UBS hates passwords
The Swiss multinational investment bank and financial services company started revamping the identification and access system for its customers and employees in 2019. A notable part of the plan is the phasing out of passwords.
The revamp of the identity and access management system was planned well before 2018, UBS infrastructure and security CTO Olivier Schraner told Transmit Security CEO and founder Mickey Boodaei, and attendees, in an on-stage interview at Cybertech, Tel Aviv.
The market for identity management takes two approaches: the first is to augment passwords with two-factor authentication, or anything else that can be added to make them less vulnerable, and the second is to get rid of them completely, noted Boodaei, whose company offers identity management services across applications.
Large, complex organisations such as UBS, with a lot of users and employees, might find it difficult to get rid of passwords entirely, as serious concerns such as the time needed and the cost of the procedures involved quickly surface, Boodaei pointed out.
“There are two types of passwords, the bad ones and the very bad ones. The bad ones are the simple ones that you can crack easily. And the very bad ones are the ones that are so complex that you need to write them down,” Schraner said.
“We initially started by adding a second factor around the smart card. Now clearly, the next step is to add multi-factor capability. And ultimately, that's getting us into a position where we can start removing the password as one of the factors and start using technologies that are more user friendly that are actually cheaper if you look at it from a total cost of ownership perspective,” he explained.
Faulty password management has also turned the tide against its use. The Global Password Security Report by LogMeIn said 57 percent of businesses globally are using multi-factor authentication, compared to 45 percent in 2018.
The 2019 data breach investigations report by Verizon said stolen or reused credentials were linked to 80 percent of hacking-related breaches.
The lax attitude to password management makes things easier for cyber-criminals, found Immuniweb. Approximately 42 percent of the stolen passwords were in some way related either to the victim’s company name or to the breached resource in question. On average, 11 percent of the stolen passwords from one breach are identical. The most common password? Password!
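The Immuniweb findings above (passwords derived from the company or resource name, passwords reused across breaches, and the word "password" itself) translate directly into a policy check that can be run when a credential is set. The following is an added example written for this page, not code from Immuniweb, UBS or any product mentioned in the article; the organisation name, service names and breached-password list are constructed placeholders, and the leetspeak table and the four-character token minimum are this example's own assumptions.

```python
import re

# All names and passwords below are constructed for the example; they are not
# UBS data and are not taken from the article or from Immuniweb.
ORG_NAME = "Example Bank"                      # hypothetical organisation
SERVICE_NAMES = ["ebank", "ExampleTrade"]      # hypothetical resources it issues logins for
KNOWN_BREACHED = {"Summer2019", "Welcome1"}    # hypothetical previously leaked passwords

# Undo common digit/symbol substitutions so that "P@ssw0rd" is judged as "password".
# (Assumed table; extend it to match the substitutions seen in your own environment.)
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(text: str) -> str:
    """Lower-case, reverse leetspeak, and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def name_tokens(names):
    """Normalised forms of each name and of each word inside it (4+ characters)."""
    tokens = set()
    for name in names:
        for candidate in [name, *re.split(r"\W+", name)]:
            norm = normalise(candidate)
            if len(norm) >= 4:
                tokens.add(norm)
    return tokens


# Breached list normalised once so reuse is caught even with cosmetic tweaks.
_BREACHED_NORM = {normalise(p) for p in KNOWN_BREACHED}


def check_password(password, org_name=ORG_NAME, service_names=SERVICE_NAMES):
    """Return {rule: detail} for every rule the password violates; {} means it passes."""
    violations = {}
    norm = normalise(password)

    # Rule 1: the most common breached password, in any disguise.
    if "password" in norm:
        violations["common-password"] = "derived from the word 'password'"

    # Rule 2: related to the company name or the resource being protected.
    hits = sorted(t for t in name_tokens([org_name, *service_names]) if t in norm)
    if hits:
        violations["org-name"] = "contains organisation/service name: " + ", ".join(hits)

    # Rule 3: identical to a password already seen in a breach.
    if norm in _BREACHED_NORM:
        violations["breached-reuse"] = "identical (after normalisation) to a known-breached password"

    return violations


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Ex@mpleB4nk2019", "Summer2019",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The check normalises before comparing, so "Ex@mpleB4nk2019" is rejected for the same reason as "examplebank": the substitutions users make to satisfy complexity rules are exactly the ones attackers' wordlists already account for. In production the constructed breached set would be replaced by a lookup against a real compromised-credential feed.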
In her detailed call to avoid passwords, written for SC Media UK, Secret Double Octopus marketing VP Inbal Voltiz said enterprises still cling to passwords because many legacy applications and services are password-based, and users are accustomed to the idea of passwords.
“Letting go of passwords is a necessary change of mindset that will take a concerted effort on the part of enterprises. Enterprises will need to seriously consider these realities unless they want to find themselves thoroughly KO’d by hackers,” she wrote.
In the perennial debate of usability versus security, user preference has always leaned towards ease of use rather than security, Boodaei reminded the audience.
“We've always been the kind of people who blocked things that inhibited us. I think that has changed. We now have the technical abilities to be actually enabling both, because you can create an environment easily where customers feel comfortable using advanced security measures. I think that is going to be changing the entire landscape of identity and authentication management,” Schraner replied.
“The big difference for us between customers and employees is that employees are a captive market, whereas clients have a choice, they can go elsewhere.”
Awareness of cyber-security and data breaches has helped, as clients who earlier pushed back against the changes because of the inconvenience have started demanding advanced authentication capabilities, he added.
“I do think that journey is going to take a few years for us, but some of the key systems today are already in a position to operate without the password, which I think is a great achievement,” said Schraner.
UBS is building a new facility in Asia where they are piloting a “frictionless security approach”, where no password is required to access the facilities there, Schraner said, without disclosing the location of the facility.
“We're also moving a large chunk of our application estate to the public cloud,” he added, explaining that the advanced data protection and authentication capabilities offered by cloud computing uplift the entire security level.
“Identity and authentication is key. If you get it right, you create a good experience. If you get it wrong, you probably see customers leaving and employees being frustrated. So clearly, that's why it makes the top of our list.”