Listen to "All Things MSP" on Your IT Podcasts!
Justin Esgar:
What's up, buddy? I have a great story for you. I sent you this. You didn't even respond to me. Liquid Death. Hashtag not a sponsor. I got it back. Apparently went to war with the Arnold Palmer family. For those who don't know, Arnold Palmer was a professional golfer who used to drink a lot of iced tea and lemonade mix. He sold the rights to Arizona Iced Tea or something like that. Liquid Death had their own lemonade iced tea mix called the Armless Palmer, and the Palmer family in Arizona went after them and gave 'em the cease and desist, and now they call it Dead Billionaire.
Eric Anthony:
Well, and I think the great thing about that story, right, because I did read it, I am sorry I didn't respond. It's been one of those weeks. The great thing about that story is so Liquid Death, though.
Justin Esgar:
They posted it to their Instagram. If you like our Armless Palmer, you're going to love our Dead Billionaire. Why? Because it's the exact same thing. What's up, everybody? Welcome to the All Things MSP podcast. I'm your host, Justin Esgar. With me always is my good friend, podcast host, producer extraordinaire, pirate pal, pipe dream. I'm running out of... That's because he's
Eric Anthony:
Waiting for his first royalty check, folks.
Justin Esgar:
Yeah, I'm running out of P words that are podcast appropriate. Don't have, but if you can't tell, I don't have a pop filter on my microphone and I purposely pee out my Ps. Side note, there's a great CollegeHumor turned into a show called Game Changer, and there's a great sketch if you want to look this up, and I think we've talked about this before, where the guy had to sell the host on a keyboard that was all the letter P, and they were like, well, why should I buy a P letter keyboard? And the guy goes, because it's perfect. And the other cast members were like, no. They just lost their mind over it. And then someone asked, they were like, if I wanted to write an email like, Hey Eric, how are you? Hope things are well, xo, xo, Justin, how would I write that on the P keyboard? And the guy literally goes, blah, blah. But it was the funniest thing. Go check it out. We've talked about that before. What's up, dude? Another episode. Here we are. We have a guest today. As always, I love it when we have a guest.
Eric Anthony:
Yes. I mean, it depends, right? Because sometimes we cover topics that just you and I run across that we think are things that the audience needs to know or would like to know. The recent one we did on compliance, that one actually has gotten a lot of tragic, no traction.
Justin Esgar:
No, it was a tragedy is what the word you're looking for.
Eric Anthony:
That's what this podcast is. This podcast is tragic promise.
Justin Esgar:
We'll do better next time.
Eric Anthony:
But that one has picked up some great traction, which is good. Shows that the content that you guys want are the things that at least every once in a while Justin and I are pulling out.
Justin Esgar:
I do know what they really want. They really want to know the information about the name change of the Arnold Palmer drink of Liquid Death, which is why you're here for the show.
Eric Anthony:
Well, maybe we'll do an entire show on that. Probably not. Well
Justin Esgar:
Marketing, we'll do a show on marketing, but today we're doing a show about security. We have a guest. Let's bring up our guest, Mr. Joe Scalone from Yubico, Senior Solutions Architect at Yubico. Joe, what's up, buddy? How are you?
Joe Scalone:
I'm doing well. How are you guys doing?
Justin Esgar:
I'm good, Joe. Just so people know, I met you only a few short months ago at the Mac Admins PSU conference. You were sporting that same shirt. I'm really hoping you've washed it since then.
Joe Scalone:
Luckily I've got a couple of them.
Justin Esgar:
Do you pull this? I know we haven't even introduced you yet, but I'm going to jump right in. Do you pull the Steve Jobs, and is that your just go-to outfit every day? You just always wear the Yubico shirt?
Joe Scalone:
Not every day. I don't have that many and I've got a variety of them, but it definitely makes life easier.
Justin Esgar:
You just need seven, that's only seven black turtlenecks, one pair of Levi jeans and a pair of, what did he wear? New Balance shoes, the white ones. I forget what he was wearing.
Joe Scalone:
Yeah, New Balance. But yeah, I don't think turtlenecks would work well for me.
Justin Esgar:
Joe, while we got you here, why don't you tell everybody a little bit who you are, what is Yubico? And since your last name is Stallone and we had this conversation pre-show, tell everybody which is your favorite Rocky movie.
Joe Scalone:
Got it. Well, we'll start first. It's Rocky III. I love Mr. T. Always have, always will. Seen every episode of The A-Team that I'm willing to talk about. So some about me, Joe Scalone. I live in the Maryland area. I've been working with identity for, I guess we're coming up on 10 years now. And really I'm passionate about making people safe online. I've got three little kids and it scares the bejesus out of me. Some of the things that I've seen in my travels, similar to you guys, I imagine, there's a dark underbelly of the internet that really, if more people knew about, we could do something about. And if you look at the numbers, cyber crime is the third largest economy in the world behind China and the United States. And there are things we can do about that that are not very hard. So yeah,
Justin Esgar:
Enter Player Three. Joe Stallone coming in to talk about it
Joe Scalone:
Pretty much. So I work for Yubico. Yubico specifically provides modern hardware authentication that stops phishing attacks and account takeovers for the world's largest organizations, small businesses, individuals and more. I also do work with the FIDO Alliance. I'm the co-chair of the US Government deployment group and the Gut World government deployment group. That's probably new from the last time we chatted.
Justin Esgar:
Yeah, no, that's awesome. I agree with you about the scariness of the internet. I have an 8-year-old and he's getting into Fortnite now, and I've turned off all the chat and I've tried to manage his computers. Actually, as an IT person, one of the things I pride myself on is that I manage my kids' devices and I think I do a pretty good job, but I ran my own pen test and I had a friend of mine try to FaceTime my son just to see if he would answer a random phone number. And he did, and I was like, I screwed up in two ways. One, I didn't teach him, don't pick up FaceTimes of random phone numbers, and two, I should have blocked all of the outside callers. But yeah, the internet sucks, but we're on it. You're here listening to this show, right?
Joe Scalone:
It has its purpose and it's a tool, whether it's a tool for entertainment, a tool for work, a tool for making several hours of your day just randomly disappear. It is a tool, but it's a tool that good guys use and bad guys use. Just like everything else.
Justin Esgar:
Just like all other tools. Bad guys use hammers also. Yeah. Yes, but they use 'em differently. Yeah, it's exactly what it is. So let's get into a little bit of the security stuff here. So it's going to be hard to show on camera. So if you're watching this on YouTube, I apologize. And if you're not watching this on YouTube, youtube.com/@allthingsmsp. I have a couple of these Yubi, I have actually a stack of YubiKeys here. Not for any other reason than a couple of these were mine. A couple of these belonged to staff members. A couple of these were gifts. So you can see I really do like them, but let's get into why should somebody be using, whether it's Yubico or some other sort of encryption key, I'm assuming, and you'll correct my terminology, FIDO key, and why use this? Is this necessary when we enforce two-factor authentication on everybody's computers? Where is this fitting into the play here?
Joe Scalone:
It all comes down to risk. We will start with the idea of implementing phishing resistant authentication, which is really only a FIDO authenticator and a smart card. Not many people are signing up to go back to smart cards. There's a large cost associated with setting up a PKI infrastructure to manage the certificates behind that. You don't really need that necessarily with a FIDO authenticator. Just doing that alone would stop 90% of internet breaches because it's been discovered that truly 90% are due to stolen login credentials. Think of how much money you could save just from that. Now, why a security key? I also have a couple, as you can imagine.
Justin Esgar:
It's not fair though. Hold on. You have the branded shirt. I don't have a Yubico shirt.
Joe Scalone:
Yeah, I do have the branded shirts. Well, maybe next Mac admin conference I'll see if I can get you a branded shirt as well. Why a security key? Well, let's talk about the opposite side of that. A passkey. And really passkey just means a FIDO authenticator. Most of us know passkey as the syncable passkey. Very convenient. Set it up on your Mac, it's on your iPad, it's on your iPhone. Other companies are either actively out with them, Google conveniently set them up for you on all their devices, but they own the private key. What's getting synced around? If you're comfortable with that, I'd rather see you use that than a password any day of the week. If you want to control your private key, you need a hardware authenticator, which is effectively, it's a hardware backed FIDO credential or a hardware backed passkey. This way, you don't want somebody to access that private key? You unplug it, nobody's going to get to it.
Justin Esgar:
So let's backtrack this one a little bit. For those who are not aware of what passkeys are, right? Because you and I were talking a little bit before the show, before we started recording. My entire team uses 1Password, password management. We like it. It's probably one of the safest ones. And I've noticed that 1Password now is, like, storing passkeys for Google. And I've talked to my lead tech and I'm like, what is this? And he is like, it's just passwordless passwords. And I was like, I don't know if that's a hundred percent right. Let's break down what a passkey is, why people should be using them. Where does that sit in the realm of, let's say, two-factor authentication or multi-factor authentication? And then I guess we can stop on top of that, the idea of using a key, a hardware key.
Joe Scalone:
So let's start with defining multi-factor authentication or two-factor authentication by saying really there are three factors. Something you have, something you are, and something you know. Something you know would be a PIN number, a password; something you are, retinal scan. I know you have one of those at home, Justin, to get into your front door, fingerprint, veins in your wrist, the way you walk. These are all biometric factors. The way you type, the patterns of your life, these are all things that are really predictable from a biometric standpoint. Why use two-factor at all? Well, it's harder to break into. It's harder to sit there and say, well, I've copied your password. Well, now I need to copy the SMS code, which is really not that hard off of somebody else's phone. Or I need that digit from an app, an authenticator app that's on your phone.
So then from there, why a passkey, or what is a passkey? A passkey is a FIDO credential. Full stop. But what does that mean? So think of it as a certificate based authentication that is one-to-one tied to an individual website, in this case, because it's really meant to be making passwordless authentication easy for this mobile web environment we all effectively live in at this point. Why use it? It's significantly more secure and in some cases just as convenient, if not more convenient. You really don't have to remember a password. You'll get prompted for a PIN in some cases, but that's it. And it's significantly more secure,
Justin Esgar:
Right? So in the case of 1Password, in order to unlock 1Password, I have literally one password which unlocks all of my passwords. So effectively, if that password got out, someone can access my entire life if they had access to the vaults that I have. But that password is complex and I'm never using it anywhere else. But I could also unlock 1Password with just my finger because, at least on the Mac, and I know there's ways to do this and Eric will tell me I'm wrong or right, that there's ways to do biometrics on some PCs. I know some PCs have a, what is it? The ThinkPads have the little touch thing, right? Yep.
Just by touching the keyboard on my Mac, which unlocks my 1Password, which then unlocks all the other passwords and then access to the passkeys. I mean, I feel like I'm playing a game of Get Smart here, like that intro scene with all the doors. When do I get in, or am I overdoing it? Where should, let's take this two ways. Where should one, the MSP stop, and two, where should they get the clients that they take care of to stop? Because you could go down a rabbit hole and never come out of it when it comes down to security.
Joe Scalone:
So the one place, and I can see this is a good market for a lot of MSPs, is ask your clients about risk. What happens if that master password gets out there and somebody shuts down your business? Well, are you ever coming back from that?
Justin Esgar:
Right?
Joe Scalone:
I know when I had my own business, I wouldn't be coming back from that. I'd be looking for a job instead of trying to come back for that. It's the same argument we always had with backups. The thing that I was always told from my clients 15 years ago when I was in your guys' shoes is why do I need a backup? I've never lost any data
Eric Anthony:
Until that first ransomware event happens. Quite honestly, I had one of those events where I very nearly went out of business. It was early on in ransomware, and if I had not been able to recover that client and get them back up and operating within four days, I think we did with no good backup, it would've been devastating.
Joe Scalone:
And think of it, if that ransomware attack really came in from basically a credential attack, a passkey would've stopped that, whether it was hardware backed or not, and you get to stay home for those four days and do other things instead of being at the office probably 24 hours straight.
Eric Anthony:
It actually pulled me away from an Autotask conference that I was speaking at.
Justin Esgar:
I was going to, Eric would've been at the office anyway, because
Eric Anthony:
Back then, yeah,
Justin Esgar:
Yeah, he just wanted to get out.
Joe Scalone:
Understood. So back to the idea of when is enough enough. It comes down to personal choice and risk. We talked about kids. We all have houses. Where is the limit of security at your house for your kids? I don't know about you. Mine changed the second I had a wife, the second I had kids. Otherwise we were younger and we all did dumb things. That's normal. The risk with cyber is no different. Maybe the password to buy a pizza is not super important to you, but the password to a multimillion dollar stock portfolio is one. Don't use the same password. Preferably don't use a password because I can go online right now and spin up a password cracker and your 16 character password is mine in less than a day and I spent $12.
Justin Esgar:
The problem is that my multi-million dollar portfolio password is, I like pizza.
Joe Scalone:
I didn't know we had the same password. That's kind of cool.
Justin Esgar:
But the thing is, when it comes to passkeys, especially on websites, as IT providers, we're stuck. We can't do anything. We are waiting for the websites to update and take on this new technology. I have seen very few websites that I can log in with a passkey. Facebook doesn't even have it. As far as I know, LinkedIn doesn't have it. Google does, Google Mail does, and I think that's where the buck stops. Like, why are we waiting? So why are these companies not just doing it? It's an obvious good thing and we should be informing our customers about it, but what good is informing my customers when 99% of the websites that they go to don't have it?
Joe Scalone:
So there's two ways of, oh, go ahead, Eric.
Eric Anthony:
Well, and I was just going to say that that's one of the reasons I like YubiKey because they seem to be one of the more widely adopted other forms of multifactor authentication besides SMS and an app authenticators.
Joe Scalone:
So I can answer that two ways. One, as a side, it's not just FIDO we can do on here. You can also do that same app authenticator and protect it with a YubiKey. It's not phishing resistant, but you have to present your YubiKey to your device to unlock that authenticator app, and that's the Yubico Authenticator. You can download that for Mac, iPhone or Android. So why haven't more sites really implemented this? Think back, when did your bank institute multifactor technology? And my point exactly, until somebody forces them to do it or they've been burned bad enough and it becomes a risk thing. The other way to implement it is through federation. If you set up something like Okta or Entra now and federate into these sites, you can use a passkey to get in, and then it's SAML on the backend from there, which I would recommend anyway, really, for any MSP, because now you can control that access differently without passwords and you can manage it and you can track it.
Justin Esgar:
Well, I've had clients who've come to me and complained about the idea of using something like Okta or Entra or any of these IDPs as well. Then they just need the one password to get into everything else. They would get that. So again, going back to this Get Smart door concept, you need to FIDO control the access to Okta, which is a single password to allow SAML into these other websites that don't allow FIDO control. Yeah, it becomes a headache and it becomes a problem. And then it comes down to what you keep calling risk. I call it, is the juice worth the squeeze? Do I need to really put IDP on pizza one's website or my login for my pizza one website so I can get my chicken bacon ranch, which, hashtag, they don't deliver to where I am, so pissed that I moved, but I don't know, I already asked this, but in my head I keep spinning around the idea of where's the end point? Is it worth it to do all this? So let's go from the other side of it. Okay. All MSPs are promoting two-factor. All MSPs are promoting some sort of, if you're not promoting IDP, you should be promoting some sort of IDP, whether that's Okta, Entra, JumpCloud or whoever else you're doing. You can even use Google as single sign on for a lot of stuff. Okay?
They're already promoting that, so that's what they're considering. Step one, we're going to bump that to step two and say a FIDO key, in this case, a YubiKey, should become the new step one. So what are the risks of rolling it out? Because my fear, and I talked to you about this at Mac admins, is I have the Yubico mini, which by the way is a silly device because I never took it out of my computer. If I lose this, I am bleep. Yes, thanks for doing the work for me there. You got it, buddy.
Joe Scalone:
Yeah, we recommend getting two keys for that reason. Multiple keys is really the thing. This is why when you buy a car, you get two keys; you go re-key your door at home, you get at least two keys. Having multiple keys, really, to have that backup is key. I've said key way too many times here, but
That's really the process you want to go with. I would also take a step back and instead of saying implementing a security key is step one, I would still go the route of implementing an IDP and then add this version of multifactor, whether it's FIDO of any form or smart card, move to a phishing resistant authenticator. Go on the path to passwordless. Are we there really as technologists? No. All companies need to do a little bit more, but we're still making steps in the right direction. There is no perfect solution for every company. I'm a really firm believer in that, but really we want to raise the floor up for security. Let's stop the easy attacks. Let's, proverbially, lock your door at the end of the night so nobody walking by just randomly walks in. Getting off of passwords, to me, is the same thing.
Justin Esgar:
I don't remember what movie this is from, but some movie's like, I don't know about you, but we, oh, it's from Iron Man 2, where Justin Hammer goes, I still lock my door at night. This isn't Canada,
Joe Scalone:
So maybe only certain Canadians might want to get this for the reference, but we'll still talk to you anyway. I'll still find a solution that'll help protect you, whether it's, you can leave your front unlocked, whether it's with us or not,
Justin Esgar:
Leave your front door unlocked, but sleep with a YubiKey under your pillow to get into all of your stuff is what you're getting at.
Joe Scalone:
Maybe put it on the nightstand. Alright, on a nice key ring.
Justin Esgar:
On a nice key ring. Yeah, so let's talk about this real quick there. And I'm trying to get to my web browser, but my teleprompter concept is still not working for me.
Eric Anthony:
Well, while you're doing that, I have a question. The process guy, it seems to me, in my experience, it is easier to use a FIDO key than it is to do SMS or app-based authentication. So as an MSP, if I'm trying to sell this to clients, is it not a selling point that it's just easier and it's more secure?
Joe Scalone:
Yes, and you don't have to reimburse on a cell phone. You don't have to maintain, unless you're obviously buying cell phones as your primary source of communication. But I know a lot of companies are moving to things like Teams where everything is based off of your computer for telephony as well. Yes, this is easier, this is quicker and ends up being less expensive, because then the flip side of that is how many of us have gotten calls to reset a password or something in the middle of the night? This eliminates that, eliminates all of those calls. Obviously it changes them to something else. Hey, I've lost all of my keys. But then you've got other issues.
Eric Anthony:
Well, and that was going to be my next question because my next question was if I'm an MSP or an internal IT admin, is there a way for me to have one key that I keep locked up that would give me access to these other accounts? Should I need that break glass type of scenario?
Joe Scalone:
If you have an IDP set up that's managing these, yes, because it's your admin key to get into something. From an MSP perspective, I would be using these as my admin tokens everywhere, because now you have effectively made sure that you are not the reason for a hijack attack. It's not you using the same password at 40 sites, because obviously nobody's ever done that before and none of your listeners ever do that. And you happen to write it down on a post-it note for a new employee and he leaves the company, and that company turns around and realizes that it gets into their competition, and now you're having to explain yourself, how did this happen? Even if they left a YubiKey behind, they still need to know the PIN number to unlock the device and they have to physically be somewhere to plug it in,
Eric Anthony:
Right? Yeah, it is like our friend Matt Lee says, right, defensibility. It gives the MSP another layer of defensibility of, Hey, I did everything physically possible, including adding this key, to make sure that nobody but me could get into these systems,
Justin Esgar:
Which is the first time we're actually doing something physically possible, right? Because normally when we say I did everything physically possible, it just meant how many taps on a keyboard. So I'm on the Yubico website. You have a lot of different versions of keys, right? There's the YubiKey 5, the 5C, the NFC, non-NFC, the Nano, the 5Ci. Help somebody who's never done this buy the right thing.
Joe Scalone:
So conveniently, I do know they have a new thing on the website that you can go through and answer a couple of questions that will help you find the right one, but let's talk about it. What's your form factor that you need? Do you need a Lightning port? Are you USB-C only? USB-A only? Does it matter? Do you only need FIDO? Do you need NFC? Do you need FIPS certified authenticators? Those are really your choices and kind of lead you down a certain path. If you don't need FIPS, you don't want a biometric key, which, this is instead of your PIN number, you use your fingerprint, then to me it's A or C. And do you want Nano or not? For me, and for a lot of admins out there, multiple keys are the way to go, but also not having the Nano, because I'm using multiple machines, I'm bouncing around everywhere.
Justin Esgar:
The problem with the Nano is that it's so tight. I never took it out of my computer. I felt like it defeated the purpose. I never take it out.
Joe Scalone:
And that's the key. If you are a one computer user and that's it, buy a Nano, plug it in, kind of forget it's there for that purpose.
Justin Esgar:
Unless of course someone steals my laptop,
Joe Scalone:
But then they would need to know your PIN number
Justin Esgar:
And they would need my fingerprint or something like that. Right,
Joe Scalone:
To get into your machine. Yeah. I mean, with any type of security, if somebody owns your machine digitally or physically, a lot of bets are off. Whether it's from a digital or a physical aspect, we've got a different issue there and there aren't many vendors that are going to really be able to help you out.
Justin Esgar:
Can I ask you, I'm going to ask you a really, people who are listening to this will think I'm really stupid for asking this question, but I got into an argument the other day with somebody about this. I feel so dumb just even thinking about this question.
Joe Scalone:
Lay it on me
Justin Esgar:
On a biometric device like this one, if they cut off my finger, shut up Eric. For those who are listening and not watching, Eric is losing his mind right now. If they cut off my finger, will it still work on a device like this?
Joe Scalone:
Yes, and it will also still work on your neck. And the scary thing is bullshit. There are certain, how do I put this? Certain gloves that can be made to mimic your fingerprint as well, and there have been studies done that they can make something known as a master fingerprint. There's about 40 of 'em that would cover the majority of the United States.
Justin Esgar:
That's a scary thought. Yeah, that is scary.
Joe Scalone:
And that's the thing with generative AI that everybody, AI is big everywhere. Everybody's talking about it. Think of it, what people are listening to and watching right now could actually be AI manifestations of the three of us.
Justin Esgar:
Tell them the secrets.
Joe Scalone:
Sorry. It's not hard or expensive to do now and it's only getting better. It's thinking of those applications, like in biometrics or facial recognition, that tend to get scary. The one advantage that we have, as you've seen when you use the key, you have to touch that touchpoint, whether it's the gold Y or the little gold nub on your key, which is known as a liveness check. That's to make sure somebody's physically sitting there to do it. You can't really do that remotely when you're passing through.
Justin Esgar:
Well, now that you've given up the secret, obviously it's very obvious to tell everyone that Eric and I are AI because we repeat the same lines such as, we'll do better next time, hashtag not a sponsor, podcast producer extraordinaire, and Eric and I are AI, but you, sir, are not. You are a very smart gentleman, especially when it comes to this stuff. Real quick before we finish up, Joe, where can people find you online? Where can they find out more about Yubico? Where should they go to buy it and when should they start implementing it?
Joe Scalone:
We'll go backwards. Implement now. Where you can buy it: you can actually get 'em off of Amazon. If you go through somebody like Ingram, you can also get them. You can get 'em right from our website as well. Where to find out more about Yubico: just go right to the website. As for me, you can Google me. I've got a couple other things out there, a couple white papers I've helped write. And you can see actually your talk from the Mac admin conference and mine out there on YouTube. Otherwise, you can email me, joe.scalone@yubico.com.
Justin Esgar:
Awesome. We'll put that in the show notes. Joe, thank you for scaring the absolute bejesus out of me and everyone who's listening. For more about Yubico or hearing more about the podcast, check us out at facebook.com/group/all things MSP. Watch Eric crack up at youtube.com/@allthingsmsp. I'm Justin, that's Eric, that was Joe. I'm going to go take a nap now. Bye.
Eric Anthony:
From your host, Justin Esgar, and myself, thank you for listening to the All Things MSP podcast. Join the All Things MSP Facebook group or follow us on LinkedIn, Instagram, and YouTube. The All Things MSP podcast is a biz POW LLC production, and even though we drink a lot of it, this podcast is still not sponsored by Liquid Death.