When I attended the 2022 RSA Conference this month, it felt surreal. None of us leaving the conference in 2020 would have guessed we would not meet again in person for almost two and a half years. The theme this year centered on the idea “transform.” Transformation is a fitting topic because the world has changed since the last in-person RSA Conference.
In that timeframe, the cybersecurity landscape has radically shifted. There are new threat vectors, a doubled-down focus on user experience, and new approaches to solving age-old problems. Keeping that overarching concept of transformation in mind, here are my top four takeaways from this year’s event:
Passwordless MFA Is Not Nice to Have; It’s a Requirement
Multi-factor authentication (MFA) came up in almost every session and customer conversation. The example of how the lack of MFA caused the Colonial Pipeline breach was common. In a session hosted by FIDO, the speaker predicted that MFA bypass attacks would become mainstream by 2023.
Legacy MFA is widely understood, but the challenge is that one-time passcodes (OTPs) are still susceptible to account takeover (ATO) attacks and are friction-filled. This friction leads to customers not enabling MFA, which exposes your organization to risks, or your customers leaving for a competitor who offers a more direct login experience. Passwordless MFA is the only way to prevent ATO attacks while giving customers a seamless MFA experience that never disrupts their journey.
Customer Experience Is Competitive Advantage
In almost every session focused on authentication, the fundamental question arose: how do you make authentication convenient? Adding stronger customer authentication is an obvious way to reduce risk; however, increased friction ultimately drives your customers away. There were debates on both sides of the security versus experience argument, but achieving both a more robust security and a simpler customer experience is possible.
Customer experience is proving to be the primary driver of competitive advantage. In a market full of choice, customers will choose to work with the business that makes it easiest for them. Complex password requirements coupled with legacy MFA do not welcome customers to create accounts, but passwordless authentication that authenticates customers across channels invites your customers to log in again and again.
Many Say They Are Passwordless
A surplus of vendor booths and sessions discussed the end of passwords and the rise of passwordless authentication. I agree with the prediction; however, it is essential to highlight the difference between passwordless and “less-passwords.” Passwordless means there are no passwords – anywhere. Not as the fallback authentication mechanism, not even when customers enroll or create accounts. Less-passwords are when passwords still exist in the environment but are simply masked with a biometric experience. Think of them as passwords in disguise.
As the discussion on passwords continues to come to the forefront, it’s critical to understand whether your solution is passwordless or passwords in disguise. If the answer is not true passwordless, the underlying security concerns, user experience pains, and overhead of passwords still exist. Our buyer’s guide offers helpful questions to ask your vendor on whether a solution is true passwordless.
The Market Is Experiencing Information Overload
This year’s RSA Conference concluded with a panel discussion exploring information disorder. The panelists included Katie Couric, Journalist and Founder of Katie Couric Media; Chris Krebs, Founding Director of Cybersecurity and Infrastructure Security Agency (CISA); Rashad Robinson, President of Color of Change; and Hugh Thompson, Program Committee Chair of RSA Conference. The discussion focused on fake news and how challenging it is for the public to determine what news is true and what is not.
The discussion was timely as we consider how the cybersecurity landscape has transformed with information overload. There are more cybersecurity vendors with different claims, making it increasingly difficult for cybersecurity pros to differentiate between claims. Passwordless is an excellent example of this. Many claim they are passwordless, but truly passwordless means 100% elimination of passwords.
This year’s RSA Conference was a great one, and the theme of transformation was entirely fitting. I had a blast with the Transmit Security team onsite, educating attendees on how going truly passwordless, not less-passwords, can eliminate your most significant security risk. I am already looking forward to next year (thankfully, I won’t have to wait two and a half years this time!)