productivity by letting their employees use applications they’re comfortable with and enabling them with tools like LastPass that remove the barriers to access. Companies could even gain greater sales efficiency as incoming sales team members could bring their contact data with them from one sales position to the next or what could become known as BYOR (Rolodex).

Improving Cyber Security Awareness

I find our greatest challenge is increasing broad awareness of cyber security threats and it’s also about addressing the human factor. Growing up, we learned many rules for personal security: Don’t talk to strangers. Don’t leave the house unlocked. Don’t leave your bags unattended at the airport. Now, however, we’re living in a digital age. Nearly all of our assets and history is online. Our banking, credit card, brokerage, retirement, and insurance accounts. Our merchant and entertainment accounts – like Amazon, Netflix, Spotify and every online site we’ve ever signed up for. Our memories – the photos and videos of our children we have stored in the cloud. Even our identity – passport, driver’s license and the relationships we have with other people via Facebook and LinkedIn. All of it has a digital footprint. In the digital world, though, people are still not using the same rules for personal safety as they use in the physical world. That’s where the problem lies. Many people still don’t realize how dangerous the digital world has become and we’re only just beginning to understand the impact of online asset theft, identity theft and ransomware. We need to be vigilant online – just as we are in the physical word when we look through the peephole of our front door, travel to unfamiliar neighborhoods, go to the airport, or attend large sporting events.

Our Challenge for the Future

Unfortunately, we have a long way to go. We can envision the future as instant access and instant identification, but to get there, identity technology must progress to the point where it can guarantee correct authentication. And the majority of people have yet to understand that online security is even more important than offline security. Physical assets are more easily replaced. Recovering your online identity and digital assets is far more problematic and arduous. Despite 3 billion Yahoo passwords being stolen, and an attack on Equifax which affected 143 million Americans, that vigilance is not yet there. Many people still don’t see password security as a problem. They can’t see why anyone would want to hack them. I hope not, but perhaps we haven’t yet seen a big enough attack. Perhaps the tipping point will come when everyone knows a friend or relative who’s been a victim of cybercrime. At LastPass, we’re focused on making security, simply effortless by addressing the human factor. We’re helping people and businesses improve their security posture while removing friction and obstacles to being productive and getting work done. Matt Kaplan is the General Manager of Emerging products at LogMeIn, which includes LastPass. He is accountable for establishing and executing the business vision and product strategy while aligning product, engineering and go-to-market teams to deliver on growth goals.