Cyber Leaders Exchange 2023: Okta’s Sean Frazier on killing the password dead
Getting rid of passwords once and for all is really about creating strong security that’s also frictionless for users, explains Okta’s Sean Frazier in a con...
In mid-July, the White House hosted federal and industry cybersecurity leaders to hammer home the point that the time has come to fully adopt phishing-resistant multifactor authentication.
Sean Frazier, Okta's federal chief security officer, said the meeting had two aims. First, to reiterate the importance of using strong MFA “to achieve a simple, seamless and secure digital experience,” he said.
Second, to continue the conversation started with the release of the National Cybersecurity Strategy, which called for the public and private sectors to align technology strategies to address shared security goals in an interoperable and usable way.
Using multifactor authentication is not a new idea. All the guidance around identity and access management from the Cybersecurity and Infrastructure Security Agency and others says to use multifactor authentication.
“But not all MFA is created equal,” Frazier said. “That was one of the common threads of the symposium — to talk about phishing-resistant factors. How do we think about multifactor authentication and a better user experience? And how do we make this really the jumping-off point to start talking about getting rid of the passwords and making passwordless authentication a real thing?”
As Frazier pointed out: “We’ve been talking about getting rid of passwords, I would say, for almost 20 years. Part of it is the technology had to catch up to where we are.”
With FIDO2 passwordless authentication and other approaches that work on mobile devices and desktops equally well, the opportunity to finally “kill the password dead” is here, he said.
That’s why the White House’s meeting emphasized the need to get past the need for usernames and passwords once and for all.
Any MFA is better than no MFA
Phishing-resistant MFA is different from just regular MFA. Frazier said phishing-resistant MFA means there is no ability for a man-in-the-middle attack where a bad actor can capture someone’s information from the authentication stream.
“It includes some things like the user origin binding and it includes things like the device binding,” he said. “Even if the person got anything off of the wires or the conversation, they could not use that to impersonate you.”
With MFA that is not phishing-resistant, attackers — who Frazier noted are getting more sophisticated and faster — can capture a code that is texted to a victim’s cellphone or sent to an email address.
“I always tell people that any MFA is better than no MFA. If you’re telling me you can’t do any MFA, and the only thing you can do is SMS, I’d say, ‘OK, do that,’” he said. “But anytime you have something that you know, like a password, and also something that’s going to be shared with you like a one-time password, it’s really not that difficult for attackers to either figure that out or figure out a way for you to give it to them or figure out a way to sit in the middle of that conversation and pull that off the network and use it on your behalf.”
The use of phishing-resistant multifactor authentication is therefore a fundamental ingredient in the implementation of any zero trust architecture.
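As an added example (not from the interview, from Okta, or from the FIDO specifications), the Go program below models the two properties Frazier describes, user origin binding and a device-held key, in a simplified WebAuthn-style assertion. The browser writes the page origin it is actually on into the client data that gets signed, and the server accepts a signature only over its own origin and the challenge it just issued for that session. The program runs three constructed scenarios: a legitimate login, replay of an assertion captured off the wire, and an adversary-in-the-middle proxy that relays a real challenge to a victim on a hypothetical lookalike origin (https://examp1e.com). Both attacks fail even though the attacker saw everything on the wire, because nothing on the wire is reusable. The RP ID scoping a real browser also enforces, and the signature counter, are left out to keep the model short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData models WebAuthn's CollectedClientData. The browser, not the web page,
// fills in Origin: that is what makes the resulting signature origin-bound.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) receives for one login attempt.
type assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // flags only here; a real one starts with SHA-256(rpId) and a counter
	Signature         []byte
}

// authenticator holds the credential private key, which never leaves the device.
type authenticator struct {
	key *ecdsa.PrivateKey
}

func newAuthenticator() (*authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &authenticator{key: key}, err
}

// signedMessage is WebAuthn's signing input: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// sign answers a challenge as seen from a browser whose page origin is browserOrigin.
func (a *authenticator) sign(browserOrigin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	authData := []byte{0x01} // flag bit 0: user present
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cd))
	return assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, err
}

// relyingParty is the server side; it holds only the public key registered at enrolment.
type relyingParty struct {
	origin string // the only origin whose assertions are accepted
	pub    *ecdsa.PublicKey
}

// newChallenge issues a fresh per-login nonce that is valid for this session only.
func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand: fills b and never returns an error (Go 1.24+)
	return base64.RawURLEncoding.EncodeToString(b)
}

// verify applies the checks that make the factor phishing-resistant: fresh challenge
// (no replay), origin binding, and a signature only the enrolled device can produce.
func (rp *relyingParty) verify(challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin mismatch: signed at %q, expected %q", cd.Origin, rp.origin)
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, err := newAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := &relyingParty{origin: "https://example.com", pub: &auth.key.PublicKey}
	// 1. Legitimate login: the browser really is at the RP's origin.
	ch := rp.newChallenge()
	a, _ := auth.sign(rp.origin, ch)
	fmt.Println("legitimate:", rp.verify(ch, a)) // <nil>
	// 2. Replay: the same assertion, captured off the wire, is useless in a later
	//    session because that session was issued a different challenge.
	fmt.Println("replayed:", rp.verify(rp.newChallenge(), a)) // challenge mismatch
	// 3. Adversary-in-the-middle phishing: the proxy relays a real challenge to the
	//    victim on a lookalike page; the browser stamps the lookalike origin into
	//    clientData, so the relayed signature is rejected by the real RP.
	ch = rp.newChallenge()
	a, _ = auth.sign("https://examp1e.com", ch) // constructed lookalike origin
	fmt.Println("phished:", rp.verify(ch, a)) // origin mismatch
}
```

Run it with `go run`. The contrast with the one-time code Frazier describes is in scenario 3: a six-digit OTP carries no origin and no challenge, so the same proxy that relays the WebAuthn challenge here would relay the OTP and log in as the victim. The FIDO assertion is bound to where the browser actually was and to one server-issued nonce, so the attacker can see the whole exchange and still gain nothing.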
Frazier said he’s seen the use of strong identity and access management mature across the government over the last few years.
Finding the right friction balance
But culture obstacles continue to hamper agencies in reaching a higher level of maturity, he said.
“To me, it’s almost an evolution not a revolution, so these changes are not nearly as big as they seem upfront,” Frazier said. “But some people are still resistant to change because we’re human beings. It’s kind of what we do.”
He described that cultural shift as moving from protecting everything on a network — using firewalls, intrusion detection systems and intrusion prevention systems — to moving security to the endpoints, essentially every user device and all applications. “That’s a big fundamental shift for folks,” Frazier said.
To address that requires continual communication across organizations, he advised. Agencies need to develop communication and action plans to ensure leadership and frontline workers understand the changes that are happening. Frazier said some agencies and organizations are finding success in changing culture through a center of excellence approach.
A center of excellence approach lets an organization handhold its users and provide a strong communication platform to keep everyone informed, he said.
“This is not a government problem or an agency problem,” Frazier said. “This is a writ large technology problem in society, where you need to have that ability where you meet the users where they are, provide very little friction for them and provide all the friction to the attackers as you build a robust security architecture that is flexible enough to support that.”
And that user experience matters a lot, he said. “I am just as passionate about good user experiences as I am about good security outcomes. I think this is one area where we have challenges where we as security people like to be the people of ‘No!’ We’re going to tell you what you can’t do because we’re security people, and we have to figure out ways to enable people so we are the people of ‘Yes.’”
Why? It’s simple, he said: If security teams create friction for users, the users will find a way around protections. Agencies must therefore strike a balance between mitigating risks and creating good UX, Frazier said.
“We need to make sure that not all the onus for security is put on the end users, which is back to the password. … For the most part, I think that the burden for a lot of this, as builders of software and builders of security, should be put on us. We should build secure-by-design things. We shouldn’t rely on the end user being able to configure things appropriately.”
Sean Frazier is Federal CSO at Okta. In his role, Sean acts as the voice of the CSO for Okta's federal business. Prior to joining Okta, Sean spent more than 25 years working in technology and public sector security for companies such as Duo Security, Netscape, LoudCloud/Opsware, Proofpoint, Cisco & MobileIron. Sean has helped lead numerous projects used by the Department of Defense and Intelligence Community, including the Fortezza Crypto Card, Defense Messaging System (DMS) and many others. He also has extensive experience in identity and public key infrastructure (PKI), network, applications, mobile and IoT. Sean has testified in front of the U.S. Senate Homeland Security and Government Affairs Committee on the importance of public/private partnership in protecting the nation’s digital infrastructure. Sean also advises public/private partnership working groups including ACT-IAC, ATARC and many others.
Jason Miller
Executive Editor, Federal News Network
Jason Miller has been executive editor of Federal News Network since 2008. Jason directs the news coverage on all federal issues. He has also produced several news series – among them on whistleblower retaliation at the SBA, the overall impact of President Obama’s first term, cross-agency priority goals, shared services and procurement reform.