The End of the Password… Finally
“Well, I can see, what you mean
It just takes me longer
And I can feel, what you feel
It just makes you stronger
You can take me for a little while
You can take me, you can make me smile in the end”
— “In The End” by Rush
This one hit me hard. If you don’t want to hear my sobbing at the loss of the legend and a gentleman, Neil Peart, the drummer and lyricist for one of my favorite bands, Rush, then skip ahead.
As I said, this one hit me hard. A lot harder than I even realized when I first heard the news that “the professor” had left his mortal coil. My exposure to Rush was early. When I was in grade school I had sent away for the Columbia House 10 records for a penny offer. For the younger folks who don’t remember (and probably don’t remember records), Columbia House had this scheme where you’d pick 10 records and all you had to pay was a penny that you would tape to the offer card with the list of records. The rub was that you had to buy 10 more records, at full retail price (actually a bit higher than if you went to the record store), over the course of the next year. It seemed like a good deal, and it was, since most people would cancel or never pay. I can’t remember if that was me (hey, it was a long time ago), but I do remember that Rush’s 2112 was among my 10 choices. I chose this record, like I did most records back then, not because I had any idea who they were (they hadn’t been played on the radio up until this point, and we didn’t have cable TV, let alone a thing called the Internet) but because of the album cover (same reason I chose Kiss “Destroyer”). Something about the album cover spoke to me. Its sci-fi feel, its simplicity, everything.
When I played the record (and I played it a lot, especially the 20-minute magnum opus 2112 that took up the entire first side), I was hooked, and I have been a rabid Rush fan ever since.
I have since passed on my love (or at least a strong like) of Rush to my kids by taking my two oldest boys to see their “Vapor Trails” tour, and then the whole family to see them as they exited stage left on their “R40” final tour. They’ve had an amazing career, and the world is better off for having them in it. (I know we still have Ged and Alex, but somehow it just won’t be the same.)
I quote Neil’s profound words regularly, and until his passing I hadn’t really thought much about it. One of my favorites that I have used often is “if you chose not to decide you still have made a choice,” from the song “Freewill.”
I’ve quoted this to my kids and I’ve quoted this in work situations (among many situations) wherever and whenever inaction and/or indecision seem like the right path forward (psst… it never is).
Mr. Peart, you will be missed. I will miss you. Change is hard.
This brings me to the point of this somewhat rambling micro-thought of mine. Change. All change is hard (some harder than others), and some change is bad, but oftentimes it is neither bad nor good. It is, however, always inevitable. We spend a lot of time trying to get out of (or outright fighting) change, and to me this is totally wasted energy. There is also welcome change, and while it is welcome, it is still change, ergo it will probably be hard.
Prepping for Passwordless
This is the preparation for the day when we no longer have to live with passwords as a security construct. I think it’s safe to say that this will be a happy change that we will all embrace. But the “how do we get there?” part is still a little TBD. The good news is that I’ve seen where an open, standards-based approach can work wonders to solve hard problems like this.
I’ve written about this a bunch, but usually as an adjunct to something else (usually Zero Trust, aka ZT). Now, as much as identity is an anchor tenet of a ZT architecture, this is all about WebAuthn, baby.
I always talk about how passwords were never truly designed to be a security construct to begin with. They were created way back in the sixties at MIT by the legendary computer scientist, the late Fernando Corbató. They were first put in place as a basic protection for timeshare sessions and files; no one kicked up much of a fuss when the “passwd” file got swapped with the “message of the day” file.
I think Mr. Corbató would be none too happy that passwords have persisted as the primary login security mechanism for the last 60 years. We just kinda took the lazy way out of protecting our data, and we’ve been doubling down on lazy ever since.
The Road of Constant Password Failure
When computers were new we failed to create a mechanism to protect them. No biggie. Computers were as big as a house and there were like ten in the whole US of A at the time, so big whoop. Then the PC revolution happened and we just dragged the same failed construct along for the ride (FAIL 100x). Then the Internet happened and we thought, well, if it worked for PCs it’ll work for this too (FAIL x Million). Then we got to cloud, and then mobile, and then……… and we never fixed the problem. We made a choice to have terrible security (“if you chose not to decide, you still have made a choice”).
Developers are amazing, but they are also lazy, especially when it comes to mundane things like security. It is much easier to put all of the burden of security on the user (hey, I’ll just create a database of strings and the user will have to enter it in and maintain it. Oh, there’s already a database that does that (LDAP)? I’ll just use that because it’ll hash a password. Check.) Sometimes dev folks balk at even this level of security involvement. Heck, might as well outsource the entire security stack (OpenSSL), leave everything as default and never update it.
We are where we are because of choices we made (or didn’t make). It’s our own fault. But….. we finally have a chance to make this right.
We Can “Decide” To Make Security Right
I vividly remember the online commerce revolution, when the internet went from a passive information model to a meaningful way to transact business. It was enabled and fueled by encryption. PKI, to be exact. Before SSL no one was even thinking about buying things or accessing their bank accounts online (keep in mind it took a few years for this to really take off). When we (Netscape) introduced SSL, it changed the game, but not for the only reason you might be thinking. Sure, it was the security of “the lock” that made people more comfortable with trusting the internet for such transactions, but it was really the transparency that drove rapid and total adoption.
Users didn’t have to do anything, not really. This was the secret to the success of SSL (and its protégé, TLS). It was, in my humble opinion, PKI done right. The right combination of security and ease of use had always been (and always will be) a balancing act, but SSL struck the right balance of the two dynamics needed to succeed.
WebAuthn Will Change Identity Security
We are on the cusp of a very similar revolution when it comes to user identity security. WebAuthn will do for user authentication and access what SSL did for e-commerce. It will allow us to log in, securely and transparently, for the first time. Ever. Adoption has already started to accelerate now that Apple has gotten in on the game at the platform level, and this decision will be the fuel that propels the rocket ship. WebAuthn will be what finally saves us from the password hell we have been living in for so many years. It will happen. I can feel it. In my bones. We WILL kill the password once and for all.
Now, WebAuthn is not magic; it’s still very early-stage, and it will take some time. I like to tell people that if we measure its life using a baseball analogy, we are only in the 2nd inning, and the top of the 2nd at that.
Passwordless and the Public Sector
In the US public sector, we are very familiar with PKI. We’ve been living a PKI life and trying to kill the password for 20 years. We intrinsically knew the value that PKI could bring to solving this problem, but the tools didn’t exist at the time, so we built it ourselves. But what we’ve found is that it’s easy (or at least easier) to build a complex system and much harder to maintain it. This was an expensive (but necessary at the time) choice, and it only gets more and more expensive to maintain as time goes on, let alone if you need to (and you definitely do) innovate. This “I”nfrastructure (as in the I in PKI) has to be able to adapt in a modern world. This is why WebAuthn is compelling. It’s the PKI we know, love and understand, but implemented in a way that can be deployed to the masses, across all platforms, using an open standard.
I, for one, could not be more excited for this revolution and Duo’s part in it. It will take all of us in the end-user compute ecosystem. Anyone who provides the ability for users to log in to things will be affected, and it is incumbent upon us all to move quickly (as quickly as we can) to join the passwordless party.
The next 10 years are going to be fun.