Fannie Mae CISO: Passwords Should Be Dead

Anthony Johnson discuss how firms need to move towards two-factor authentication.

Security threats - password theft
Anthony Johnson, Fannie Mae's CISO, says passwords are no longer an efficient form of security.

But how long will that belief last?

Anthony Johnson, Fannie Mae chief information security officer (CISO), thinks passwords should be put to bed.

"I think passwords are largely dead," Johnson said bluntly, answering a question about the evolution of password security at the CyberRisk conference in Manhattan last week.

Johnson used online gamers as an example, comparing them to regular bankers. Since gamers have pushed for two-factor authentication, Johnson said that online gaming accounts are now more secure than online bank accounts.

"How many of us actually use two-factor authentication for our consumers to log in? There is only a handful. That is mindboggling," he said. "As an organization, we say, ‘Well, I don't want to take the risk that I might upset the consumers,' but at some point, I've got to give that line of thinking up."

Johnson said despite the fact they're outdated, passwords will probably stick around due to consumers' preference and habit. Uneducated users feel comfortable having a password because it makes them feel safe, even if it doesn't efficiently protect them.

Certificates Next?

A lot of it also comes down to users' misunderstanding of the security that a certificate — the primary alternative form of protection — provides. A certificate isn't a tangible form of security for the consumer. Because of this, it doesn't make them feel safe.

"It's transparent, but really great security should be transparent," said Johnson of certificates. "You should know that it's there, but it's not interrupting your life."

Further complicating the issue was the distribution of unauthorized digital certificates last week. According to Johnson, the certificates were, by default, accepted by everyone, causing major security concerns.

Johnson said he hopes the fake certificate episode doesn't detract more firms from adopting password-free security. 

"I think the password will eventually go away," he said. "I think, hopefully, we start to have strong integration from certificates."

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: http://subscriptions.waterstechnology.com/subscribe

You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.

A tech revolution in an old-school industry: FX

FX is in a state of transition, as asset managers and financial firms explore modernizing their operating processes. But manual processes persist. MillTechFX’s Eric Huttman makes the case for doubling down on new technology and embracing automation to increase operational efficiency in FX.

Most read articles loading...

You need to sign in to use this feature. If you don’t have a WatersTechnology account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here