Fraud is one of the sector’s biggest concerns, but passwords aren’t much of an obstacle to today’s innovative cybercriminals. Biometrics are the next frontier, but how do you get customers to accept the pivot? Susan Koski, Chief Information Security Officer, PNC, has been examining the challenge and recommends managing by facts and known risks, understanding fraud prevention as a cross-sector problem, and remembering that the customer experience has to be central to the post-password cyber landscape.
Transcription (edited for clarity)
Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to FS-ISAC's podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Corporate Affairs Officer at FS-ISAC.
Identity and access management — being able to trust that people are who they say they are — are at the core of today's global financial system. But with the AI revolution upon us, passwords just don't do it anymore. I talked to Susan Koski, the CISO of PNC, about the future of IAM.
Elizabeth Heathfield: Thanks so much for being here. I'm super excited to chat with you about this topic. I know it's a topic that's near and dear to your heart — the future of identity. So why do you think it's so central to where we are now as an industry?
Susan Koski: Identity for our customers is so central because we need to make sure that the person is who they say they are, and make sure that we can have the right level of trust to enable their access and any transactional items that they need to get to. But this is also about the customer experience and making sure that we're providing the customers with those tools so they can have trust and we're protecting them appropriately. So I'm just very passionate about not only the experience, but the appropriate security married with that experience.
Heathfield: Why do you think it's changing now? What's the ‘why now’ thing?
Koski: The why now is — and it's been happening — criminals reach out and they try to get people's user IDs and passwords. Most people reuse the same user ID and password across multiple websites. So if [cybercriminals] get that, then they try it against bank websites or other websites to get in. And then sometimes they even try to call and get your multi-factor authentication, which might be through an SMS, which is still considered a phishable credential. They're very good at it. We have to shift away from that so we're not relying on user IDs and passwords, which essentially were invented in the late 1960s.
Heathfield: So passwords need to go. I've definitely heard that a lot. Well, what's next?
Koski: What's next is passwordless authentication. Leveraging information about your device, the trust of the device. [It’s about] how well we've proved your identity via the mobile network operators and the phone number that you're using, as well as email and how trusted that can be, and ID verification. So making sure that the ID that's presented is that individual and that someone hasn't used AI to create deepfakes and try to circumvent controls.
If you think about when you go to the airport, you're putting your driver's license in, they're checking it, they're taking a photo and then they're deleting it. I've asked, and they delete that. But they're checking that what is on that state-issued license, or even a government-issued document, is you — but they're also validating it with a picture.
Heathfield: Let's get a little bit more into the technologies and then we can talk about the process of moving our workforce and then our customers as well. I'm thinking about older people. I don't know how easy it's going to be to get adoption of stopping something that is so second nature to people as passwords.
Koski: The technologies are biometrics and things like that. And you're right, some demographics may not leverage that and may not want to use that. So you may never get to 100%. But it's about that in-the-moment opportunity to say, ‘did you know you could use this? And here's how it helps protect you. But here's also how it makes it easier to potentially log in and not have to remember all these different things that you have to.’ And the other thing too, in most of these technologies, that biometric stays on that device. So it's yours. It's not necessarily going to the company to be stored.
It's really important to have that but you also have to realize that you're never going to get 100%. So you also have to care for and cure for. If someone's still going to need to use a phishable credential, then there may be a little more friction oriented with that. There may be a little bit, again, more friction, a little more customer experience balance that you have to figure out.
Now on the workforce side, that's also important because the criminals are trying to social engineer companies to get into companies. A lot of companies are working through zero trust architectures and how you really move your employees to passwordless, whether it's with hard tokens or something like that, or it's some kind of biometrics and facial recognition use in technologies that are out there to do that. That's also a journey. But when you think about that, it reduces risk to your company. It reduces [the possibility of] someone getting in there. People are looking at LinkedIn [saying] ‘that’s a database administrator. Let me try to get in with that person. Let me see where I can go.’ They're very good at that. But how do you really insulate yourself so that it reduces lateral movement? How do you use zero-trust architecture? Because that's not just about identity, it's about segmentation, and really constant evaluation of the risk signals to determine the level of authentication. That same concept applies in the customer space as well.
Heathfield: Is it a huge investment to go to passwordless? How do you, as a CISO, look at the landscape and say okay, we're going to do this. And how do you get the buy-in across the firm to make the investment that's required?
Koski: One of the key things is already having people understand what the risks are out there and what they're seeing. So making sure you have data and facts and not managing by feeling, but data and facts that show ‘this is what we're seeing. These are the account takeovers we're seeing with the businesses. These are the channels by which this is coming in. We added this control, but guess what? There was a criminal that tried to leverage that and they were stopped.’
The balance is understanding what the voice of the customer is saying. Is there negative feedback or positive feedback and how do you course correct for that? You're never going to be perfect on everything, but how do you course correct for that? Have that understanding. And when you do this, you can't just do everything at once. You have to take a phased approach. But I find having people understanding the business challenges [helps] but also bringing those folks in for the technology and the art of the possible, and how this actually enables the business. Then ask how do we use data and signals coming out of the shift to passwordless to ask if the customer experience improved. Did, potentially, authentication challenges improve? Did fraud improve? How do we actually look at that and measure that for the appropriate effectiveness?
It's a journey. It is not a sprint. And you have to do that. And I've even seen [companies] encourage customers to do that because they have to ultimately adopt. And you have to encourage them to do that. So there's different ways you can do that, helping educate along the way.
Heathfield: Regarding biometrics, are you seeing any hesitation from customers on having companies have that kind of personal information about people and how do you reassure people that you're going to be handling their data in a responsible way?
Koski: Most of the time, when you're looking at biometrics and the device and actually the binding of that device cryptographically, those biometrics stay on the consumer's device. It's not something that's being passed to an organization to actually store that face ID, whatever it might be, where they unlock their phone. So most of those actually stay and sit on the customer's device. We work very closely with privacy, though, for everything that we're doing to make sure that we're upholding what we say we're going to do with customers. And we're not changing that in any way as we're rolling out the solutions.
Heathfield: And do you think face ID is the primary biometric, that's what we're talking about? Because I've heard retinal scans and there's fingerprints obviously, but what are we actually talking about here? Is it mostly face ID?
Koski: Well, I think it depends on the device. So maybe touch ID, it might be face ID. I think the retinal scanning might be for maybe more sensitive areas that you might need to get into, like data centers or something like that. But I think it's mainly about what is the consumer used to? What is their comfort zone? Again, I mentioned those airport examples. People are used to doing that. So if you meet them with something they're already familiar with, I think it helps adoption quite a bit.
Heathfield: Do you think we're going to see more of what we used to think of as offline, like your [driver's] license — is that going to go to a more digital form? So that we can then have the more biometric, stronger identity verification?
Koski: I think you're going to see, as innovations happen with mobile driver's licenses here in the United States, that as states can issue those, you can have those. The critical thing is going to be how that identity was proved by that institution or that state for those institutions to leverage that [technology]. There's a lot of work actually going on with NIST [National Institute of Standards and Technology] and their Center of Excellence relative to mobile driver's licenses. And being part of that to drive the change and enable that is important because everybody lives on their device. A lot of people don't want you to put your credit cards or your debit cards on your device. Most people would like to not have to carry all of those cards in their wallet and not even carry a wallet, just have their phone. So the more that we can enable that in a safe, secure way and know that identity has been proved so it can be trusted in the ecosystem, that is where we need to go.
Heathfield: Is there anything that the sector is seeing regarding to regulation or regulatory frameworks for this? I mean, you talked about NIST in terms of standards, but do you think there is a time where governments are going to compel financial institutions to move towards passwordless and other forms of new identity verification?
Koski: I think that you always have to look at the regulatory guidance and make sure you're in alignment with that. The last guidance in our sector around this was around August of 2021, not only for the customers but for the workforce as well. It was a combined issuance of an updated documentation. I think that could happen if we don't take action. So we really have to take action and be sharing with our prudential agencies what we're doing, how we're uplifting that, and how we're trying to protect the customer and really meet them where they are and ultimately have a delightful experience for them.
Heathfield: Do you think that firms are looking at this primarily from a fraud perspective? Or primarily from a cyber and credentials perspective? Or is it really just a convergence of both? That it solves two major challenges if we can really fix identity verification?
Koski: There's this cyber/fraud nexus. And you're not really doing fraud without a cyber channel nowadays. How identity is proved actually can reduce, I think, the authentication friction and experience. But ultimately, there's a better experience, too, with third-party fraud. First-party fraud may still exist, but on the third-party side, that should help to reduce some of what we're seeing. But really, we're coming at it from a position of how do we make this better for the customer? How do we also make it better for them to really enable capabilities in a more rapid way because we have a level of assurance on the identity and the device. And based on that assurance, you can make certain decisions based on the signals that you have.
Heathfield: What haven't I asked about where you think the future of identity is going? That you want people to know, especially in the sector?
Koski: I think it's going to continue to evolve. And as we've done for years in cyber, you deploy something, techniques change. So as you started ID verification, you saw criminals really trying to exploit that and find weaknesses in the technology behind it. Trying to do velocity attacks of the same image across multiple licenses and things like that. The key thing behind all this is data and data science and analytics. It's really bringing a marriage of that together. And then AI and those attacks coming in and transforming things, how do you fight fire with fire with AI fighting AI? I think you're going to continue to see that evolution, definitely on the identity proofing.
You're also, I think, going to see criminals continue their telecom abuse. So, whether it's reaching out, maybe not from your bank but from some other, maybe not in your sector, asking ‘Hey, you forgot to make this payment.’ People might give up a debit card or a credit card. Then they see a charge they weren't expecting and then they call to dispute that. But they may never make the correlation that it came from here.
The more we can really make those connections and reduce some of that telecom abuse, whether it's through phishing or the phone calls, leveraging things like do-not-originate and brand-your-calls. If your brand is being infringed on, how are those messages not delivered? Because it is truly a brand infringement [issue to] protect the customers. But as our sector fights that, again, now [cybercriminals are] pivoting towards things that still can get the money out of the ecosystem, but it's not infringing on your brand.
Heathfield: Yeah, we have been working with the Aspen Institute, which has done a task force on fraud and scam prevention. And the reason why we're working with them is because we need to work across sectors, right? Like, it's not just a financial sector issue. I know your teams are working across sectors — how do you recommend that financial firms work with other sectors like telecom and social media companies that are doing executive impersonation [work] to bring it down from the back end side?
Koski: I think a good example was [at the FS-ISAC Spring Summit]. There was a fraud working session and we had the telcos there. Telcos were invited because sometimes people don't know these things are going on. So you educate, you bring that in. And how do we bring in those other sectors too? Because it's also impacting them. So how do we bring that holistically together so we can fight that together and not just be a one-sector specific element? Thank you, Elizabeth, for all the wonderful questions.
Heathfield: Thank you so much. It was great to have you.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.
© 2025 FS-ISAC, Inc. All rights reserved.
Susan Koski is the CISO and Head of Enterprise Information Security for The PNC Financial Services Group. She is responsible for Information Security Strategy; Digital Identity for customers and the workforce; Data Protection; Security Fusion Center (cyber, insider, physical and fraud monitoring); Vulnerability Management; Threat Intelligence; Security Incident Management; Application Security; Security Metrics; Cloud Security; and Security Policy, Governance and Assessments. Susan has more than 25 years of experience in Information Technology (IT), cybersecurity, business continuity, third-party risk management and IT risk management. She has also served in executive leadership roles with BNY Mellon (Managing Director of Technology Risk Management), Synovus (Chief Information Security Officer - CISO) and Aetna (Chief Data Protection Officer). Susan has a record of rebuilding programs and developing highly functional teams. She re-engineers processes and technology for efficiency and innovation – or “Effovation” – creating opportunities for teams to achieve continuous learning and development through the use of creativity to tackle complex issues. Susan holds a Bachelor of Science in Electrical Engineering (cum laude) from the University of Pittsburgh and a Master of Business Administration (summa cum laude) from Duquesne University. She is a CISO Executive Network Advisory Council member, Governing Body Member for the Evanta Pittsburgh CISO program, Advisor for the Robert Morris University Information Systems & Communications PhD Advisory Board and member of the BITS Security Steering Committee.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.