Redefining CyberSecurity

MFA, 2FA, and Passwordless Authentication — Rising to the Next Level of Protection | An Infosecurity Europe 2024 Conversation with Parul Khedwal | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean and Marco as they connect with Parul Khedwal to unravel the future of authentication with a focus on MFA, 2FA, and Passwordless solutions, offering unparalleled insights into cybersecurity strategies.

Episode Notes

Guest: Parul Khedwal, Security Operations Lead, Trainline [@thetrainline]

On LinkedIn | https://www.linkedin.com/in/parul-khedwal-51612aba/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

In this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli dive into the realm of authentication methods, focusing on Multi-Factor Authentication (MFA), Two-Factor Authentication (2FA), and the emerging trend of Passwordless Authentication. The dialogue with Parul Khedwal navigates through the evolution of these security measures, emphasizing the critical shift towards passwordless solutions for heightened security in the digital landscape. By exploring the intricacies of these authentication mechanisms, the conversation sheds light on the challenges and advantages of each approach, offering valuable insights for enhancing cybersecurity strategies.

The episode serves as a platform for discussing the future of authentication technologies, highlighting the importance of robust security measures in safeguarding sensitive information from cyber threats. Through engaging conversations and nuanced perspectives, the trio unravel the complexities of modern authentication solutions, paving the way for a more secure digital environment. Join Parul on location in London to continue exploring the evolving landscape of authentication methods and learn how organizations can adapt to the changing cybersecurity landscape for optimal protection against online risks.

____________________________

Follow our InfoSecurity Europe 2024 coverage: https://www.itspmagazine.com/infosecurity-europe-2024-infosec-london-cybersecurity-event-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTcLEF2H9r2svIRrI1P4Qkr

____________________________

Resources

MFA, 2FA, and Passwordless Authentication – Rising to the Next Level of Protection: https://www.infosecurityeurope.com/en-gb/conference-programme/session-details.3783.219373.mfa-2fa-and-passwordless-authentication-%E2%80%93-rising-to-the-next-level-of-protection.html

Learn more about InfoSecurity Europe 2024: https://itspm.ag/iseu24reg

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Marco.  
 

Marco Ciappelli: Sean, how are you doing?  
 

Sean Martin: You seem, you seem so far away.  
 

Marco Ciappelli: I am. This is not my usual office.  
 

Sean Martin: The background is quite different. 
 

Marco Ciappelli: I am, um, I'm close to our next destination. That's how go.  
 

Sean Martin: And, uh, and you, you are where I want to be, but that's another story. Hopefully, hopefully I'll get a chance to, uh, to connect with you there. 
 

I think our guest, Parul, and I were just talking about, uh, how we've both spent some time in, in Florence. And uh, so I hope you're enjoying that. And, uh, you're closer to London. I'm, I'm, exactly, I'm not far behind you. Not far behind you.
 

Parul Khedwal: Yeah. Little longer. , where are you right now, Sean?  
 

Sean Martin: I'm actually in, uh, California at the moment. 
 

Parul Khedwal: Ah, then it's long.  
 

Marco Ciappelli: You're way behind. He's way, way.  
 

Sean Martin: I'm nine, I'm nine hours behind you. But I'm, I'm heading your way. Heading your, I'll be getting on a plane soon. And, uh. Sadly, I won't be [00:01:00] making a pit stop in Florence. I'm going straight to London. But anyway, I'll go later. And, uh, so this is our chats on the road. 
 

People are probably wondering what we're talking about here. So we're on our way to InfoSecurity Europe in London, of course. And, uh, we like to have chats with keynotes and then presenters at the conference to learn about what's going on and, and get a sneak peek into what's going to be presented and discussed at the conference and I'm thrilled to have Parul Khedwal on. 
 

Parul, how are you?  
 

Parul Khedwal: I am doing very well. I hope that's the same case with you.  
 

Sean Martin: Yes, I think we're both very well, in fact, and I'm excited to, uh, to meet and see you in person in London. Um, for those who don't know you, maybe a brief introduction, who you are, what you're up to, and, uh, we'll go from there.  
 

Parul Khedwal: Sure. 
 

So I have, my [00:02:00] name is Parul Khedwal. I have been working in cyber security industry for a decade now. And in that last 10 years of experience, I have done very, very different roles. Started as a SOC analyst, uh, way back in early 2014, uh, then quickly moved back to, you know, becoming a senior SOC analyst, SOC lead kind of roles. 
 

Then moved to a consulting company, uh, did, uh, you know, uh, SOC establishments for a ton of clients, uh, across Europe, US, and then, uh, lately then moved to cloud security, did cloud migration because cloud became the buzz. And everything from on prem started moving to cloud. So started doing some of the cloud engineering security architecture project. 
 

Then, uh, so for that, I was mostly based out of Stockholm, Sweden, uh, worked there for two years in COVID, moved back to India to be with family. Then [00:03:00] join another company, uh, uh, which was again, us based. I was doing consulting for them, uh, in threat intelligence space. I was also leading their security operations. 
 

Um, and I was handling all of their, you know, MSSP providers, things like that. Off late then, uh, life gave me a chance to move to London and I joined Trainline, uh, where I'm employed at this moment. So I'm leading the security operations of Trainline as a whole, so I'm pretty sure whoever is based out of London and at least in some parts in Europe, you must have used Trainline and I mean, not really doing any sort of those promotions, but just trying to tell you what really I do.
 

So I protect. Customer data and all of the security within the Trainline employee infrastructure as well. So that's what I do at the moment, but that's like, really, really from, you know, my work perspective, but otherwise, if I have to introduce myself, there are more flavors [00:04:00] to it. So I like meeting people.
 

I like talking to people, which is why I'm here today, which is why I do conferences. I've been a part of ISACA Bangalore chapter and now recently joined ISACA UK And I really love talking about security. I have a. Done a couple of courses. I've designed a couple of courses and, you know, sold them to, uh, you know, I can't really, uh, quote the companies, but yeah, I sold it to them for their internal training.
 

So, uh, speaking about security is my passion and, uh, definitely that is what I. Going to be doing it today as well. So yeah, I think that's that's about me. Unless you have any questions I have loads  
 

Marco Ciappelli: of questions. No, that's it. Podcast is done. You told us everything we needed to know. Thank you very much  
 

Sean Martin: I'm, uh, i'm thrilled to hear the the ASSOC. 
 

That's a great organization. They do they do good things for the industry and um, Yeah, [00:05:00] congratulations on uh getting the the speaking spot at InfoSecurity Europe as well um, i'm curious a lot of Security Operations Center, Threat Intelligence, Security Operations in general, it sounds like as well. And then the session is around passwordless auth and multi factor, which is very specific. 
 

And I, I don't know, maybe not directly. There are events, of course, for, for access and authentication in the SOC. But why, why this particular topic so focused on that? Is there a passion there or some findings or something interesting?  
 

Parul Khedwal: I don't know. I think it's a combination of all of these things. So as a SOC lead, what do you think the kind of incidents that bother me the most? 
 

It's not something big breaking. It's the small and the most, you know, easiest thing breaking in, which is as [00:06:00] simple as your password. Right. You know, we hear about these data leaks every single day. This company got breached, that company got breached. Your credentials are out there everywhere. I mean, I don't know if I really should say this, but I still would want to go ahead and say the statement that data privacy has become a myth now. 
 

No matter how great rules we have in place, but at the same time, most of the data across the board is in a breach list somewhere, right? So Where do you draw the line? Right? You started drawing the line. I was like, okay, one factor is not essential. You need to bring in more, right? One time passwords, your, uh, you know, authenticator apps and whatnot. 
 

But attackers have also figured out a way to deal with them as well. So what next, right? So when I started looking at this topic and I even researched about it and [00:07:00] it's like we are right now kind of taking a u turn and what we moved from physical to digital and now we are trying to take More advantage on the physical side. 
 

So this whole password space is taking a new shift altogether and which is why this topic particularly interested me because I know from the ground reality how a small password can lead to a very big security incident at the same time. Even as a general user, like, you tell me, Sean, how many passwords do you remember? 
 

40? Your bank, your Uber Eats, what not?  
 

Sean Martin: I remember all of them. Right?  
 

Parul Khedwal: All one. All  
 

Sean Martin: one. Password. Oh  
 

Parul Khedwal: my God.  
 

Marco Ciappelli: You  
 

Parul Khedwal: just  
 

Marco Ciappelli: use passwords.  
 

Parul Khedwal: You really need this session the most.  
 

Marco Ciappelli: We're kidding. We're kidding. We're not that bad. We put a one at the beginning and an exclamation point at the end.  
 

Parul Khedwal: Yeah, but this is so much talk around that you know what really you want to do with the passwords. 
 

There have been always buzzwords like you don't [00:08:00] really use a single password, you know, use passphrases. For you, it's easy to remember, I don't like pineapple on my pizza at the rate 2, 3, 6, rather than you remembering combination of your name plus your wife's name plus your dog's name or I don't know whatsoever, right? 
 

So, it's, it's taking a whole new shift and there are a lot of topics that need to be discussed. Uh, topics that people need to be aware about, right? Uh, there are a lot of technologies which are coming up. So FIDO has done a really amazing job in bringing up phishing-resistant MFA. So FIDO is basically, uh, uh, I think, first identity online.
 

That's what it stands for. I'm sorry if I'm not quoting it correct because that's what I remember, uh, vaguely. But, uh, yeah. So, I mean, there's a lot to discuss in this space. I've just thrown a very few keywords. But if you look at the agenda [00:09:00] of the session as well, you would get to know there's a lot in this space which is happening. 
 

Sean Martin: You're correct. It is Fast Identity Online.
 

Marco Ciappelli: Let me ask you something. Like, how did we get here? Um, It's a very long time. I hear password or not. You know, not good. I also know that password were used during the Roman Empire or maybe even earlier than that to authorize entrance somewhere throughout when you couldn't see someone behind a wall or a door or whatever. 
 

And I understand that there wasn't the technology wasn't like, Oh, let me see your iris or let me scan your finger or whatever. But I feel like we had this technology now for a while. And I don't know, are we actually getting to drop the password finally? Or what is it are holding this industry to still using password? 
 

Parul Khedwal: I think there are a couple of things, uh, which is holding the industry [00:10:00] back. Uh, first and foremost, it's the resistance from the user side. Because tomorrow, if I told you that you cannot, you know, Do your, uh, bank transactions with a password, but you need to have a passkey or a physical device, you might get immediately bothered that what if this device is lost, right? 
 

I what if I lose this key? Password is something I can remember or reset, but what if I lose this key? Is it going to be, I mean, are we going backwards? Why not go, you know, to more secure parts or why do I need to have a physical scan of my, uh, thumb or my retina, or even have a, let's say a physical device as a key, which you can plug into your system and boom, your password is in.
 

What if somebody steals that? So there's a lot of reluctance from the user community side. Reason being there's not enough communication. There's not a good story being, uh, told to them, uh, especially by the security preachers, the vendors who, uh, are bringing this technology. And [00:11:00] overall there, there is, I think, less awareness in this space as a whole. 
 

So I think that is one area because of which, uh, people are not really ready to implement this. Uh, secondly, it's also about, uh, you know, with. With new technologies would definitely come new threats, right? How ready are we to handle more sensitive data? For example, GDPR says that even your password, your passports, uh, sorry, your, uh, your full name and password as a, uh, passport number as a combination cannot be stored in the same place, right?
 

Because these two together can reveal your identity to another level. You have to be, you know, compliant with certain regulations to be able to store them in the same place. Now, if I, as a person, or as a company, want to store your fingerprints, want to store your biometrics, like, right, am I capable of having an infrastructure that can deal with the [00:12:00] security compliance requirements? 
 

Maybe, maybe not. So there are a couple of roadblocks, but I think, I think, uh, we are heading to a good space, uh, because, uh, with these sessions, right, more and more people are starting to talk about why going passwordless is going to be the future. And of course, AI being the new buzzword, you can literally throw it anywhere at this point in time. 
 

But of course, uh, with, uh, AI coming into a lot of. Um, uh, two lanes, I think it's going to make life easier in the long run. So, yeah. So  
 

Sean Martin: AI is an enabler for some adoption or to make it easier to manage or?  
 

Parul Khedwal: Yeah, I, I would not give it a direct yes or no, but I mean, it could be put to some good use of, I have to, I have to say in that way, because this is a technology, it's not. 
 

It's been there for a couple of years, like five years, probably. [00:13:00] Now there are organizations which have been using it and they have seen good success. So even without AI, this has, you know, really shown results. But now with, uh, AI being an enabler, it could probably, uh, you know, take an easy path, but that's, that's something which future is going to reveal. 
 

Sean Martin: And so don't, don't give anything away from your session, but is there, is there a story you can tell kind of sums up what you hope to talk about during your session?  
 

Parul Khedwal: Yep. So, I mean, if I have to nail it down to a very short story, it's more like, you know, everybody now cares about security. Right. At the same time, everybody now cares about convenience. 
 

How do we marry this together? Right. And how this approach is going to help in achieving this. We have talked [00:14:00] about a lot of different things, right? Phishing. What is a phishing resistant MFA? What's the need to go passwordless? Can't go passwordless, uh, you know, how to go with passphrases. If you don't even want to go with that, go to Yubikeys, passkeys and whatnot, right? 
 

So there are a whole bunch of topics that you're going to, uh, listen probably in the session about, which would give you, uh, you know, an, uh, an end game to the story that How everything is making sense. Security, passwords, no passwords, keys, how it all comes together.  
 

Marco Ciappelli: How much, you mentioned the user resistance to let go something that even if it is a pain, because the password is a pain, they are still thinking that anything else is going to be even more painful. 
 

So, two factor authentication. But on the other hand, If you have a multi factor that involves, [00:15:00] I don't know, I know it sounds scary, but when you go to the airport, you're already using your, your face to board the airplane. They don't even ask you if you're okay with that or not. It's just the way it is. I just went through that. 
 

So, on one way, I'm like thinking, okay, I'm in cyber security, privacy, blah, blah, blah, why didn't you ask me to do that? But then I'm like, you know what, if it makes the airplane more secure And I didn't even have to pull out my my boarding pass or my phone. It's kind of cool. So are we not? As you mentioned, are we not marketing correctly, too? 
 

Parul Khedwal: I think, uh, marketing was not the word, but I think I did use a word for, like, we are not telling the right story to the users.  
 

Marco Ciappelli: Well, but I'm in marketing, so I, for me, that's also telling, you know, the right story, right?  
 

Parul Khedwal: Yes, and it's also about, I don't know, probably, uh, it's, it's more about, uh, trust, right? 
 

Yes. Yeah. For security, you [00:16:00] have probably little more trust that, you know, it's an airport, it would be regulated by government authorities, there would be regular checks, but when it's a, let's say, a small vendor from which you order food, would you have the same level of trust?  
 

Marco Ciappelli: Right. Yes.  
 

Parul Khedwal: Right. So that could be one, um, barring factor for people to not really  
 

Marco Ciappelli: buy. 
 

I wouldn't, I wouldn't want to do retina scan to buy an espresso on a bar tomorrow. But I think to go on a plane  
 

Sean Martin: I don't know, I need an espresso.  
 

Marco Ciappelli: You'll give away, you're ready now for an espresso?  
 

Parul Khedwal: Probably 20 years down the line, probably you walk away into a print with your iris, your bank account is linked, and you just pick the coffee and go away, you don't know? 
 

Marco Ciappelli: Yeah, probably, that's possible. That's not very possible.  
 

Sean Martin: A pint at a pub, maybe. I don't know, we'll see. Alright, well um, Parul, can you, can you give us, as we wrap here, can you give us a sense [00:17:00] of who you're speaking to during your session? So clearly, you have a lot of operations and security management.
 

Background. Um, your, your co, uh, your co presenter, Raul Ruhl, um, looks at ID and access management. So he has more, uh, more of it, but that, that perspective. So who's there? Is this practitioners? Is it security leaders? Operations center folks? Who are you speaking to?  
 

Parul Khedwal: I'm not really directly spoken with him yet. 
 

So we have, uh, you know, upcoming moderation session coming up where we would discuss more about, you know, what really, uh, his experiences are, what my thoughts are, but he, he comes from a consulting background and he has implemented identity and access management solutions for a ton of clients. I think he would definitely know the pain points. 
 

So that from an organization side, how easy or, uh, not so easy the approach is going to [00:18:00] be and what the future road would look like. So I'm kind of more interested to even hear that side of the story as well.  
 

Sean Martin: Yeah. Cause there's the, what's the strategy? How does it support the business? How do we put policies and start to implement the controls? 
 

And then you have the, this helps us ensure security by monitoring and tying it back to the rest of the, uh, rest of the operations. It'll be a great conversation. That's why I, uh, that's why I picked it and I'm glad you were able to join us.  
 

Parul Khedwal: This is, of course, going to tie back to all of security monitoring because, uh, you know, when MFA goes bad, there's a lot of phishing. 
 

So all of this is tied back together to your credential, uh, security in the first place.  
 

Sean Martin: Make it easier for the analyst.  
 

Parul Khedwal: Definitely.  
 

Sean Martin: I love it. Well, this session is called MFA, 2FA, and Passwordless Authentication: Rising to the Next Level of Protection. That's on Thursday the 6th at [00:19:00] 1:15 local time there in London.
 

And uh, Parul, congratulations again on, uh, getting this spot to, to tell these stories and, and help folks along with Raul kind of marry these two sides of the coin together.  
 

Parul Khedwal: My pleasure.  
 

Marco Ciappelli: Well, we will see you soon, soon enough, and we're very excited for another successful Infosecurity Europe. That will be Sean, our sixth one, I believe, so excited. 
 

Sean Martin: Number six, exactly.  
 

Marco Ciappelli: Number six. Yep, we're that old. 
 

Parul Khedwal: Last time I was a visitor, this time I'm a speaker, so I think that's a good focus.  
 

Marco Ciappelli: That's wonderful. That's wonderful. I love it. Congratulations on that. And, uh, yeah, we're looking definitely forward to see you, to see you there and have an in person, uh, In person, five minutes. Hopefully out of your busy schedule to say hi [00:20:00] to everybody else. 
 

If you can be in London, we will be there. If you can't, that's you want to follow us because we will tell you what's going on. Everybody win.  
 

Sean Martin: There's gonna be a lot going on working.  
 

Marco Ciappelli: I know, I know you're ready.  
 

Sean Martin: All right. Well, thanks for taking this time and uh, and for taking the time at the conference to share your stories. Thanks everybody for listening and watching our chats on the road to Infosecurity Europe in London.
 

We will see you all soon. Please. Uh, please stay tuned subscribe share with your friends and enemies and We'll catch you on our safe journey. Everybody.  
 

Parul Khedwal: Thank you