Published on May 1, 2021
'Secret Double Octopus' is a Tel Aviv-based software company specializing in passwordless authentication solutions for enterprise environments. Its products can practically cover anything, from cloud apps to VPNs and from workstation authentication to MFA for local asset access, and it does so through the deployment of "Secret Sharing" algorithms. So essentially, it renders the use of passwords, OTPs, security USB keys, and smart cards obsolete.
The company has made major headway in terms of business growth over the past year with significant strategic deals. The most recent is a partnership with identity giant ForgeRock, through which Secret Double Octopus is providing its passwordless desktop authentication solution to 1 million ForgeRock enterprise users. Deployments for an additional 125,000 users are already underway.
We did a short interview with the founder and CTO of 'Secret Double Octopus,' Shimrit Tzur-David, who was happy to share her views on password security, passwordless authentication systems, and what the future holds for the space.
Could you give us the “short” version of what drew you to cybersecurity and why you decided to found ‘Secret Double Octopus’?
My background is in academia, researching cybersecurity from my postgraduate days through my Ph.D. studies at the Hebrew University and later while working on my post-docs. My research areas primarily focused on PKI, cryptography, anomaly detection, web attacks, DDoS, and intrusion detection and prevention systems. So I had the opportunity to thoroughly understand many of the gaps and weaknesses of existing cyber security solutions.
During my Ph.D., I was also a consultant for Check Point and Marvell Semiconductor and designed an intrusion detection system product there. And as a practical person, I always saw my research as work that could someday contribute real-world value to the industry. At a certain point, the right idea and the right partners came along, and with the support of our first investors, Secret Double Octopus quickly took off.
In a world full of passwords, PINs, and even dedicated management apps for juggling everything, where does your “passwordless yet secure authentication” solution fit?
Our solution stands out exactly because the world is becoming overwhelmed with passwords, PINs, and complicated hardware and software solutions that try to solve the core issue but end up torturing users and making security worse. Even in the tech world, people can’t seem to manage it efficiently, with developers and executives carrying around security keys, OTP dongles, and a myriad of password generators and managers in an effort to keep things secure, so it’s hard to expect more from the general public. The way forward is to completely give up memorized secrets of any kind and rely on better technologies – those that make life easier and safer for both security professionals and end-users.
We can get why the ‘Secret Double Octopus’ product is easier for people to use. Can you explain why it’s safer compared to long passphrases too?
In an ideal world, where all people use long passphrases and never forget them, periodically change them and are somehow fully resilient to phishing, keylogging, MITM, and other relevant attacks, that would be enough (however, entering a 20+ character string every time you log in isn’t the best user experience we can ask for in 2021). The fact of the matter is that even in large enterprises, employees can’t seem to cope with current password policies, so this approach is often neglected and instead should be addressed by implementing better technologies.
Isn’t biometric authentication also vulnerable in the sense that not all smartphone sensors are quite accurate, there have been bugs in this area, and even researchers proving that fingerprints can be successfully cloned?
That’s true, at least in theory. This is why biometrics should never be used as single-factor authentication, at least where real security is required. It’s one thing to open your smartphone with only a fingerprint or facial recognition, as long as the average thief isn’t able to breach that, in which case we can consider it safe enough for most people. It’s a whole other thing to let someone into a corporate network with only a fingerprint, especially when that’s done remotely, and no one can vouch for hardware integrity.
This is precisely why we use biometrics as an integrated second authentication factor, along with the user’s specific smartphone, which holds his cryptographic key. In security, you always have to consider the practical aspect of a threat and take into consideration a cost-risk analysis, so there’s really no doubt that when implemented correctly, biometrics add unique value to identification and authentication.
In your opinion, is the human factor the weakest link in the security chain, or is it a weak (or even non-existent) “proper rules” enforcement system? Does your product succeed in taking both elements out of the context?
That’s a great question because it’s very hard to draw a line between these two elements, especially in large organizations. Technically, a good CISO can write the best rules and policies and have them updated regularly, thus theoretically minimizing almost any risk to an acceptable level. But a practical CISO knows that it’s all about employee awareness and cooperation, and that requires both their understanding and the right tools to help them comply.
In this sense, we as technology vendors have a crucial role, and at Double Octopus we see the dramatic effects that a good user experience has on day-to-day security. When we started deploying our product on a massive scale, we realized just how much users hate passwords and the many hurdles that come with them, and even the skeptics saw that the infamous “human factor” in security is solvable.
Is your product only suitable for companies, or can regular internet users and individuals benefit from it too?
At the moment, we focus only on the enterprise market due to the specific complexities - including those related to infrastructure and compliance - that need to be solved in those environments. The consumer market is a completely different universe when it comes to authentication (despite some overlap like web services) and actually already has some very good passwordless options for almost all use cases. In enterprises, the damage caused by password-related issues is still enormous and the path to fully get rid of passwords requires special expertise and technologies that only very few hold.
Your product offers a type of “intrinsic phishing protection,” as there’s nothing to social engineer out of the user. What dangers remain for users, though? Did you ever have to deal with cloned apps pretending to be you, attempting to steal people’s biometrics, or launching token-grabbing attacks?
Luckily, we still haven’t seen any of those in the field. It’s very true that nothing offers 100% security, and if the right people with the right resources (state actors, for example) want to compromise an organization, they will probably succeed regardless of the security mechanisms employed.
But when we discuss moving away from passwords - which are the root cause of the large majority of breaches - to a proven, much safer alternative, this should be a no-brainer. Having said that, we use a number of state-of-the-art methods to protect our application and its communication (such as Shamir Secret Sharing and a device’s trusted hardware modules) to make sure we provide high assurance security.
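The secret-sharing primitive named in the answer above, as an added illustration that is not Secret Double Octopus's own code and says nothing about how the product applies it: a textbook Shamir (k, n) threshold scheme over a prime field, showing that any k shares recover the secret while fewer do not. The prime, the thresholds and the sample secret are constructed for this example.

```python
import secrets

# Shamir's (k, n) threshold secret sharing over the prime field GF(P).
# P is the Mersenne prime 2**127 - 1 (constructed choice), so any
# secret below 2**127 (e.g. a 120-bit key) fits in one field element.
P = 2**127 - 1


def split_secret(secret, k, n):
    """Split `secret` into n shares; any k of them reconstruct it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    # Random polynomial f(x) = secret + a1*x + ... + a(k-1)*x^(k-1) mod P.
    # The secret is f(0); the k-1 other coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    # Shares are (x, f(x)) for x = 1..n; x = 0 is never handed out.
    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange-interpolate the share polynomial at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P          # product of (0 - xj)
                den = (den * (xi - xj)) % P    # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo():
    """3-of-5 split of a constructed 120-bit key; returns True on success."""
    secret = int.from_bytes(secrets.token_bytes(15), "big")
    shares = split_secret(secret, k=3, n=5)
    enough = reconstruct(shares[:3]) == secret and reconstruct(shares[2:]) == secret
    too_few = reconstruct(shares[:2]) != secret  # 2 shares fix a line, not f
    return enough and too_few
```

With k-1 shares the interpolated value is independent of the secret (any f(0) is consistent with them), which is why a stolen share below the threshold reveals nothing.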
Monitoring for leaked credentials on the dark web and hacking forums is relatively doable. Keeping an eye out for access token leaks or zero-day exploits against solutions like yours would be harder. Do you dedicate any resources to that?
Monitoring the dark web is notably not a trivial effort for companies outside the security business. Even when done right, it’s only the first step. You still have to use that data and take measures within the organization on a regular basis.
You’re right that the threat of zero-days is something we should always keep in mind, but this has been a constant for every software vendor for decades. While there are reasonable solutions to address zero-days and resolve detected threats before the damage spreads, passwords are still wreaking havoc every day everywhere.
Is using passwords an already “dead” thing that will gradually but steadily decline over the next few years, or is it so cemented that it could stubbornly persist even when superior solutions are on offer?
Passwords won’t be a “dead” thing for a while, I’m afraid, even if only due to the massive legacy infrastructures that run many of our most important establishments like banks and governments. We work hard on mediating that gap, but there’s a very long way to go before passwords and the damage they cause will be a thing of the past. I do think that for personal uses, typing passwords will become a thing of the past soon.
If you were to give our readers a single piece of security-related advice, what is the message you would convey?
I think that large scale changes can be very frightening for big organizations. For example, eliminating all employee passwords may seem like too big and difficult of an undertaking. But the best way to secure yourself is to get away from the herd, so to speak, and make attacking your company harder. In today’s world, this means just that – stop using passwords. It’s not a plug-and-play move, but the security and cost benefits are immediate and unprecedented. Plus, your employees will love you for it.