Frictionless Fortess: Unlocking User Joy in Cybersecurity

Envisioning a Passwordless Future

Wouldn’t it be ideal if security was easy? This is a subject near and dear to my heart, and it has always been my view that too many security products are:

1. Hard to Install
2. Hard to Configure
3. Hard to Administer
4. Hard to Use 

When products are complex to use, shortcuts are taken, and mistakes are made. And that is when hackers pounce.

 And one of the biggest pains is passwords. No one likes them. They are easily phished using more sophisticated ChatGPT-generated emails (Last week, I talked about the dangers of passwords in the era of GenAI; you can check that out here). The extra length and characters make them impossible to remember. This is the worst of both worlds - hard to manage and ineffective at securing your data and operations. 

One half-step the security industry adopted is the password vault (a massive target for hackers).  This does help, but it fundamentally doesn’t solve the problem.  Why do we need passwords? Is there a better alternative that is easy and secure? I have been in companies that banned password vaults, required complex passwords, AND mandated frequent changes - a recipe for significant user friction and risks (writing down passwords, using the same one everywhere, etc). 

But let’s focus on the OT world, which is different from IT. Network administrators often apply the same friction-filled IT security solutions to the OT network. The problem for OT, especially in that crucial initial authentication phase, is that failure has far more consequences than in the IT world. If a remotely managed gas pipeline is failing, forgetting your password or having your credentials stolen and being unable to log in quickly has far more impact than an employee getting to their email. Passwords have issues.

What is the best way to generate an authentication challenge/response without a username/password that minimizes user friction while maintaining security? What if they only had to click an access button, scan a QR code with their mobile device, and authenticate with biometrics? This process combines multiple instances of what you have (an installed client and your biometrics) with what you know (the client config and the challenge QR code on your camera). 

In this scenario, the friction is all in the front end of the process, and once completed, there is minimal user friction.

The administrator:

1.  Has to create a user account
2. Assign the appropriate permissions
3. Send the invite to the user. 

The user:

1. Accepts the invite
2. Installs client
3. Start client
4. Authenticate with the mobile device
5. Do their job

There is no username or password prompt, remembering or changing passwords, or installing PKI certificates. Hackers cannot steal credentials with phishing. Hackers cannot hijack MFA sessions. Hackers cannot steal MFA cookies. Hackers can’t steal or bypass SMS MFA codes.

What about the user experience? It is just like Apple or Google Pay, except you scan a QR code rather than tapping. Financial and banking apps increasingly rely on local biometrics authentication, so most OT administrators probably use them today. You won’t change or lose your finger or face regularly (except in action movies where eyes and fingers are removable objects!), so it isn’t something you must remember and is resistant to hacking (today, at least). 

We want to deliver the most secure network possible while minimizing the impact on the user experience. The OT networks that BlastWave targets with our solution are the critical infrastructure that runs the world today - your food and water, fuel and energy, and the manufactured things you buy. We will continue to innovate to minimize friction, resulting in a more secure OT network for our customers.

I’ll follow this blog with more cybersecurity friction points and detail how BlastWave handles those issues for critical infrastructure deployments. Interested in seeing this live? Click here for a demo!