• United States



Contributing writer

How First Citrus Bank got rid of employee passwords

Jun 04, 201913 mins
AuthenticationIdentity Management SolutionsPasswords

The Florida bank rolled out passwordless authentication in February that relies on device biometrics of their smartphones.

CSO > Password elimination [conceptual password security lock in a trash bin]
Credit: Porcorex / Bluebay2014 / Getty Images

Security experts have been bemoaning the endless array of problems associated with using passwords — they’re either too easy for criminals to guess or too difficult to remember, they’re reused, they’re constantly being stolen. Until recently, there’s been no practical way to get away from them.

Even the fingerprint or facial scanners on phones, which can make it possible to log into your DropBox or PayPal account without typing in your password, don’t do away with the passwords themselves. The passwords are still there, used when you first set up the app, or needed when you want to log in from another device or browser.

Things are starting the change, however. In March, the World Wide Web Consortium (W3C) approved the WebAuthn standard, a joint project with the FIDO Alliance, which allows for passwordless authentication on the web using authentication mechanisms such as the fingerprint reader on a smartphone. All major browsers support it, including Chrome, Firefox, Microsoft Edge and Safari. So do Android phones and Windows 10 computers.

The idea is that identity is federated. A fingerprint or photo or voice recording is stored locally, on a phone and is never transmitted to third parties. The phone uses a secure mechanism to authenticate the user and then confirms the identity to the website or application. The system isn’t perfectly secure. There are ways to hack fingerprints and facial IDs, and if the authentication mechanism is a hardware token like a USB key, it can be stolen. It is a significant improvement in security over the traditional user account and password approach to authentication.

The transition won’t be easy, but some organizations are already moving ahead. Florida’s First Citrus Bank rolled out a passwordless authentication system to its employees in February after an evaluation period that started last fall. “We deployed it to everyone in our organization, using the biometrics inherent in their devices, whether Android or iPhone,” says Joe Kynion, the community bank’s cybersecurity lead.

Employees controls their own private keys, while the bank manages the public keys via its authentication technology vendor, HYPR. If the company suffers a breach, the hackers won’t be able to steal a list of employee passwords.

The bank was motivated to make the change by NIST’s new, tougher, password recommendations, says Kynion. “We’re not going to fire an employee for writing down a password because we made them so difficult to remember,” he says. “So, we started to look at different ways to mitigate a user from having to type in a Windows password.”

One technology he considered was a facial recognition scanner, but it cost $250 per person. “That was kind of cost prohibitive, and, honestly, it only worked about 50% of the time,” he says.

Decentralized password management that relies on something as common as a smartphone was very intriguing, he says. “People can leave their drivers’ licenses at home,” he says. “People say, ‘Oh, I can survive without that for a while.’ But leaving a cell phone at home? That doesn’t happen.”

Should Google, Microsoft or Facebook own your identity?

Today, many consumer-facing websites, and some business ones as well, allow people to log in with their Facebook, Google, Microsoft, or LinkedIn credentials. For example, someone could authenticate via Android biometrics, then leverage that authentication to log into many other accounts.

There’s a limit to how much enterprises are willing to trust Google, much less Facebook, with their user identities. That’s why enterprises are building their own FIDO-compliant authentication systems, or using those provided by enterprise-grade authentication vendors, as First Citrus Bank did with HYPR. “Google’s sign-on has been around for years, and so has Facebook’s,” says HYPR CEO George Avetisov. “But major banks aren’t using that to log in users. At the end of the day, the bank or the enterprise wants to own that authentication layer.”

In addition, he says, enterprises typically need to be cross-platform. Not all users have Facebook accounts or want to use them on third-party websites, and not all users have Android phones or Microsoft accounts. “And enterprises don’t want to be locked into Google, they don’t want to be locked into Microsoft,” says Avetisov.

Google and Microsoft are doing a great service to the industry, he adds, by bringing passwordless functionality to millions of people and helping everyone get comfortable with biometrics. “We need these tech giants to go passwordless,” he says.

From fobs to phones

In the past, FIDO-compliant devices were things like USB key fobs and smart cards. They were expensive to deploy and easy to lose. Plus, they weren’t at all convenient for the average consumer. “But asking them to use their phone handset is not a stretch,” says Andrew Shikiar, CMO at FIDO Alliance. “That’s where I think we’ll see strong adoption.” With support from the major Web browsers, and Windows and Android operating system, the way forward is now clear, he says.

Apple has initial support for FIDO authentication for its Safari browser. The way that iPhones protect biometric information is in line with FIDO requirements, Shikiar adds. While iPhones themselves aren’t currently FIDO certified, many iPhone apps are FIDO-compliant, he says. “Companies like Nok Nok and HYPR all have software development kits that a service provider can use to build their apps and deploy on iOS,” he says.

When will the iPhone platform itself be certified? “That would require Apple to submit it for certification, and that’s entirely up to Apple,” says Shikiar. With apps available, and Google and Microsoft firmly on board, there’s no obstacles for enterprises to start moving in this direction. “Microsoft has a very aggressive strategy for moving beyond passwords,” he says. “Your Microsoft account, your Windows account, are now supported through FIDO authentication.”

When employees are first hired — or get new phones — they authenticate their devices with their employers and are in the system.  “So they never need passwords to be established, used, or centrally stored,” Shikiar says.

For website authentication for PC users, the user experience isn’t completely worked out yet, he says. For example, users might be asked to open an app on their phone to authenticate via the internet, or the phone could connect locally to the PC. “As it becomes more popularized, I think we’ll start to see some commonalities of what the user experience looks like,” he says.

At Citrus Bank, employees connect their phones to authorize access to their computers by downloading an app on the phone, then synchronize it with the HYPR app running on their computer. “We deployed the software to everyone’s desktop remotely by using MSI push,” says Citrus Bank’s Kynion. “Then, we had to modify the registry keys after installation with the unique keys that allows contact with the HYPR servers to match the keys on the devices.”

This makes the initial authentication process quick and easy — but it also allows other employees to come up to someone’s computer while it’s logged in to authorize their own phones. “That was a flaw,” Kynion admits. The solution was to show employees a list of other devices that have access to their computers. “Then you can say, ‘Who’s this other phone?’ and it deletes the other private key.”

Another problem was that some people still don’t have smartphones. “There are people who are still [not using smartphones], but I understand why people are concerned,” says Kynion. “We have devices that are smartphones that we no longer use because they’re too old. We set them to wifi only and gave them out and got to 100% adoption. Everyone’s using it and we haven’t had any problems with people locking themselves out anymore.”

Leaving passwords behind

Passwords are ubiquitous, and multiplying, and are built into the core of many systems and applications. According to password management vendor Dashlane, in 2017, the average user had 150 different accounts that needed passwords. That doesn’t mean they had 150 different passwords to memorize, however, since many people simply use the same password over and over.

For enterprises, the situation is even worse. According to a report by another password management vendor, LastPass, the average employee had 191 passwords in 2017. In a survey conducted earlier this year by Ponemon, 69% of IT and cybersecurity professionals say that they shared passwords with colleagues, and 51% say they reuse an average of five passwords across their business or personal accounts.

“This is an intractable challenge,” says Lisa O’Connor, who leads global security research and development at Accenture Labs. “We have to do better. If we get rid of that shared secret password, we’re in a whole different place of hygiene, and our attack surface and exposure as enterprises go way down.”

To make the switch, companies will have to completely rethink their authentication process. Instead of issuing user credentials, they will now have to onboard via trusted devices and third-party authentication systems.

What happens if that device or authentication system fails? “You’re going to have to make sure you have a model where you’re not falling back to a password, but you’re falling back to something else,” O’Connor says. “It would be about going back to whoever issued the account and reestablishing access to that account. If their phone is gone, you’re literally going to have to re-provision that user account to the new credential.”

The process could also involve a text message to a backup phone number, or a call to a help desk or even something sent in the mail. “It depends on the nature of the business and the type of transaction and the level of escalation required,” she says.

It’s possible to get there, says Shahrokh Shahidzadeh, CEO at authentication vendor Acceptto, but today, many companies still fall back to passwords or PINs. “Unfortunately, it takes a concerted effort and cross-organization collaboration,” he says. “The whole industry relies on passwords.”

As a result, most companies who offer passwordless authentication, still have passwords on the back end — with all the security problems that they create. The passwordless authentication is a choice offered to customers in addition to passwords, not a full replacement. Still, he says, 5 million end users at companies like Aetna have opted into Acceptto’s password authentication system.

In addition, even if companies switch their own systems over to passwordless authentication, they’re still using passwords when their employees log into most web applications. At First Citrus Bank, Kynion is looking at password management technology. “That’s what I’m using,” Kynion said. “I just have to remember a master password that has two-factor authentication in it. I don’t even know the login to my online banking — it automatically handles it.”

Now the bank is evaluating enterprise-grade systems, he said. “The password vaulting would allow us to create random character passwords — without having to actually know them.” In addition, some of the password management systems already have passwordless support. Dashlane, one of the platforms that First Citrus is considering, is one of them. “It’s almost a no-brainer,” said Kynion. “If we adopt Dashlane, I’m going to recommend that we use Google Authentication.”

Multilayered authentication for added security

In some cases, a password might not be necessary for authentication because the user is logging in from a trusted device at a time they normally log in from a place where they’re normally located, and doing the same things that they normally do. This type of behavioral authentication can also be layered on top of biometrics or hardware tokens for additional security. Users can also be continually authenticated while they use an application, not just when they first log in.

“Unless you have solutions that keep track of the behavior of people, people will get privileged access to data,” says Shahidzadeh. “It has to be cognitive and continuous and actionable — if you detect an anomaly, you need to kick the person out.”

The latest approach is to layer multiple authentication methods based on context, says David Vergara, head of global product marketing at OneSpan, a risk-based authentication vendor. “Low-risk transactions are completed seamlessly, and riskier transactions require additional authentication steps to ensure the validity of the user,” he says. Authentication isn’t just yes or no anymore. “It’s in shades of gray.”

Biometric authentication methods don’t rely on fingerprints or facial scans, but on more subtle signals that can be centrally stored, and used for completely seamless authentication. If a company stores its users’ fingerprints in a central location, that’s an obvious security risk. If hackers got their hands on those, they could do a lot of damage.

What about typing patterns? “The industry is looking at assessing individuals based on key strong cadence — the time you spend jumping between keys, and the time you spend lifting off keys,” says Stuart Dobbie, product owner at Callsign, a London-based authentication vendor. “You might have a different typing pattern in the morning, or in the evening.”

On smartphones, these patterns could involve the way that a person swipes across their screen or holds their phone. Creating this type of identification mechanism requires the ability to identify a person’s usage patterns, patterns that are not only difficult to reverse-engineer but that are unique to particular applications.

More and more organizations are using these techniques, as well as other elements of user profiles such as location and known devices. European requirements for stronger authentication are driving adoption, he says, especially in the financial services. For the most part, these methods are layered on top of passwords for additional security, not replacing them. “Passwords are so heavily embedded across the Internet,” Dobbie says. “It’s not an insignificant thing to change.” The new FIDO specifications, including WebAuthn, are creating a way in which that can happen. “But this has happened relatively recently,” he says.

There are also other steps that a company can take to add security layers to its authentication process.

For example, at First Citrus, some actions cannot be performed by a single person. “Internally, we’re a firm believer in least permissions to get the job done,” says Kynion. “So, no one person has the ability to wire a million dollars to anyone, not even the CEO. Every single transaction where it creates a transfer of funds externally would require a second person to log in, so there’s a trail of activity to create and approve the transaction before it goes to the person who actually does the transaction.”

The bank is also paying attention to recent developments in user behavior analytics, he says. “If all of a sudden, they’re trying to go into folders that they’ve never gone into before, the heuristics will try to mitigate it by saving a record of it, or creating an alert,” he says. “That’s an intriguing possibility, but we’re not there yet.”