CarahCast: Podcasts on Technology in the Public Sector

Safeguarding Public Sector Data with Trusona Passkey Authentication

Episode Summary

Listen to the Trusona passkey authentication podcast to learn from cybersecurity experts as they discuss robust phishing defense tactics and passwordless authentication solutions. Explore how your organization can leverage advanced password security software to enhance sign-in processes, effectively mitigating the evolving risks of GenAI by detecting impersonation fraud and account takeover attacks early.

Episode Transcription

Anthony Jimenez 

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host, from the Carahsoft production team. On behalf of Trusona, we would like to welcome you to today's podcast, focused around Trusona Passkey Authentication for the public sector to protect against AI-based account takeover attacks. Ori Eisen, the CEO and founder at Trusona, and Frank Abagnale, best-selling author and advisor at Trusona, will discuss how to safeguard public sector data with Trusona Passkey Authentication.


Frank Abagnale 

Hi. This is Frank Abagnale, and it's a pleasure to be with you just for a few minutes to discuss no-password technology. For those of you who don't know, for over 48 years I have taught at the FBI Academy and over 200 seminars for field offices of the FBI, as well as law enforcement and federal law enforcement in the country, from coast to coast. I'm also the proud father of an FBI agent who's celebrating 18 years in the Bureau, currently the unit chief of the FBI Crisis Negotiations Unit. During my 48 years, I've conducted 3,000 seminars around the world on cyber-crime, identity theft, fraud and many other subjects. But all through my career, I've always believed that we have got to get rid of passwords. I've been fortunate enough to be an advisor to Mr. Eisen for almost 20 years and developed some great technology in the fraud prevention area for the past 20 years, but I always said to him, we have got to get rid of passwords. Passwords are for tree houses. I'm not the only one. Everyone hates passwords. Passwords were invented in 1964 when I was 16 years old, before I did any of the things I did. I am now 76 years old, and we are still using passwords. How is that possible? If we go back and look at breaches, and I look at them going back to 2004, thousands of them, the one thing I've learned is that every breach, every single breach, occurs because someone in that company did something they weren't supposed to do, or someone in that company failed to do something they were supposed to do. Hackers don't cause breaches. People do. There are millions of open doors left by people on every floor in every building and every company, whether it be a Fortune 500, a Fortune 100, a government agency or even the smallest business with 12 employees, and all hackers actually do is look for those weak spots and those open doors.
But how can we still today be using passwords, a technology from 1964? 80% of network intrusions are the result of a compromised user password. Colonial Pipeline shut down the entire Northeast over a simple compromised user password. 81% of hacking-related breaches involve weak or stolen passwords. And every day around the world there are 579 password attacks every second, according to Microsoft, which is equivalent to 18 billion attacks a year. If we were to take the three largest banks in the United States, just the three largest banks, those banks spend over $100 million a year resetting passwords in their call centers at $70 a reset. It is time for us to do away with passwords. They are an old technology, and I absolutely need to see them replaced. And for once in my lifetime, and I'm fortunate enough that it's happening in my lifetime, we're moving to passkeys and no-password technology. I'd like to now pass it over to Ori Eisen, who founded the no-password technology, and he'll go on with the information. Thank you.


Ori Eisen 

Thank you very much, Frank, and thank you, everybody who's joining us today. I really appreciate our host, Carahsoft, and our partner who's helping us bring this technology on top of their contract, so anybody who wants to use it can. As you can see, we want to talk to you about the 360-degree protection, which means: how do we put this technology everywhere you need it, so hackers do not find that door Frank was talking about, and provide also a great user experience at the same time? At the end of my presentation, I will also speak about the need for preventing account takeover during the account reset process, or the account recovery as it's called: how do we know who is trying to reset the account? Because those users will not come with passkeys. And you can see government agencies are making the news, unfortunately, part and parcel with every other large company, and unfortunately we need to be able to move ahead faster than the bad guys. Otherwise, we will play catch-up all the time. AI and the exacerbation of fraud is super important for this call today. Up until 18 months ago, all the tools the bad guys were using were known to us, and the equation of who can beat whom was pretty much even. However, with the invention of AI, with GenAI or deepfakes, you can now appear, have a video, have a voice of the user, and unfortunately beat either the IT help desk or other unsuspecting users at a company to masquerade or pretend to be somebody who belongs. This technology in the wrong hands could cause a lot of damage and a lot of problems, as the Scattered Spider gang is wreaking right now on the world.
Why are GenAI and deepfakes such a big problem? If before I needed to mimic the voice of a person at a company, today what the crooks are doing is simply calling this person, and as soon as they pick up the phone and say, "Hello, who's calling?", they have enough of a sample of the voice to then use a modulator and have a complete conversation with that voice, with the IT help desk, for example. It is that simple to do today. Today, you can take one picture of me, a still picture, and animate it with AI for me to appear moving, just like you see me here in Zoom. And now I'll ask you, how do you know that you're looking at me and not an AI model of me? And I'm pausing for effect. These technologies allow the bad guys now to imitate, to mimic, to masquerade as the real users, and they're starting to sell the know-how and tools on the dark web, which basically means the equation is now tilting towards the bad guys with the advent of generative AI. If we look at the chain of the different solutions you have in the company, for onboarding, for login, for account recovery, you will see that the crooks are using generative AI to attack the weakest link, because that is where they can do whatever they want. For example, today we're here to talk about passkeys and passwordless technology, and we will show you how that works. However, the bad guys will not call and use passkeys. They will simply say, my phone was stolen, or my PC does not work, hence I cannot use passkeys. And now they'll ask to be authenticated with KBA, which is knowledge-based authentication, or OTP, or lower-grade security that will allow them to get in. I'll say it again. We can build all the fortification we can, but the bad guys will say, I simply don't have that tool you want me to have right now. Help me with a different level of security, which is usually lower. So, step one in preventing this is to add passkeys. So, for your good users, you have the best security possible without passwords.
They cannot be phished and so forth. And on top of it, you must have a different solution for when the bad guys call in and say, I don't have passkeys, you should still help me, so we don't leave that as the door that is left unlocked, as Frank mentioned before, and we'll talk about both. If you've never heard about the term passkey, it started with the FIDO Alliance almost 13 years ago. As Frank mentioned, Trusona was founded on creating a solution that is without passwords, and Frank joined this journey to help us be an evangelist for this idea. Today, thanks to all the efforts of the industry, the technology is on 4 billion devices. It's on every major operating system and in every major browser. So now only you, the government agency or the large corporations, are left with the work to add it to your website. You see, it's not that, because it's in the browser, it will just start working for you. It's very similar to every browser knowing how to interpret HTML, but that does not write your website. The beauty is that you don't need to wait for anything. Today, this technology meets both CISA and NIST recommendations for IAL2, and of course it is phishing resistant. How? Because if you call me, or you call my mom, and ask for our passkey, you will not be able to get it, because we cannot give it to you. Passkeys are released as a result of using biometrics like Face ID or Touch ID on your phone, and the user has no idea what they look like and what they are, unlike passwords, where you can simply give it away to an attacker. Last but not least, passkeys simplify and speed up the registration and login, so not only is it phishing resistant and more secure, which was Frank's, you know, idea from the beginning of why he should help the world get there, but it happens to be easier and faster to use, so we're getting the best of both worlds. Let's look at the journey from passwords, as Frank said, from 1964 all the way to today's passkeys and MFA.
In the late 90s, if you recall, there were technologies like SecureKey or SecurID, which were tokens that would change their number every 30 seconds or every 60 seconds. Those were called OTP, or one-time passcode, and those really gained the name 2FA, or two-factor authentication. As a good lesson in the history of security, you should ask, what is the one FA, if this is 2FA? Well, the one factor was username and password. We thought at that time that we would never do away with passwords. So, let's leave that as the insecure barrier and add on top of it a second factor. This is literally what that means. The notion of using passkeys is to undo all that work that was done before, because we now know that when people generate passwords for themselves and they're stored somewhere, after a breach that information is sold in the underground, and the key is simply useless, because once you give away your passwords, people can simply waltz into the account. So, the idea of passkeys was: what can we do to give users something that they will not need to set, because people do not want to create long passwords to begin with, that they don't need to remember, and, way more important, that will be phishing resistant, so that even if you ask them to give it to the attacker, they will not be able to do so? The way the passkey technology works, to get a little bit more technical, is that it uses public and private key cryptography. The standard for that was developed by the FIDO Alliance. Today we're at the FIDO2 version of this. As I said, it's on every major browser. It is considered MFA, or multi-factor authentication. It is built into the operating system and uses the biometrics either on your smartphone or on your PC or Mac in order to unlock the Trusted Platform Module, which is where those passkeys are stored, very similar to where operating systems store your biometric templates and things like that.
Your private key is never sent back, either to the relying party, let's just say it would be your bank, or to Apple or Microsoft or anybody else. It stays only on your device. So that's one of the biggest misconceptions about passkeys, that people can see them or exchange them, and the answer is you cannot. The passkey is bound to a certain domain. So, if you created a passkey at Bank A, you cannot log in with it to Bank B or to Pharmacy C or to E-commerce D. Every single passkey is bound to the domain that created it and can only be used there. So, if you have in your life 40 different websites that you're using, you will eventually create 40 different passkeys to get into them. And part of the good news with that is, if one of them gets stolen for any reason, those keys cannot be used to unlock the rest of your websites. As you can see, that is very different from the password: if you use the same password everywhere, stealing one of them will steal all of them. Last but not least, using passkeys essentially removes the notion of credential theft or credential stuffing, or even social engineering, as we said, because the users simply cannot give you the passkey, and machines cannot use credential stuffing to try and guess it, because every single time you do need to use a biometric, and that is not something that would work easily for an attack. I'm happy to say that this year, NIST has finally recommended and approved passkeys for use in many different use cases. You do need to check your own guidelines, especially in the federal government, if passkeys will match the IAL level that you require; both the Carahsoft sales team and Trusona would be happy to sit with you and review and go over these requirements. But by far and wide, you can use passkeys today in many different use cases, especially if they're consumer facing, in both large enterprises and public-facing websites of the government. Our team built something that will show you how you can have a citizen experience.
Think about the IRS website, for example, or login.gov, or anything that would allow people to log into some services, whether on the federal level or on the state or local level. By moving away from passwords and adding passkeys, you can improve a few things. First is an enhanced experience. If you do account opening, there's no password that is needed to create, and more accounts are opened as a result. The second experience enhancement is no password to type every time you log in; you don't have to remember it or type a long thing on your mobile phone, so you have no login failures or resets because people don't need to remember it or type it and make a mistake. So that will allow for more login success, which could lower your support costs of account resets as well as just spending time on sending SMS, for example, or anything else to help people reset and, of course, creating a happier citizen because the user experience is smoother. And last but not least, without adding anything cognitively that you need to remember, you are getting a second factor by design, which is not phishable and is not susceptible to ATO, or account takeover. We'll touch on that at the end of our presentation, and that means you have fewer successful attacks, because there's just no way for the bad guys to get the passkeys. And that reduces the threat and is also in compliance with CISA and NIST recommendations. In Trusona, we have decided to provide our passkey solution in two ways. One, I will call the good old-fashioned way, by giving you SDKs and APIs and wishing you good luck on your nine-month journey to add it to your website. Of course, we're there to help and consult, but that would require the whole SDLC cycle, or software development life cycle, and as you know from your agency, it will take a long time to get the value. In addition to that, which is what most vendors offer, we offer our rapid deployment, which basically is coming from our platform.
We call it passkey as a service, which simply allows you, when somebody clicks login, to point them to our facility to log in. Of course, the URL will still be yours. We use CNAME and all those technologies to make it look smooth. And after we finish with the login process, we are redirecting the user back to you in an authenticated state. The beauty of that is it gives you an out-of-the-box user journey. You do not have to sit there for months and design it. You can manage all the journey through our platform, and you can get time to value in the fastest way possible. That does not prevent you later from bringing the technology in house if you wanted that. But the beauty is that you do not have to go on a long-term project in order to gain the value of passkeys. We already do all the operating system and browser compatibility complexity; all that is already included in our solution, and we're integrating with the largest IAM, CIAM and IdP providers through open standards like SAML and OpenID Connect, which means that everything could just fit in. There's nothing there like spaghetti code that you cannot undo later on, and usually it takes 30 days from the moment you say, yep, I would like to try it, until you have it live, working and ready for users to play with. The technology that we provide on the fly allows you to customize, to configure, to evaluate and expand without you writing a single line of code. You can see on the bottom some testimonials from people who've gone through this process, and they're simply saying, thank you for saving me all the agony of figuring this out and giving me something that is already ready to get going. As I mentioned before, gangs like Scattered Spider, if you don't know who they are, please look it up. They're the folks who are suspected of creating a lot of mayhem in the last year, specifically the MGM shutdown. The modus operandi that they use is calling the IT help desk and pretending to be a user that needs help.
And they would say, I don't have passkeys, or I don't remember my password, or my, you know, laptop or phone are gone. Please help me. Those attacks are called account takeover because they're trying to take over an existing account. And what Trusona offers, because we have live customers who realize that they need help with those phone calls when people do not have passkeys, is a product we have developed called ATO Protect, to protect you and your organization from these rogue calls that pretend to be from users, but they're not your users. The way we are doing it is we have simplified the user journey to a simple URL that you would send to the caller. You can text it to them, you can email it to them, you can read it to them. You can give it to them on a Zoom call like this. And once they get the link and scan their government-issued ID, we would go to the authoritative sources to verify that indeed this ID exists. And then you can call anybody you want to continue or get more support. What we do is different than what you've probably heard about so far in technology. Most of our competitors are simply scanning the front of the document and trying to make an assessment: is this document real or not, because the fonts look correct and the sides look correct, or the template of the document looks correct? Unfortunately, with the advent of AI, bad guys are using software like Midjourney to create beautiful-looking fronts of the driver's license, and they even put their own face in there, and those mechanisms simply do not work as well as they did 18 months ago. What we're doing is not relying on the front at all. We simply scan the back of the document, where there is a 2D barcode that has more information that is encoded by the DMV, and with that, we know that the document is legit and not a fake.
The higher-level bit here is you should begin your passwordless journey with passkeys, and also be ready to take phone calls from people who say, I don't have passkeys, and make sure you authenticate those as well, because those could be the very crooks we're trying to defend from. So, here's one thing you can do, if you're participating. We offer this to all customers of our partners, like Carahsoft. You can ask us to create, at no cost, a branded passkey experience so you can show it internally to your team. We just need to know your logo and your color preferences, and our team will set it up. We can also provide a free account for this ATO Protect thing you just saw, in order to see that it would work for your organization. All these things we do for our partners at no cost. I want to thank you for attending today, and to remind you, Carahsoft is a distributor of Trusona to all kinds of government agencies.


Anthony Jimenez 

Thanks for listening, and thank you to our guests, Ori Eisen and Frank Abagnale. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Trusona can assist your organization, please visit www.carahsoft.com or email us at trusona@carahsoft.com. Thanks again for listening, and have a great day.