Security magazine: What is your title and background?

Tzur-David: I’m the CTO and Co-Founder of Secret Double Octopus. I started out in academia, did my MSc and PhD in Computer Science at the Hebrew University. I went on to do a post doctorate at the Interdisciplinary Center, Herzliya and later at Ben Gurion University of the Negev, which is where we came up with the idea behind Secret Double Octopus. My research primarily focused on PKI, cryptography, anomaly detection, web attacks, DDoS and intrusion detection and prevention systems.

Security magazine: Can you discuss the developments in passwordless authentication for the workplace over the past year?

Tzur-David: The pandemic was and still is an unprecedented event in many ways, including its effect on how we authenticate and log into digital business assets. All organizations have had to quickly change their practices in response and accommodate the need for remote work, while facing an increasing amount of cyberattacks. We’ve seen a tremendous growth in phishing attacks particularly, including coronavirus-themed scams and social engineering campaigns, aiming at small business as well as international and governmental organizations like the World Health Organization and the UK Tax Revenue office. While this wasn’t a total surprise, it’s very concerning for all of us in the security business. All of this, along with the financial implication of the pandemic made companies rethink the way they run security and access management in particular. If in 2019, VPNs were enough for many businesses, as a result of the pandemic, when companies went from a few dozen remote workers to tens of thousands overnight, they needed fast, innovative solutions. Add to that the fact that most companies still use systems that completely rely on user-managed passwords which expire periodically, often requiring physical, on-prem helpdesk assistance for renewal, , and it’s easy to understand why IT departments were overwhelmed with password resets and renewal, pushing for an alternative.

Overall this year demonstrated that protecting the perimeter is no longer a sufficient paradigm and the modern workforce demands a better authentication solution – one that enables easy and secure access to anything employees need, wherever they are and most of all without the dangers of memorized credentials, and their inherent burden on IT and security teams

Security magazine: What is the current growing rates of this tech?

Tzur-David: We see huge demand from all types of organizations, including those that were previously the most conservative in implementing new security tools, such as large banks and governmental organizations. There’s also a lot of capital pouring into passwordless technologies, the fact that we and other players in this field managed to secure investment rounds during the peak of the pandemic from top-tier VCs says a lot. As for the numbers, Gartner predicts that by 2023, 30% of organizations will use a form of passwordless authentication, which is a significant growth rate  from the 5% that do so today. This represents a higher acceleration rate than was previously expected before COVID.

Security magazine: What are the gaps that remain until passwordless becomes a standard in enterprise security?

Tzur-David: The key word here is enterprise. Most passwordless technologies started out as consumer solutions and the move to enterprise environments raises the bar significantly in a few ways. First there’s the technological challenge of enabling passwordless across all the various and complex infrastructures a modern global enterprise operates, such as cloud, hybrid, legacy etc. This is a huge barrier which only a few know how to tackle. Then there are legal, compliance and adoption attitude concerns, all of which are being addressed today by security vendors and their clients. In this respect the haste that the pandemic brought is already enabling changes that otherwise would have taken years.

Security magazine: Until we achieve this, what are best practices on password security for enterprise security?

Tzur-David: The best practices of using traditional passwords in the enterprise involve enforcing better policies, educating users, and implementing MFA solutions on every single asset the company uses. The thing is that living up to these standards is only becoming more complicated and in many scenarios almost impossible. This is the reason we see a record breaking number of successful attacks and data breaches every year. The truth is that as long as we rely on user-managed passwords, they will constitute the biggest threat to the enterprise; and there’s no way around it without completely eliminating these very same passwords.