Haystax Use Case Summary #1

There are a few insider threat incidents that have reached infamy in the United States of America, and the individuals that have carried these incidents out have become household names. Looking back on these events, many professionals have asked if there was something that could have been done to recognize some of the warning signs of these individuals to nip these attacks in the bud.

Our colleagues at Haystax, a wholly-owned subsidiary of Fishtech Group, have been focusing on a couple of these infamous actors, asking the question – if they had tried to pull off a similar attack today, would their behavior stand out to security analysts? Using Haystax’s security analytics platform, they believe the answer is, yes!

In a new ‘use case’ blog series, a few of the professionals at Haystax will focus on a total of four infamous insider threat incidents. The first two use cases that Haystax has put out focus on Edward Snowden, who leaked classified government documents back in 2013, and Ana Montes, who was arrested on suspicion of spying for the Cuban government in 2001 after a years-long internal mole-hunt and was eventually convicted.

Finding Edward Snowden: A Haystax Use Case

With recent focus shifting back toward Edward Snowden due to increased press around his new book, it was worth looking back at this particular incident, especially given that it happened so recently relative to other cases, such as that of Ana Montes.

Haystax asserts that using their analytics platform, it would have been possible to detect and intervene in Edward Snowden’s plan to leak classified information and flee the country.

The Haystax analytics platform combines more traditional machine learning and similar data-driven techniques with a probabilistic model that ingests data as evidence and extrapolates future outcomes from it. In this particular case, a risk score would be produced in the system that would allow Snowden’s adverse behavior to be recognized all the way back in 2007, giving adequate time to intervene before his eventual flight to Hong Kong in 2013.

The most significant obstacle to finding Edward Snowden was the lack of a system of processes and technologies that focused on person-risk, analyzing multiple information sources the way an analyst would. Haystax breaks down each of the various critical events that would today raise flags using their technology from 2007 to 2013.

Check out the full use case here.

Finding Ana Montes: A Haystax Use Case

For those who don’t recall, Ana Montes was a spy. She joined the U.S. Defense Intelligence Agency (DIA) in September 1985 and was eventually promoted to senior analyst, only to be arrested in her office on September 21, 2001 on suspicion of spying for the Cuban government after a years-long internal mole-hunt, and eventually convicted.

In their second use case, Haystax asks another simple question: in the years between her hiring in 1985 and her eventual arrest, would today’s technology have recognized Montes as showing behavioral riskiness, enabling DIA security analysts to receive alerts in context and surfacing incidents that otherwise wouldn’t seem concerning?

Using the Haystax for Insider Threat Solution, our colleagues believe that they would have captured all the normal indicators that alert DIA analysts, but would have additionally given top analysts and investigators (with the appropriate permissions) the ability to capture more qualitative events like those that eventually led to Montes’ arrest. Using this solution, they would be able to feed them back as structured data into the probabilistic model that underlies the Haystax analytics platform, leading to an earlier detection and arrest.

Check out the full use case here.

More Haystax Use Cases to Come

These two Haystax use cases are just the tip of the iceberg. Stay tuned to the Haystax website for more use cases coming soon.

Note: Want to conduct a risk assessment to find your hidden insider threats, regardless of whether their intent is malicious or whether they are unwitting or negligent actors? Contact a Haystax rep or click here to find out how.


7 Soft Skills You Need for a Cybersecurity Career

Success in the cybersecurity industry depends in great part on people skills. What we commonly call ‘soft skills’ are those aptitudes and traits that are difficult to measure and quantify. In fact, according to LinkedIn’s 2020 Emerging Jobs Report, skills like communication, creativity, and collaboration are virtually impossible to automate, making the candidate who possesses these skills all the more valuable.

Soft skills are hard to measure but not necessarily hard to acquire. They can be practiced and flexed just like other more scholarly or technical endeavors. And they may be even more important in years to come as automation becomes more widespread.

But what are the most important people skills for someone considering a career in cybersecurity? What helps a young person thrive in this competitive, super-hot industry? We asked some folks here at Fishtech who regularly meet with students and here’s what they said.

Communication

You absolutely must be able to speak with customers and colleagues, to explain situations, and potential remedies and next steps. Good communication skills are huge, especially in crisis situations. Both verbal and written skills are important because after the dust settles, you’ll be updating a customer log with the critical details. Bottom line: you need to be able to solve a technical issue and explain it to a customer.

Continual learner

Do you self-identify as a problem solver? If you’re always looking for a better way to do things, you’re a continual learner. Set goals for yourself, your career, and your work to level up and stand out.

Passion

Show us what you really love. Document your projects — be that what you’re doing in school, at home, on a volunteer basis, wherever. Blog about your projects; believe it or not, these passion projects may be more important than your resume. Start a portfolio to show your passion and your growth.

Humility

Many technical people are, let’s face it, used to being the smartest person in the room. A little humility goes a long way when working with your teammates and clients. A raging attitude really stinks, especially when you’re coding or working hard and fast on a breach. Respect others’ opinions as well as the quantifiable facts and work to be a valued member of the squad.

Tenacity

Invest in hard work — and yourself. Put in the time and enjoy the work. You can compensate for almost all of your weaknesses with hard work and dedication.

Curiosity

Feed your curiosity. Whatever you’re interested in, look it up. If you’re passionate about it, find the resources to learn more.

Self-confidence

Every single person has something to offer — an ability and skill that others don’t have. Make good use of self-confidence. Believe in yourself and make sure others know it. Confidence is contagious.


The Healthcare Industry Has a Remedy for Insider Threats

Today’s blog post comes from our colleagues at Haystax, a wholly-owned subsidiary of Fishtech Group, talking about the lessons organizations in every industry can learn from the integrated insider risk mitigation programs of the health care industry. Check out the original article on their website here.

Of all U.S. industries, healthcare is the most highly regulated – even more so than the heavily scrutinized banking and finance sector.

There are health-related laws such as HIPAA, which among other things safeguards the privacy of patient records, plus an array of regulations that seek to protect individuals from health risks while boosting overall public health and welfare. Compliance is not optional.

Given this stringent regulatory environment, healthcare companies go to great lengths to safeguard their security as well, especially where patient data and their own valuable intellectual property are concerned.

So it should come as no surprise that these companies mobilized quickly when they started experiencing major data breaches several years ago, including cases where trusted insiders stole information and either sold it or left and took it to a competitor.

Indeed, the 2019 edition of Verizon’s widely read Data Breach Investigations Report (DBIR) confirmed the trend. Verizon noted that 15 percent of all breaches were in healthcare, as compared to 10 percent for finance.

The DBIR further found that trusted insiders were responsible for 59% of the security incidents and breaches it analyzed. Some of those were due to malicious intent while others were accidental or caused by negligence, and the actors could be found at every level of a company – from customer service representatives to IT staff to senior executives.

Importantly, the DBIR also found that: “Financial gain is still the most common motive behind data breaches where a motive is known.”

The federal government has weighed in as well. A few months ago the Office of Civil Rights (OCR) under the U.S. Department of Health and Human Services warned of the dangers posed by insider threats in the medical field – where employees had exposed confidential medical information for financial gain or as retribution.

OCR presented its own recommended best-practice guidelines on how best to manage an insider threat program. It said all organizations should:

  • Understand where their data is located, the format in which it resides and where it flows throughout the enterprise;
  • Establish who is permitted to interact with their data and what data those users are permitted to access, in order to determine appropriate access controls; and
  • Consider how an organization’s users will interact with data.

OCR additionally recommended achieving greater real-time visibility and situational awareness through systems that detect suspicious user activities, audit controls and audit-log reviews and security incident tracking reports. And it advocated for understanding the human element of risk through continuous awareness, assessments and preventive actions in the face of changing personnel circumstances such as promotions, demotions, transfers and – especially – involuntary separations.

There are broader lessons to be learned from the way the healthcare industry has responded to data breaches and other attacks, in particular with an increased focus on insider threat mitigation.

Healthcare companies are now required to conduct risk assessments to uncover potential data breaches. Moreover, they must document the assessment findings and address any vulnerabilities they have found. And you can bet that identifying signs of financial stress or motivation is a key component of their assessments, along with monitoring exfiltration methods and analyzing peer groups within the organization.

Even if your company isn’t nearly as tightly regulated as those in the healthcare industry, there are benefits to following their lead on standing up an integrated insider risk mitigation program that combines clearly articulated policies, cross-departmental cooperation and leadership buy-in with the right analytical processes and tools.

It’s not just good corporate practice – it can save your company from loss of data, reputational damage, civil liability exposure and, potentially, federal and state regulatory enforcement actions.



The Cost Factors for Why You Shouldn't Build a SOC In-House

In a recent blog post, we introduced a new series we will be curating over the next couple of weeks about why you shouldn’t build a SOC in-house. Though the alternative of using an MSSP (Managed Security Service Provider) can be a frustrating experience, almost no one can defend building a SOC in-house.

To help bridge the gap between these two solutions, and to provide a good alternative to an in-house SOC, we wanted to build an operation that is different from other MSSP offerings and effectively do away with all of the negative connotations that come with the territory. That solution is CYDERES, our 24/7 human-led and machine-driven security-as-a-service.

So, let’s look at one of the issues with building a SOC in-house, and how CYDERES can be an effective alternative. Today we will be looking at why cost is a huge factor as to why you shouldn’t build a SOC in-house.

SOCs are Expensive

We’re not talking about pricey options to warm your feet up, although apparently there are also some pretty expensive SOCKS as well. We’re talking about the costs that come with trying to put together world class security operations centers.

There’s no doubt that any organization that’s building out their cybersecurity program needs to utilize a security operations center. Unfortunately, it can be pretty difficult to put one together in-house, and there are a number of factors as to why.

Cost Factors for Why You Shouldn’t Build a SOC In-House


The first factor is people. You will need a minimum headcount of 12 to 15 people to make sure there can be someone available for every shift, and to make sure all of your bases are covered when anyone goes on vacation or gets sick. Along with the salaries for these positions, you will also need to invest heavily in training off the bat, which can be a huge initial cost upfront before you even get rolling on protecting your organization.

The second factor is technology. If you were worried about the initial upfront costs of training, you may want to shield your eyes from the price tag on acquiring the necessary threat detection technology, which is again something you need to focus on before you even get operations going. The costs for these technologies aren’t just isolated to the acquisition stage either. These technologies carry significant annual or on-going costs as you continue to use them, and can get out of hand quite quickly.

The third factor is facilities. You are already investing so much into the people and technology necessary to build out your in-house SOC that facilities can take a back seat. Either you will have to pay huge sums of money to build out a nice facility adding to your previously incurred costs, or you may be forced to cut corners and relegate your people to less than ideal spaces. This can become prohibitive over time as many of your professionals may leave your organization over such conditions, and in an industry that is already facing talent shortages, this can become a huge problem for your long-term viability.

Using CYDERES Over an In-House SOC

To remedy many of these cost issues that arise when trying to build your own SOC in-house, we created CYDERES, our human-led and machine-driven security-as-a-service, while creating a better alternative to MSSPs that carry their own problems.

We have been hiring new talent to bolster our already phenomenal cast of cybersecurity professionals, and have built out an ‘A’ team that can provide 24/7 enterprise managed detection and response, among other services.

We have also recently built a world-class Cyber Defense Center to house our CYDERES professionals to make clear our dedication to becoming the best managed security provider in our industry.

Furthermore, because cybersecurity is a core competency of our business, we are able to continually attract the best in the business, because we can make these talented professionals the centerpoint of our business, rather than be a specialized wing of other businesses trying to build out a security team in an organization whose core competencies may place emphasis in other areas.

On the technology front, we have heavily invested into any solutions that give us the capabilities we need to succeed. We have an engineering team with 15+ dedicated developers to help build the tools we need to integrate 3rd party products and help us do our jobs better. We also have access to Fishtech sales engineers and partners to create a team of people to help get us up to speed on the latest and greatest in our industry and troubleshoot any issues along the way.

As an alternative to in-house SOCs, we are more cost effective. As an alternative to MSSP, we are better, faster, cheaper, scalable, and we can prove it.

So that just leaves one question… When can we prove it to you?

Fill out the form below to get connected with one of our CYDERES experts to see how you can leverage CYDERES to get world class protection, without the unnecessary cost burdens of building your own SOC in-house. Focus on your business, we’ll handle your threats.


Fishtech's James Grow: YubiKeys Aren't a New Hardware Token

Over the last few months, we published a couple of blog posts on passwordless authentication, and we emphasized the importance of multi-factor authentication in our National Cybersecurity Awareness Month post.

We’re always keeping our ear to the ground on advances in these areas, and with a recent announcement at Microsoft Ignite, Yubico, the leading provider of authentication and encryption hardware, and YubiKeys, the authentication devices they manufacture, have been in the news. We have also been seeing a lot of conversations pop up on LinkedIn regarding YubiKeys and their uses in both the passwordless authentication and multi-factor authentication spaces.

In an effort to provide some clarity on these devices, we talked to our own James Grow, Director of our DevOps and Security Automation practices at Fishtech, and asked him to define what YubiKeys are, and why he uses them. Below you’ll find his quick write-up, and a video of James demoing how he uses his YubiKey.

 

YubiKeys Aren’t A New Hardware Token

YubiKeys aren’t a hardware token. They’re a radical shift in the fundamentals of how we do trust, authentication, and identity.

YubiKeys work with new, standard/open APIs such as WebAuthn. They implement strict controls and checks to provide better guarantees, such as trust. They also enable passwordless multi-factor authentication that, at least so far, completely mitigates phishing attacks. It seems to have eliminated an entire class of security threat.

How often do we see an entire threat vector eliminated? Once or twice in a lifetime?

Here’s a little more detail on how it works, and I encourage anyone curious to check out WebAuthn and FIDO2.

Registration

  1. When a user first logs onto a service – they provide their username, and it’s passed to the relying party (service/app we are signing on to use). No password is entered or exchanged.
  2. The server sends back a challenge key for the user for one-time registration and provides its relying party info – the client verifies this for authenticity, then checks against it any time the user connects to this app again.
  3. The authenticator (YubiKey) is triggered to perform user verification and consent (pressing the button, entering pin, biometrics).
  4. Authenticator – YubiKey – generates and exchanges a public-private key-pair that is explicitly associated with this app via a credential ID. The credential ID and public key are combined to create an “attestation object,” and provided to the relying party/service. The attestation object is a mechanism to do verification checks of the authenticator’s integrity.

No password, PIN, or anything else has been exchanged or can be phished/spoofed.

  5. Finally, the server/relying party verifies the challenge-response and signatures are good and registers the client/authenticator.

Authentication

  1. User signs on by providing their username to the server (relying party).
  2. Server provides a challenge, and its relying party info.
  3. The client verifies the relying party ID against the origin. Then the YubiKey is given the domain name the challenge is associated with and requests consent from the user. If the domain doesn’t match the data saved during registration, the server/relying party is considered a risk and not trusted.

That last point is a very crucial distinction and why YubiKey/WebAuthn hard counter phishing attacks. The YubiKey has the server/relying party’s domain and info from registration stored directly. If an attacker tries to trick the user into entering credentials into a spoofed site, the authenticator fails the verification check, helping to eliminate the weakest-link – untrained or careless users, or even experienced users duped by a sophisticated counterfeit.

  4. The authenticator/YubiKey creates and sends a signed assertion and authenticator data partially derived from the key exchange during registration.
  5. Client/browser forwards auth data from YubiKey/authenticator and includes the PublicKey associated with the service/relying party.
  6. The server/relying party validates the challenge and checks the keys/signatures against its records from registration. If all checks succeed, the user is authenticated and is verified/trusted. And we can be confident of this. No one entered a password or struggled to get their phone out to authorize a push.

So, the service and the user mutually can be confident of their authenticity/integrity, and that the interactions are intentional via multi-factor authentication.

Hopefully, this has helped bring some awareness and understanding, and hopefully, excitement about how game-changing this is!
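The authentication checks described in the write-up above, as an added example that is not part of the original write-up or of any Yubico or Fishtech code: a dependency-free Node.js simulation of the authenticator, the browser and the relying party, following the WebAuthn layout in which the authenticator signs `authenticatorData || SHA-256(clientDataJSON)`. The function names (`makeAuthenticator`, `browserGetAssertion`, `verifyAssertion`, `demo`) and both domains are constructed for illustration.

```javascript
// Added example: WebAuthn origin binding, simulated end to end in Node.js.
const nodeCrypto = require('crypto');

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Simulated authenticator (stands in for the YubiKey). Credentials are stored
// per relying-party ID, so a look-alike domain finds no key to sign with.
function makeAuthenticator() {
  const credentials = new Map(); // rpId -> { privateKey, signCount }
  return {
    register(rpId) {
      const { publicKey, privateKey } =
        nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
      credentials.set(rpId, { privateKey, signCount: 0 });
      return publicKey; // the relying party stores this at registration
    },
    getAssertion(rpId, clientDataJSON) {
      const cred = credentials.get(rpId);
      if (!cred) return null; // no credential scoped to this domain
      cred.signCount += 1;
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(cred.signCount);
      // authenticatorData = SHA-256(rpId) || flags (UP | UV) || signature counter
      const authenticatorData = Buffer.concat([
        sha256(rpId), Buffer.from([0x05]), counter]);
      const signature = nodeCrypto.sign('sha256',
        Buffer.concat([authenticatorData, sha256(clientDataJSON)]),
        cred.privateKey);
      return { authenticatorData, clientDataJSON, signature };
    },
  };
}

// Simulated browser: it, not the page, writes the origin into clientDataJSON
// and derives the relying-party ID from the address actually being visited.
function browserGetAssertion(authenticator, origin, challenge) {
  const rpId = new URL(origin).hostname;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin,
  }));
  return authenticator.getAssertion(rpId, clientDataJSON);
}

// Relying-party checks on a returned assertion; returns 'ok' or the first failure.
function verifyAssertion(expected, response) {
  const clientData = JSON.parse(response.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) {
    return 'challenge mismatch';
  }
  if (clientData.origin !== expected.origin) return 'origin mismatch';
  const authData = response.authenticatorData;
  if (authData.length < 37) return 'authenticator data too short';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) {
    return 'rpIdHash mismatch';
  }
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(response.clientDataJSON)]);
  if (!nodeCrypto.verify('sha256', signed, expected.publicKey, response.signature)) {
    return 'bad signature';
  }
  if (authData.readUInt32BE(33) <= expected.lastSignCount) {
    return 'sign counter did not increase';
  }
  return 'ok';
}

function demo() {
  // Constructed sample values: a genuine service and a look-alike domain.
  const rp = { origin: 'https://login.example.com', rpId: 'login.example.com' };
  const lookAlike = 'https://login.example.com.phish.test';
  const key = makeAuthenticator();
  const publicKey = key.register(rp.rpId);
  const challenge = nodeCrypto.randomBytes(32);
  const expected = { ...rp, challenge, publicKey, lastSignCount: 0 };

  const genuine = browserGetAssertion(key, rp.origin, challenge);
  // The same challenge shown on the look-alike page: no credential, no signature.
  const phished = browserGetAssertion(key, lookAlike, challenge);
  // Even a credential that does exist for the look-alike domain is rejected
  // by the real server, because the browser recorded the wrong origin.
  key.register(new URL(lookAlike).hostname);
  const relayed = browserGetAssertion(key, lookAlike, challenge);
  const freshChallenge = { ...expected, challenge: nodeCrypto.randomBytes(32) };
  return {
    genuine: verifyAssertion(expected, genuine),
    phished,
    relayed: verifyAssertion(expected, relayed),
    replayed: verifyAssertion(freshChallenge, genuine),
  };
}

console.log(demo());
```

Running it prints `ok` for the genuine sign-in, `null` for the look-alike page, and a named rejection for the relayed and replayed assertions.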

If you would like to talk to one of our experts more on security keys, passwordless authentication, and multi-factor authentication, fill out the form below.


Making the “Bad Words” in Cybersecurity Better with CYDERES

There are many notable instances in cybersecurity when acronyms take on lives of their own. They become new words with instant associations. For us, we hear “SOC” and immediately think of our world-class Security Operations Center facility housed in our Cyber Defense Center in Kansas City.

In some cases, these acronyms become bad words in the industry. Two of these acronyms we will be talking about today are MSSP (Managed Security Service Provider) and SIEM (Security Information and Event Management). Let’s briefly dive into why, starting with MSSP.

MSSP is a bad word

MSSPs have a bad reputation. With managed services, other people are taking over the control of your data and don’t always give you visibility into your own information. You’re locked out of your data, and locked in to legacy tools. MSSP has unfortunately become a literal 4 letter “bad” word.

These negatives offset the obvious benefits that you also receive with MSSPs including giving you the talent you need that would be difficult to assemble on your own, knowledge that you wouldn’t have access to otherwise, and often at a fraction of the cost of hiring the talent to cover you 24/7 or even 8/5.

Unfortunately, due to the costs of building a SOC in-house, many organizations have to settle for MSSPs taking the good with the bad. Talk about needing a spoonful of sugar to help the medicine go down.

SIEM is a bad word

SIEM is slow and costly. You may recall one of our blog posts from a few weeks back that looked deeper at both of these issues in regard to legacy SIEM.

In the era of big data, your SIEM has more information than ever to comb through, and that can increase the amount of time it takes to detect credible threats, leaving your business vulnerable.

SIEM cost structures also aren’t conducive to modern businesses. These license costs along with sluggish speeds have caused SIEM to become another 4 letter “bad” word in cybersecurity, despite the necessity of it to go through your logs and data.

CYDERES: A Worthy Addition to the Cybersecurity Lexicon

For many cybersecurity teams, MSSP and SIEM are necessary evils. Compromises have to be made to make sure you have the tools necessary to protect your organization, right?

There IS a better way. CYDERES’ 24/7 human-led and machine-driven security-as-a-service gives you the people, process, and technology to help organizations manage cybersecurity risks, detect threats, and respond to security incidents in real time.

CYDERES gives you the good parts of MSSP without getting dragged down by the same-old problems traditionally giving MSSPs a bad name. Our full EMDR solution gives 24/7 expertise with full client visibility, unlimited incident response, or, the ability to respond yourself should you choose to do so.

Similarly, Chronicle gives you the good parts of SIEM without speed and cost issues. It’s literally the same platform that Google uses to defend itself! The cost of Chronicle is calculated per employee (not amount of data ingestion), and the platform searches petabytes of telemetry data in under a second.

With our partnership, we’re re-writing the cybersecurity lexicon and making these bad words better. CYDERES (CY-ber DE-fense and RES-ponse) gives you managed security in a way that not only gives you total visibility into your data, but many other solutions conducive to a well-oiled security machine including:

  • 24/7 Expert Team.
  • Scalable infrastructure.
  • Lab-tested technology.
  • Industry-leading speed and data science.
  • Real-time response.

CYDERES is 100% powered by Chronicle, Google Cloud’s security telemetry platform. As we have mentioned in our blog posts in the past, Backstory provides 10x the performance of traditional SIEM at a fraction of the cost. Better yet, our CYDERES professionals are the leading Backstory experts.

A Solution Without an In-House SOC

We want to make the bad words in cybersecurity better. That’s why we created CYDERES and fostered partnerships that allow our organization to excel. Almost no one can defend building a SOC in-house, so we wanted to build an operation that is different from other MSSP offerings to do away with all of the negative connotations that come with the territory.

To put it succinctly, we are better, faster, cheaper, scalable, and we can prove it.

Over the next month, we will be looking at some of the reasons why most organizations shouldn’t build a SOC in-house, and why CYDERES is a better choice for managed security. Stay tuned to the blog for more insights! In the meantime, if you’re ready to connect with CYDERES experts for more information on our people, process, or world class facility, fill out the form below!


Redefining the Hunt for Insider Threats

By John Boatman

The Fishtech CYDERES Threat Hunt Tour, powered by Chronicle, continues this week in Detroit, MI and Bentonville, AR.

One of the questions we’ve repeatedly been asked during our nationwide Threat Hunt Tour is: “How can we do a better job of mitigating our insider threats — not just the external ones?”

Good question. And very timely, considering that 70% of companies in a recent survey said insider attacks have become more frequent in the past 12 months.

At Fishtech Group, we believe the most effective insider threat mitigation programs seamlessly combine policies, processes, and technologies into a comprehensive risk-based approach that can detect insiders regardless of whether they are malicious, willfully negligent, or simply unaware of the harm they’re causing.

As part of that approach, the optimal technologies use a blend of analytic techniques to assess and prioritize workforce risk. For example, Fishtech Group’s Haystax subsidiary employs probabilistic models, enhanced with rules-based triggers and machine learning algorithms, to detect and prioritize anomalous behavior among trusted employees at government and private enterprises alike.

September was Insider Threat Awareness Month, which presented an ideal opportunity for the Haystax team to reflect on some of the top challenges that small and medium enterprises need to focus on as they hunt for insider threats:

  • Take the variety of insider threat personas, for example. Haystax was supportive of a Verizon study that took organizations to task for looking primarily for malicious insiders, ignoring several other kinds of threat behaviors that are often just as harmful. Verizon lists not one or two, but five, categories of insider threat: Careless Worker; Inside Agent; Disgruntled Employee; Malicious Insider; and Feckless Third Party. It takes a particular kind of analytics to distinguish between them.
  • Continuous vetting is the new black. It’s no longer sufficient for an organization to screen employees once before they walk in the door. Examples abound of people ‘going rogue’ after a few years of employment, due to a variety of factors that can include financial stress, failed relationships or poor HR reviews. As a result, employers need to find a way to continuously vet (aka evaluate) their staff, executives and even their vendors and contractors. Haystax has blogged numerous times about the issue.
  • Most malicious insiders are smart enough to conceal their behavior and blend in well with the normality around them. In these cases, it takes the ability to turn qualitative information collected from a wide variety of sources, including fellow employees and anecdotes, and transform it into quantitative evidence used to ‘connect the dots‘ and catch a spy or saboteur or fraudster before he or she can do real damage. See the Haystax use case on Cuban spy Ana Montes for an example of how that works.
  • Despite its wide use, the term user behavior analytics (UBA) has come to mean something quite narrow: analysis of user behavior on networks and other systems, and the application of advanced analytics to detect anomalies and malicious behaviors in those systems. Find out why that network-centric approach is not adequate to the task of catching your most dangerous insiders — and why a person-centric analytical approach is.
  • Also find out why small businesses are most vulnerable to insider fraud, and how the U.S. government’s latest Insider Threat Maturity Framework still leaves some key questions unanswered.
  • Finally, the Haystax white paper To Catch an IP Thief lays out in detail the events that lead a senior executive down an unhappy path from star executive to full-blown insider threat in the space of less than four years — and how the Haystax Analytics Platform would have detected him before he could steal his company’s valuable intellectual property.

Since October is Cybersecurity Awareness Month, it’s also an opportune time to showcase Fishtech Group’s Security-as-a-Service division, CYDERES, a top-rated managed security services provider (MSSP) for detecting internal and external cyber threats.

A brand new partnership with Alphabet unit Chronicle gives CYDERES the ability to deliver managed detection and response services for Chronicle’s new platform. This partnership offers clients unmatched capabilities for threat hunting, incident investigation and ultimately detection and response.

There are nine Threat Hunt Tour sessions between now and the end of the year. Click here to register for the one closest to you, and learn how CYDERES and Chronicle can help you prey on your external and insider threats in an entirely new way.


The Rise of Passwordless Authentication

Last year, in a time before lockdown, a couple members of our team went to a Kansas City IAM Meetup. One of the first facts on our presenters’ screen said:

2 of 5 people have had their password hacked

Another recent article on our radar highlighted that hundreds of thousands of people are using passwords that have already been hacked.

Passwords have traditionally been a standard authentication tool, but over time, their flaws have become more apparent. Often, users will create easy-to-guess passwords, and will use the same password across multiple platforms.

Another factor at play: Hackers have become better at cracking passwords over time as well. By using methods including utilizing special-built hardware designed for password cracking, implementing botnets that try different login and password combos using credentials stolen from other sites, or even hiring out the attacking to other experts, “most attackers will usually crack 80 to 90 percent [of passwords] in less than 24 hours.”

Is the authentication landscape just all doom and gloom? What hope is there when our most recognized form of security isn’t as secure as we thought? Our friends at the Kansas City IAM Meetup brought forth some solutions that mirror some of our Identity and Access Management philosophies. A big focus was on passwordless authentication. In our continued effort to help you Level Up Your Identity Program this month, let’s take a closer look at passwordless authentication.

The Low Down on Passwordless Authentication

There are many ways to provide authentication without a password. The subject of the recent meetup we attended was FIDO2.

FIDO2 is a joint effort between the FIDO Alliance and the World Wide Web Consortium. It’s the overarching term for this partnership’s newest set of specifications to move the world beyond passwords.

The FIDO (“Fast IDentity Online”) Alliance supports many password alternatives. We’re going to run through a couple of examples today.

Biometric Authentication

Biometric authentication methods include things like fingerprint, voice, and facial recognition. These methods have gained prominence in mainstream applications due to their implementation in smartphones, for one example.

A recent article in the Wall Street Journal highlights some of the benefits of biometric authentication in financial institutions, which have increasingly implemented voice recognition software to confirm the identity of users, but there have been other concerns raised on the risks associated with reliance on biometrics alone.

In order to alleviate some of the concerns surrounding biometrics, it is advised to use biometric authentication as a part of two-factor authentication in your organization, which pairs multiple authentication methods, like biometrics with, for example, security tokens.

Security Tokens

A security token is a physical device used to gain access to an electronically restricted resource. Security tokens can be utilized through a physical connection to a device by way of a USB port or smart card reader, among other examples. Security tokens may also be utilized through disconnected tokens that do not involve an input device. These disconnected tokens may have a screen that displays authentication data, which the user must then enter via keyboard or keypad.

Again, it is advised that security tokens are used as part of established two-factor authentication implementation within your organization.

The Future of Passwordless Authentication

The FIDO Alliance has grown rapidly since its inception in 2013. It now includes more than 260 member organizations, including Amazon, Bank of America, Google, Intel, and Microsoft, among others.

As the FIDO Alliance continues to pursue its mission to develop and promote authentication standards that help reduce the world’s over-reliance on passwords, we can expect passwordless authentication solutions to become more refined, and to see more organizations adopt passwordless authentication solutions.

It can be overwhelming to keep up with these updated standards and procedures to keep your organization secure. We’re dedicated to helping you find the right solution for your business the first time.

If you would like to discuss how to keep your organization more secure through Identity and Access Management and the implementation of passwordless authentication, let’s take some time to connect. Fill out the form below, and one of our IAM experts will reach out to answer any questions, and discuss ways we can help you Level Up Your Identity Program.