RSA teams up with Yubico for passwordless authentication

RSA Security joined forces with Yubico to eliminate passwords within the enterprise. RSA's Jim Ducharme explains what it will take to the reach the 'last mile' of the pursuit.

The world might be one step closer to the passwordless future that security enthusiasts dream of.

On Dec. 10, RSA Security announced a strategic partnership with Yubico, the company known for its USB authentication keys, to drive passwordless authentication in the enterprise. The partnership combines Yubico's YubiKey technology with RSA's FIDO-powered SecurID authentication to eliminate passwords for enterprise employees, particularly those in use cases where mobile phones may not be appropriate or permitted for authentication. The combined offering, YubiKey for RSA SecurID Access, will launch in March.

Jim DucharmeJim Ducharme

In this Q&A, Jim Ducharme, vice president of identity and fraud and risk intelligence products at RSA, discusses the new Yubico partnership, FIDO as a standard and how close we are to the so-called "death of passwords."

Editor's note: This interview has been edited for length and clarity.

Tell me how the Yubico partnership came to be.

Jim Ducharme: I was talking to a customer and they mentioned how customers are struggling with the various use cases out there for people to prove to be who they say they are. A few years ago, I think that everybody thought that the world was just going to be taken over by mobile phone authentication and that's all they'd ever need and they'd never need anything else. But they're quickly realizing that they need multiple options to support the various use cases. Mobile authentication is certainly a new modern method that is convenient, given that everybody is walking around with a mobile phone, but there are a number of use cases, like call centers, remote workers and even folks who, believe it or not, don't have a smartphone, that they still need to care for and make sure that they are who they say they are.

At RSA, we've had our SecurID tokens for quite a while now, but there are other use cases that we've found. FIDO-compliant devices were looked at as something that customers wanted to deploy. Particularly hardware-based ones like a Yubico security key. And RSA was the founding member of the FIDO subcommittee on enterprise application, but largely the uptick has been on the consumer identity side of it. We wanted to figure out how we can help the enterprise with their employee use cases, leveraging FIDO and these standards, coupled with these other use cases like call centers or areas where there is a particular device that a user needs to use and they need to prove they are who they say they are.

This customer sent me on this sort of tour of asking my customers what they thought about these use cases and I was amazed at how many customers were already looking at this solution yet finding themselves having to purchase Yubico keys from Yubico and purchase RSA from us for the FIDO backend. It's only natural for us to bring these two strong brands together to give customers what they need sort of all-in-one box, virtually if you will. Now what we offer is more choice in how users authenticate themselves, allowing them to transform as maybe they get more comfortable with adopting mobile authentication. A lot of users don't want to use their mobile phone for corporate authentication, but that's slowly increasing. We wanted to make sure we were providing a platform that can allow users that flexibility of choice, but as the same time, allow our customers and the identity teams to have a single structure to support those different use cases and allow that transformation to happen over time, whether it be from hardware devices, hardware tokens, to mobile authenticators to desktop authenticators to new biometrics, et cetera.

How does this partnership with Yubico fit into RSA's overall strategy?

Ducharme: Obviously things like a Yubico device is just another form of a passwordless authenticator. But there are plenty of passwordless authenticators out there right now -- most people have them in their hands now with [Apple] Face ID and Touch ID, but that's only part of the solution. Our focus is an identity ecosystem that surrounds the end user and their authenticator where passwords still exist. Despite these new passwordless authenticators, we still haven't managed to get rid of the password. The help desk is still dealing with password resets, and the support costs associated with passwords are actually going up instead of down. If we're implementing more and more passwordless authentication, why is the burden on the help desk actually going up? The reality is, most of these passwordless authentication methods are actually not passwordless at all. These biometric methods are nothing more than digital facades on top of a password, so the underlying password is still there. They're allowing a much more passwordless experience, which is great for the end user, but the password is still there. We're actually finding that in many cases, the help desk calls are going up because you're not using that password as frequently as you used to, and now once a month or once a week when people have to use it, they are more apt to forget it than the password they use every single day. We're actually seeing an increase in forgotten passwords because the more we're taking passwords out of users' hands, the more they're actually forgetting it. We really have to go that last mile to truly get rid of the passwords.

Strategically, our goal is not only to have a spectrum of passwordless authentication and experiences for end users, but we also have to look at all of these other places where the password hides and eliminate those [uses]. Until we do, the burden on the help desk, the costs on the IT help desk are not going to go down, and that's one of the important goals of moving towards the passwordless world, and that's where our focus is.

Do you think companies are worried about lost keys and having that negatively impact availability?

Ducharme: Yes. As a matter of fact, we had a customer dinner last night and that is probably one of the number one [concerns], the notion of lost keys. The thing that's nice about the YubiKey devices is that they sit resident within the device so the odds of losing it are less such. But it absolutely is still an issue. Whenever you have anything that you have to have, you could potentially lose it.

We need to make sure they're easily replaceable, not just easy but cost-wise as well, and couple that with credential enrollment recovery. When they lose those devices, make sure that they still have accessibility to the systems they still need access to. Even if you don't lose it permanently, you forget it on your desk at home and when you arrive to work, well, you can't be out of business for the day because you left your key at home. That's what we're working on -- what do you do when the user doesn't have their key? We still need to be able to provide them access very securely and while not reverting back to a password. What we're trying to do is surround these physical devices and mobile phones with these recovery mechanisms when the user doesn't have access to their authenticator, whatever form it is. 

How much progress do you think FIDO has made in the last couple years?

Ducharme: FIDO has gotten a lot of good brand recognition. We're seeing some uptick in it, but we think with this announcement we're hoping to really increase the pace of adoption. The great news is we're seeing the support in things like the browsers. It was a huge milestone when Microsoft announced its support with Windows Hello. We're starting to get the plumbing in all the right places so we're very optimistic about it. But the actual application, it's still a vast minority of a lot of customers in the enterprise use case, and a lot of that has to do with the technology refresh cycles. Are they getting the browsers on the end users' laptops? Are they using Hello for business? But honestly, these upgrade cycles to Windows Hello are happening faster than the previous Windows cycles, so I'm optimistic about it. But what we're encouraged by is the adoption of the technology like FIDO, like Web OPM, within the browsers and the operating systems; the end user adoption, by which I mean the companies deploying these technologies to their end users, isn't quite there yet. This is what we're hoping to bring out.

Do you think we're going to see the death of passwords sometime in the next several years?

Ducharme: I've been in the identity space now for about 20 years. During a lot of that, I would say to myself the password will never die. But I actually think we're on the cusp of really being able to get rid of the password. I've seen the market understand what it's truly going to take to get rid of the password from all facets. We have the technology now that it's accessible with people every day with their mobile phones, wrist-based technologies and all of that. We have the ability to do so. It's within reach. The question will be, how do we make this technology successful, and how do we make it a priority? So I really am optimistic. What we'll have to do is push through people using passwordless experiences to help people understand that we really have to get rid of the underlying passwords. The industry's going to have to do the work to flush out the password for the last mile. I believe the technologies and the standards exist to do so, but until we start looking at the security implications and the costs associated with those passwords and really take it seriously, we won't do it. But I do believe we have the best opportunity to do it now.

Dig Deeper on Identity and access management