The End of Passwords with Trusona's Ori Eisen

Passwords are the worst. We know many users pick easy passwords and reuse them everywhere, password managers create a treasure trove for hackers, and even two-factor authentication has vulnerabilities. So that got us thinking: what's next?

Ori Eisen is our guest on this episode of the Georgian Impact Podcast (https://www.georgianpartners.com/the-impact-podcast/). He is the founder and CEO of Trusona (https://www.trusona.com/), a company working to bring about the death of passwords. Their technology verifies online identities using a combination of the existing biometrics in our phones, along with a snapshot of the "river of data" coming from the phone's sensors. It's online security that goes way beyond asking for your mother's maiden name.

You'll hear about:
- Why two-factor authentication often isn't as secure as we'd expect, and why companies like Google are moving away from SMS-based 2FA (https://www.zdnet.com/article/google-wants-you-to-stop-using-its-sms-two-factor-sign-in/).
- The pitfalls of password managers, and how they can make life easy for the bad guys.
- How Trusona integrates with everything from Office 365, to Zoom, to WordPress (https://www.trusona.com/videos//passwordless-login-to-wordpress-with-trusona).
- How to thwart spear phishing attacks even if hackers steal your phone or spoof your SIM card.
- Why anti-replay is a key part of any security solution.
- How quantum computing could soon undo the last 50 years of cryptography (https://georgianpartners.com/episode-97-quantum-computing-and-tomorrows-problems-today/).

Resources:
- Watch Trusona's demo: https://www.trusona.com/videos/2016/12/6/trusonas-best-of-show-demo-finovate-fall-2016
- See Trusona's anti-replay demo: https://www.youtube.com/watch?v=zoD5QWU1s_o
- Listen to our episode on quantum cryptography with Isara CEO Mike Brown: https://georgianpartners.com/episode-97-quantum-computing-and-tomorrows-problems-today/

Who is Ori Eisen?

Ori Eisen is the founder and CEO of Trusona (https://www.trusona.com/). He has spent the last two decades fighting online crime. Prior to founding Trusona, Mr. Eisen founded 41st Parameter, the leading online fraud prevention and detection solution for financial institutions and e-commerce. Prior to that, he served as the Worldwide Fraud Director for American Express, focusing on Internet and counterfeit fraud. And before that he was the Director of Fraud Prevention for VeriSign/Network Solutions.
Chapters:
- Why 2FA is important (0:23 min)
- Why Google is moving away from SMS-based 2FA (0:42 min)
- How password managers make it easy for the bad guys (0:28 min)
- How Trusona works (0:56 min)
- Why anti-replay is a key part of any security solution (0:46 min)
- How quantum computing could soon undo the last 50 years of cryptography (0:49 min)

John Prial: No time for fear-mongering. We already know all the issues around hacks and data breaches. Today, we're talking solutions. How about living in a world without passwords, but still being able to log on in a more secure manner? Say what? Yes we can. I'm so pleased to be talking with Ori Eisen, founder and CEO of Trusona, one of Georgian's companies, and previously the founder of 41st Parameter, another Georgian company that was focused on detecting fraudulent transactions. I know you'll appreciate his directness and clarity when discussing an issue that at times can be frustrating, confusing, and a little challenging. Ori and I will be talking about why passwords are really not fit to protect our data, and how Trusona is providing a better and really interesting solution. I'm John Prial and welcome to the Georgian Impact Podcast. Ori, welcome to the show again. Look, I don't want to insult our audience, and I want to get beyond the data as to how many people still have passwords of "password" or their birthdays and so on, so I know you're going to share an amazing statistic. I'd like to quickly get to the next level up though: two-factor authentication. Let's remind people why that is important.

Ori Eisen: Unfortunately, 18% of users use 123456 as their password. And to your question, that is why two-factor is so important, because even if their password was breached or they gave it away through a phishing attack, the attacker cannot get in if the second factor is effective.

John Prial: So does having two-factor authentication eliminate me having to use my mother's maiden name?

Ori Eisen: Mm-hmm (affirmative). Good question. It all depends what the relying party, the company you're trying to do business with, wants to do. For example, if you say "I forgot my password," you might go through a whole set of questions like KBAs, Knowledge-Based Authentication. And they might as well ask you what's your mother's maiden name in order to recover your password. Many different companies do different things, so I don't know that it will completely save you from it, but if the world goes passwordless you can prove who you are without ever saying your mother's maiden name.

John Prial: So I guess I'm good with that for now, but I'd like to go down the negative path. Many people, I think, naively assume that their smartphones are safe, but I've read, and I really want to hear more from you, about whether text messaging, a common second-factor authentication, is safe or not. I've read about social engineering: I can get to a phone company, a human being, I get a new SIM card and all of a sudden, maybe I'm not safe anymore. Have I figured out the basics of a hack here?

Ori Eisen: That is absolutely correct. Before, we used SMS, really the telcos' network, as a second channel to give you that OTP or One-Time Passcode. Unfortunately, now people can simply call the telco, and when they ask, "Hey, who is calling?" you can say, "Hi, my name is John. I have the mother's maiden name, or I have the last four of your social security." And then they ask, "What can I do for you?" So the attacker can simply say, "I got a new phone, please port my SIM to this new phone." And that's it. I now get your OTP. So not every two-factor is made the same. As you can see, with simple social engineering or simple account takeover, I can now take over the very security that you thought you had. And unfortunately, Google just announced this week that they will stop using this method because it's so porous.

John Prial: Wow. That is a negative path, and it's dark for sure. Porous, I liked the use of that term too. How about password managers? Do they help? The good, the bad, the halfway? What are your thoughts?

Ori Eisen: I happened to have a call two hours ago with one of the leading password vault manufacturers, and the conversation went something like this: "You're expecting me to put all of my keys into one vault, all of my passwords. And how do I exactly protect this vault? Ah, with a master password!" It's almost like we're making it easy for the bad guys, because if you get my master password, you now not only have that, you have everything. So my argument to them is: at least protect the vault with something that is passwordless, so it doesn't allow somebody to get everything in. I jokingly say, it's almost like we've helped the bad guys by organizing my bank log-ins and my healthcare; we've put everything neatly together. We might as well go back to the notebook where only I can read my handwriting. It makes it easier on the experience, no doubt, to put all your passwords in one place. I will admit to that, but it is not more secure.

John Prial: All right, I'll stick with halfway good because I really do love the use of my password manager. It really does warn me when I have duplicate passwords, it alerts me to breaches. It helps me generate complex passwords and it really is quite easy. Plus I'm comfortable that all that information is encrypted. It's only on my local machine, but you're talking about this main entrance into this treasure trove and Trusona can clearly help there. So tell me about your solution, how it works. I really do find this quite fascinating.

Ori Eisen: Yeah. I'll tell you, and if you don't mind, we can try recording a 20-second demo that will explain it very nicely, but first let me just explain it with words. We essentially found a way to take the cell phone everybody already has in their pocket. You already have biometrics that you trust and that trust you, and we essentially extend it to any channel. Meaning what? When I put my fingerprint on my phone to unlock my Bank of America app, the context or the domain in which my authentication just happened is only on that phone. So if I stand, for example, in front of an ATM in the street, the ATM does not know who I am, even if I logged in to my Bank of America app right in front of it. So the Trusona solution allows us to use all the technology that already was built by Apple and by Samsung, maybe some Amazon stuff, and extend it beyond your phone to your PC, to an ATM, to a call center call, to your TV, anything that you can simply point your phone at with a QR code and log in. And if you don't mind, I'll show you the shortest demo of your life, and the audience can see it too, of how it's simply just point, and there's never an exchange of username and password in the process. So even if there is a keylogger that is waiting for me to type in my username and password: sorry, it's never going to happen, because it's passwordless. So watch.

John Prial: We'll have to share this, and although we're an audio podcast, we'll figure it out: put some video up and point to it in the show notes. I encourage everyone to take a look. It's pretty cool.

Ori Eisen: I'm going to the Trusona website, so anybody who is watching can simply do this later on and play with it. So imagine you add a "Login with Trusona" button to your VPN, to your SSO, to basically anything that you want to log into. Once you click it, it moves to a gateway with this QR code that is like a shimmering movie. You see, it's not a static object here. If you can see my video, I opened the Trusona app, which you can get in the app store, and it's simply a scanner. And all I do is this: I just point at the screen. Note my hands, you can see them in the video. I'm not touching the keyboard. There's no username, no password exchanged, and I'm now asked, "Is that really you?" And I simply click accept and pass the challenge of my biometrics. So John, if you found my phone, you wouldn't be able to pass that step. I'm in, and there's no username and no password whatsoever.

John Prial: Well, that's incredible. This biometrics piece is key. So just to loop back to that discussion on social engineering, where I'm fooling a human at a call center, but I'm on a phone: does that no longer happen? Because now we've got the physical, where I am or where my face is. What exactly are you looking for?

Ori Eisen: So first let's demystify Face ID and Touch ID. Many people think that somehow the fingerprint data reaches Apple or Apple's cloud. It does not. It stays only on your local phone. And for that reason, when you get a new phone, you have to train it again with your fingerprint. It only stays local to the phone. And part of what I said before is we are using the fact that once you authenticate to your phone, we can then extend it to other channels. Now, the thing is, Apple doesn't know if your fingerprint belongs to you, John, or to Justin, or to somebody else at Georgian. So we need to tie it, to hook it into an identity. So in the Trusona app, for example, we are asking for an email that you go verify with an email magic link. And after that we say, "Ah, this phone that John authenticated into is linked to this email that he verified." So that every time you click "Login with Trusona" and you scan our code, we assert on the backend that you have logged in successfully. So let's just say you try to log into Office 365 to do your work. And you indeed have a john@georgianpartners.com email, and Trusona asserts to that; you will be let in. However, if you try to go into a federal government website and you used Trusona, we will assert that john@georgianpartners just authenticated, but they'll say, "Sorry, he's not one of the users we will allow here. So thank you, but no thank you."

John Prial: Well, now I'm getting this. That's not a password for me. It's really me, my true identity. Dare I say my true persona at Trusona? Very effective.

Ori Eisen: In fact, let me give you a fun fact. It happened to be with one of the largest VCs, who is a customer. They had a 30-day pilot; during the pilot, only two of the employees had Trusona and the rest of them used regular 2FA based on SIM. They had what's called a whale attack, or a spear phishing attack, that went exactly after their senior leadership to move some LPs' wiring instructions, a very severe attack if it was successful. The two people that chose Trusona were the only two people that it didn't work on. Why? Because their phones were ported. Just so you know, their SIM was swapped, but they got the push notification, not the attacker, because our certificate only goes to that phone. We don't care what phone number it has. So after 30 days, all those guys said, "You don't need to sell us anymore. We know it works, because during the attack, the only two phones that still got the login correctly were yours."

John Prial: So let's go one level deeper. We at Georgian believe we've developed really good security hygiene. Everyone could do better, but we're pretty comfortable. We are users of Trusona. And by the way, that example you just used was not of us, but we've really been able to raise the sensitivity level of the entire company, so that whenever any spam, especially those spear phishing attacks, comes in, we immediately share it in a Slack channel. And it's interesting to see that not just one comes in, but often multiple at the same time. But it's great to see how the human side works and how important it is. But there is more we need to talk about, and I'm sure this goes back to your previous company, 41st Parameter. Talk to me a bit about anti-replay, please.

Ori Eisen: The best way to explain it is this. When you observe a river that is running and gushing, it will never be the same if you go in and out of it. And there's a very famous metaphor that Trusona is built on. It's called "You can't enter the same river twice." It's 3000 years old. What it really means is, in today's world, we know already the malware is in people's PCs. It's called man in the browser. So anything you can try and hide or obscure, it's not going to work, because the bad guys are already there. For that reason, and because we know they're listening to your keystrokes or listening to your session and simply replaying it later to be you, we've invented something called anti-replay. And it works like this: if you and I stood at the edge of a river and took a snapshot of it with a camera, with the waves and the water bubbles and whatever happens there in the river, you really can't take that picture exactly like that ever again, because it is so unique. It's like a snowflake or a fingerprint of sorts. And it's just never going to happen again. To illustrate it, guess what, I'm going to quickly share my screen, because there's a saying: "A picture is worth a thousand words."

John Prial: John here, let me just add that the audio is sufficient here for you to get this without the visual. That said, we will drop the Trusona page into our show notes.

Ori Eisen: Here's what I'm talking about. If you took that picture with me, John, with all these water droplets, you agree, you can't take it perfectly the same. When I showed the demo and I clicked our accept button, the moment you touch it, we're actually freezing or taking a snapshot of the river of data on the phone, such as the date and time down to the millisecond, that should never, ever repeat. Exactly where you touch the phone, which you can't repeat even if I ask you to. Where was the compass pointing? What was the accelerometer reading? All those things that are not even personally identifiable. And we take all these numbers and we hash them. Why? Because if you had malware that listens to you logging in, and then it would replay that session, we will see that picture of the river perfectly again. Then we'll say, "Sorry, but that cannot work." If it's a 100% match, it's 100% fraud, because you can't repeat that even if you wanted to.

John Prial: It really is this biometrics and more. I'm standing at an ATM, I'm 18 inches away. My phone is at a particular angle at a particular height. Is that the river of data?

Ori Eisen: Yes. And the beauty is we don't take those signals like in fraud detection, where we say, "This looks anomalous, hence it's suspicious." That is not what we do. That is exactly what we did in 41st, by the way. In this case, there are zero false positives, because what we're saying is, if it ever comes perfectly back, how you stood next to the ATM and how you interacted with anything, then it can't be you, because you can't repeat that even if you wanted to. The only way it would repeat is if someone recorded it and replayed it. So the beauty is we are all different. We do things differently, even between transactions. And we're using that against the bad guys in this case.

John Prial: Now I still see CAPTCHA, that technology to show that, quote, "I'm not a robot." It's different than replay, but it is interesting that somehow it seems to me that it's watching my cursor movement before I click. Sometimes I get those goofy pictures to choose from. Is it fair to say what you've been describing is kind of that on steroids?

Ori Eisen: It is. CAPTCHA basically says somebody with a human-like brain (note that I didn't say human) is on the other end. It still does not say John is there. If you want to know, the bad guys simply hire kids in India who get one penny per day to sit and click and solve CAPTCHAs to get into systems. So it just means that you have a human and not a bot on the other end. Unfortunately, with AI, I think all these CAPTCHA things will just disappear, because AI will just become better than humans, even at looking at these things. So it's a good step in the right direction, don't get me wrong, but it still doesn't mean that it's you.

John Prial: Well, we've all heard a lot about deepfakes and some of the challenges we will face with the future of AI. CAPTCHA prevents a fake human, but now let's go one step further. Will AI allow the creation of a fake John in front of an ATM machine?

Ori Eisen: Yeah, kind of, but where it will not be able to fake all the way through is if I ask you to validate your email and you have to go do that, or if I ask you to take out your driver's license and show it to the camera. Last I checked, AIs don't have things like that to do in the physical world. They don't have hands to do it. So could they try to pretend, to shove images or create images? Yes, but if I know that the distance of the camera was zero millimeters, I would say, "Okay, no document is in front of the phone, ergo it's fake." So that's where the limitation of AI is. We force users to do things in the real world as part of joining Trusona, and AIs are just not equipped to do that today.

John Prial: So the connection of the digital and physical world really makes this interesting. So let's talk about your business a bit. Here we are in the middle of a pandemic. Zoom is the latest verb. It's a noun that's deeply embedded in the consciousness of so many people now. There they were, a happy company selling to enterprises, and boom! End-user consumers by the gazillions, I don't have the real number, are in the middle of logging on, and they're avoiding Zoom bombing and all that. Where does Trusona sit on that spectrum of end users and enterprises, and how do you navigate all that?

Ori Eisen: Great question. I think the biggest struggle we had as a business is to decide where to focus in the early days. We're five years old now. When you say login, or when you say the word password, what you just meant is billions of interactions per day, both in consumer events and in business events, in B2B2C, in partner. There are so many logins happening. So where do you start? We began our journey in B2C, just because we wanted to have situations like Netflix, where if you could put our SDK into the Netflix app, in one day you got 500 million users, and I'm sure the investors would clap. Over time, we realized that the world was just not ready. They didn't get it. They just said, "Username and passwords are kind of working, so leave me alone." We are now experiencing a world where Microsoft, who is by the way an investor, Google, Akamai are all saying, "We're going passwordless," because they realize how much better it is and that the world needs it. And that basically swept us into the B2E or business-to-employee world, where people don't think that by giving it to consumers they'll really protect their Holy of Holies, which are like the databases of the bank. All this to say, John, that we're now 50-50: half of our projects are for consumers and half of the projects are for employees, and we do both.

John Prial: Well. That's really interesting. So I do some work for a small nonprofit, should I push for a password manager as a start? What do you recommend?

Ori Eisen: Right. So for the small guys, the first thing I want you to know is we do have a free plugin for WordPress. So sometimes you only want to have a website for the nonprofit, so at least it doesn't get defaced. We give that for free to millions of websites. For managing, let's just say you have 20 employees and you want to go passwordless, it will be easier to simply go with something like Microsoft Office 365, where you can plug Trusona in, or something like Okta, where Trusona can plug in. And with one fell swoop, you make everything else passwordless. In fact, John, why don't I show you my website, my personal blog, and you'll see what I mean. So I practice what I preach. So here's my WordPress. People give WordPress a bad rap as insecure, and this is the login to my admin console. So even if you had my username and password, guess what? There's nowhere to enter them. It's just not there.

John Prial: What about the work from home that's going on? Is that a greater opportunity for hacking? Home routers, people's Nests, the things change, routers may be exposed. What happened in your company?

Ori Eisen: Yeah. So first, I'm going to say it again: I'm going to practice what I preach. I don't want to tell the world, "Hey, you should go passwordless," but in the meantime I do nothing. Guess what we did the first week: we added Trusona to Zoom. So I don't have to log in to Zoom and use username and password, so we did that. Once we all went home, we realized where our gaps were, because when I'd go into the office and the network recognized me, I might not even need a password. But now that I'm at home, it's almost like I'm coming in from a Starbucks or something. So we started plugging all the holes we had, because we usually were working inside headquarters, like VPN, Zoom and other things. The good news is more and more people now, because they work at home, realize how insecure passwords are for getting in through VPN. So we actually see an uptick in requests to protect remote employees, which is good news for the business, even though I don't like the circumstances.

John Prial: So Ori, I know you well enough. You're not one to sell fear. And the positive side of trust, in our view and Georgian's view, is really what's important. How do you go about this and tread lightly as you sell?

Ori Eisen: First of all, I appreciate you realizing it. I don't believe in FUD, fear, uncertainty and doubt, for a simple reason: if you read the newspaper headlines, just like a regular person, you should be scared enough. There's not anything else I should add to make you even more scared, and God help me, if I need to use FUD on a CSO, that means they're not the right customer. When I begin my pitch, it should not be about "Should you get rid of passwords?" It's about how to get rid of passwords. And many of them tell me, "Oh, skip these slides about why passwords are a problem. I know, I know it's a problem. Just tell me how I do it, right?" So I will say something that may be controversial, especially to other entrepreneurs in VC-funded firms, but I practice it myself and it works for me. I don't like to sell. I like to help people buy. Let me explain. It's a mental shift. In the early days I wanted to sell. What does that mean? John, imagine I'm coming to your office: "Hey John, I have a product. I think you should buy it. This is the price. Can we start a pilot now?" Listen to that conversation. It's all about me, how great my product is. Where are you in the conversation? And many people would say, "Wait, wait, wait, stop. Did you even ask me if I have the problem that your product solves?" Whoa. And after years of just listening to these conversations, I realized I don't need to sell. I need to help them buy. So the first thing is: tell me about what you're struggling with, what you're working with, and then going into the conversation is, what if we could get rid of passwords and get less sleep at night, get better user experience? Note, I didn't say anything that is fearful. I'm only telling you about the benefits of what your life would look like afterwards. And you know what, John, it doesn't work 100% of the time. I'm not going to lie. It works 9 out of 10 times, which is good enough. So I just changed my pitch to the positive outcome of using security, as opposed to "you will get fired if you get compromised."

John Prial: Wow. That is just great to hear it. And boy, I'll take a 90% close rate any day. As we close, where do you see the next big threat coming from?

Ori Eisen: It is not going to happen tomorrow, but I do think it will happen in our lifetime, where quantum computing has the potential to undo the last 50 years of cryptography. Simple as that. And just by the nature of the beast, only nation states will be able to have those machines. So you and I cannot just go to the Apple Store and get an Apple computer that is quantum-based. I do worry that what we think today is secure, even with things like SHA-1, SHA-256, SHA-1024, will just be a veiled mask to pretend, like it will be security theater and not real security, probably in the next 10 to 15 years. It probably is happening right now in some labs somewhere, but it will be available to nation states, to rogue nations. So if you thought, for example, you're using WhatsApp or Zoom, you know how Zoom now is going to make everything encrypted. Really? With what keys? The keys I'm allowed to use. Great. That means, I don't want to mention some governments, but governments who don't like this [inaudible] will say, "Great. You think that you have security, but with this quantum computing, I can read everything you do." I worry about that, because all the efforts we've put into HTTPS and the padlock and you thinking, "Oh, giving my credit card online is safe, right?" will just change in a very dramatic way, and I don't know when we will pick up again to where the majority of people have the tools to fight it. So other than that, I think we can solve a lot of things. That one is the one that worries me.

John Prial: Well, I have to decide if I will or won't sleep easy tonight on that. And actually we did a podcast on this topic. We'll put a link in our show notes where the discussion was about implementing algorithms that will get ahead of this future quantum threat. Implement them now and be protected in the future. It was quite enlightening. And I hope the companies can do some future- proofing to get ahead of your draconian story. But then again, you're the last person I'd ever think of contradicting. Ori, you're one of the great people to talk with. Hope the heat doesn't get you there in Arizona. We'll talk again. Thanks so much.

Ori Eisen: Thank you, John. I really appreciate you and the entire Georgian family. It is a pleasure working with you the second time as well.
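The anti-replay check Ori describes in the episode (freeze the phone's "river of data" at the moment of the tap, hash it, and treat an exact repeat of that hash as a replayed session) as an added, runnable example. This is not Trusona's code and not taken from the page; the snapshot fields, the use of SHA-256 over canonical JSON, the in-memory seen-digest store and the freshness window are all assumptions made for illustration.

```python
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    """One frozen frame of the phone's sensor 'river of data' at the moment of a tap.

    The field set is an assumption for this example; a real client would capture
    whatever its platform exposes. None of these values is personally identifiable
    on its own, and only the digest needs to reach the server.
    """
    timestamp_ms: int      # wall-clock time of the tap, millisecond resolution
    touch_x: float         # where on the screen the Accept button was touched
    touch_y: float
    compass_deg: float     # magnetometer heading at that instant
    accel: tuple           # (x, y, z) accelerometer reading at that instant


def snapshot_digest(snap: Snapshot) -> str:
    """Canonical JSON (sorted keys, no whitespace) -> SHA-256 hex digest.

    Canonicalisation matters: two honest encodings of the same readings must hash
    identically, or the replay check could be dodged by re-serialising the capture.
    """
    canon = json.dumps(asdict(snap), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class AntiReplayVerifier:
    """Server-side check: an exact repeat of an earlier snapshot is a replay.

    Deliberately not anomaly detection: nothing is scored as 'suspicious'; a login
    is rejected only on a 100% match ('100% match, 100% fraud'). The seen-digest
    store is in memory here; in production it must be shared by every login server
    and persisted, or a replay aimed at another node would pass.
    """

    def __init__(self, max_age_ms: int = 60_000):
        self.max_age_ms = max_age_ms   # freshness window (assumed value)
        self._seen = set()             # digests of every snapshot accepted so far

    def verify(self, snap: Snapshot, now_ms: Optional[int] = None) -> str:
        if now_ms is None:
            now_ms = int(time.time() * 1000)
        # Freshness first: a capture outside the window is refused outright,
        # which also bounds how long accepted digests need to be retained.
        if abs(now_ms - snap.timestamp_ms) > self.max_age_ms:
            return "reject: stale snapshot"
        digest = snapshot_digest(snap)
        if digest in self._seen:
            # A human cannot reproduce the same millisecond, touch point and
            # sensor readings twice; only a recording played back later can.
            return "reject: replayed snapshot"
        self._seen.add(digest)
        return "accept"


if __name__ == "__main__":
    # Constructed sample captures, not real telemetry.
    genuine = Snapshot(1719400000123, 210.5, 1144.0, 87.3, (0.02, -0.11, 9.79))
    later = Snapshot(1719400004410, 213.0, 1139.5, 88.1, (0.05, -0.09, 9.81))
    v = AntiReplayVerifier()
    print(v.verify(genuine, now_ms=1719400000500))   # accept
    print(v.verify(genuine, now_ms=1719400001000))   # reject: replayed snapshot
    print(v.verify(later, now_ms=1719400004900))     # accept
```

The check catches a recorded session played back verbatim. By itself it does not catch an attacker who alters a single reading before replaying, nor a live relay of a still-fresh challenge; it is one layer under the device-bound credential and biometric unlock the episode describes, not a replacement for them.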
