
ECI Pulse
At ECI, it is our mission to be the most transformative business partner you will ever engage. We thrive in a state of constant progress and pushing the boundaries of what’s possible. Over the past two decades, ECI has emerged as the premier provider of managed services and technology solutions, across cloud, digital, and cybersecurity, to the investment management industry. To date, we have helped more than 1000 global clients, from financial hedge funds and private equity entities to asset management companies, to activate their full potential through technology, a consultative approach, and a relentlessly innovative spirit.
Join us as we explore the latest trends, innovations, and strategies that are shaping the industry. Each episode features insightful conversations with industry leaders and experts who share their experiences, challenges, and visions for the future. Tune in and stay ahead of the curve with ECI.
Cyber Frontlines: Securing the Future with ECI - Part 1
Part 1 – Beyond Passwords: MFA Mandates and the Rise of Passkeys
In this debut episode of Cyber Frontlines, Jeff Schmidt, CEO of ECI, and Jonathan Brucato, Director of Security Operations at ECI, dive into the shifting cybersecurity landscape, focusing on the move away from traditional passwords toward more secure, user-friendly authentication methods.
They explore:
- The growing mandate for multi-factor authentication (MFA) and its real-world limitations
- The rise of passkeys as a phishing-resistant, passwordless alternative
- The role of AI in modern cybersecurity strategies
- Real-world vulnerabilities like “Pass-the-Cookie” attacks that bypass MFA by hijacking session tokens
- The ongoing importance of cyber hygiene in a rapidly evolving threat environment
Whether you're a cybersecurity professional or simply looking to better understand the future of secure digital access, this episode offers practical insights and forward-looking perspectives.
Welcome to ECI Pulse. It's a podcast where we're going to break down the latest trends shaping the business world. I'm Jeff Schmidt, CEO of ECI. We are the leading provider of cloud services, cybersecurity, and digital transformation solutions for alternative investment firms worldwide. Alongside me today is my co-host, Jonathan Brucato, Director of Security Operations at ECI. Today, we're launching a new series, Cyber Frontlines: Securing the Future with ECI.
In this series, we'll explore the future of cybersecurity across three fronts: the shift beyond traditional MFA toward phishing-resistant passkeys; the dual role of AI as both a threat and a defense tool in modern cybersecurity attacks; and the importance of cyber hygiene, compliance, and the strategic advantage of unified MSP and MSSP services. From zero trust to AI-driven threat detection, we're going to unpack how ECI is helping clients stay secure and resilient in an increasingly complex digital world.
Whether you're a security leader, tech strategist, or just interested in learning about the future of digital defense, I'd invite you to join us as we explore the tools, tactics, and insights that matter most. So with that, let's jump right in.
So Jonathan, an exciting time to be in the world that we're in, right? We're on the fringe of AI. We have 5G entering in, which really rapidly moves things remote and objects moving all over the place. So business happens everywhere and anywhere. With that, the Beyond Passwords: MFA mandates, the rise of passkeys.
You're kind enough to allow me to start using passkeys inside the environment. So I have a history, as you know, in the password authentication marketplace, so I'm a firm believer that passwords suck. I don't have a better way of saying it. By turning that on, you've made my life easier, where I'm not truly passwordless, but the passkey is allowing me to have a passwordless experience. It works across all of my devices. So
We have a press right now, and we've seen it in too many cases where MFA is not implemented or exceptions are put in place where somebody is exposed because they're not utilizing MFA. So we know, while it has its potential issues or maybe ways around it, the component of this is actually valuable in environments. So from your perspective, when we talk about our cross-industry limitations, and in the face of evolving threats, why is MFA so important?
You know, the full-stop conclusion we land on is that passwords inherently are not secure. You know, passwords as a concept, or a secret that you retain, have been around for human centuries. In the digital age, they've evolved meaningfully, but I think that in general, you know, conventional wisdom tells us that they are not a secure method of authentication.
A combination of a username and password can be phished. It can be taken from a web browser in a cached credential. It can be stolen a hundred different ways. And over the last couple of decades, we've started to implement this multi-factor authentication concept, which is: we recognize that usernames and passwords are not secure, so let's add this second factor to add an additional dimension that's malleable, that's sort of just in time, that's going to give us that
authentication setting around, you know, just the username and password. I think what I've seen in our industry and what I've seen elsewhere, colleagues in the industry all complain about the same thing. We're all trying to figure out different ways to train the same information over and over again, and to our users, into our colleagues, you know, don't reuse passwords, try to use passphrases instead of complex passwords. We've seen the genesis of
you know, use really complex, really long strings that you might be able to memorize, to, you know, complexity doesn't necessarily matter. There's a whole debate, a whole debate about, you know, complexity and the relationship a human has to remembering that password. So ultimately where it lands us is, you know, we can keep needling at this idea that, you know, we can find the best or perfect way to do passwords plus MFA.
And while I completely agree that MFA is a must on top of the username and password experience, it's really nice to see that the industry is trending towards passwordless authentication, right, which is interpreted by vendors differently across the board. But I think everybody's starting to swim in the same direction, which is really great to see.
How does that, if you look at FIDO, especially FIDO 2.0, which is really embracing a passwordless environment, companies like Nok Nok Labs that were very related to the game, and you see financial institutions trying to figure this out as well, it's speed, ease of use, and simplicity. And then you have to take the variations, which is,
access to network on a plane where you're traversing and moving rapidly fast, where we know sometimes MFA doesn't work as well, at the mercy of the airplane's carrier and provider, whether they allow you to use the right types of tool sets. So we also have to take into account, I'm assuming we should be taking into account how the business works and operates alongside of the controls we're trying to put in.
So there's a delicate balance of workflow automation, ensuring that you're enabling the business versus just protecting the business.
You know, like the FIDO Alliance, I think, has done a great job at, you know, spreading the options out a little bit. You know, I think early on in this experience, we saw some folks try to use hardware tokens, which might have been solving for a little bit of the "I'm in a limited network connection space." I find that those can be a little bit tricky because you're going to end up having to buy, you know, pieces of technology for people in case they lose them.
I certainly think that they have a place, especially when you get to military or government organizations. But for the lay person, it's perfectly accessible to use something like a password manager with passkeys stored inside of it to be able to log into your many different cloud accounts, even when you're traveling. It's not that it's going to be a high-bandwidth or a highly available activity that requires difficulty with your technology.
You and I are using passkeys today in a way that allows us to authenticate to our accounts with some near-field Bluetooth compatibility between our mobile devices, for example, and our mobile laptops. I think the ease of use and accessibility translates well to that on-the-go experience. It's going to be something where you don't necessarily have to think, but it's
It's incredibly phishing resistant in that it's, you know, what we're doing is essentially using a key pair, right? It's still cryptography at the end of the day. That's going to be, you know, authenticating, you know, Jeff gets to go here and that key pair is very specifically used for that particular service. It's not something that's, you know, in the wild discovered to be exfiltrated out of that experience. So we find it to be really comfortable. You don't have to think about it.
It allows us to be a little less stringent on potentially even rotating passwords. I think the direction we're heading in is fewer password rotations is more good, right? If we don't have to rotate until there's an indication of a compromise or an exposure of those credentials, that means that you don't really have to have the strain of thinking about making a new complex password, making something that's going to comply nicely with our block list. It's overwhelmingly frictionless, if you will.
Interesting. So taking that a step further, right? And so when we talk about passkeys, and in my past life in the authentication arena, right? One of the things was how do you make it phishing-proof or maybe tamper-resistant? And so we found that the one thing most people wouldn't give away is a phone to somebody to go play with, right?
So how does a passkey then, in the world that we live in today, if you think about it, what's the resistance level? Why is it more resistant than just multi-factor authentication? I'll call it a relatively strong password, because every time you change your password, like, you have to go through memorizing what it is. It's amazing if you just go in and use a password strength tool
and looked at how good you think your passwords are. Typically it's one hour, two hours. Most people get up to maybe one day, right? But to your point is when you start adding and stacking things on, the way we used to explain it and even in layman's terms is this difference between a combination lock that has one rotating set of numbers to two, to three, to four. So layering your authentication mechanisms makes it harder.
not necessarily impossible. I think Bruce and I used to always say security is like a fire safe, right? It's fire ratings, right? It isn't that, and it's time into the vault itself. It isn't a matter that you can't break into it. It's relative to time, to a time period and exposure level, that you can reduce the amount of time that somebody's allowed to be inside without it becoming
really apparent that somebody's tried to take over an account, versus minutes to hours. Like, how does this, why does it gain traction? Where's the significance in this from a standpoint of becoming more tamper-proof and knowing who's on the other side, that you are you, in the situation we're talking about?
Yes.
Yeah, you know, like, to go to where we were a couple of years ago, username, password plus MFA is sort of that concept of like something you know, plus something you have. So like an MFA token, a one-time, an OTP token, you know, whatever particular software you're using to run that Microsoft Authenticator, for example.
You know, it's going to be that something you have, and something you know is going to be your credentials, right? When you start talking about passwordless, and specifically, this doesn't limit to passkeys, but for the sake of conversation we'll riff on that, the passkey is a concept of building a key pair relationship with a service from that particular asset where you're storing the passkey, right? So, you know, that passkey I might make with Microsoft Cloud or Google
is really a unique relationship where I have the passkey, you know, I'll use a password keeper, a password manager, to store passkeys. Microsoft recently started making passkey support available in Microsoft Authenticator, you know, so you can use Microsoft products to do this experience. But generally speaking, you know, storing a passkey in a location is like, this is the location, this is where it lives, this is where it dies.
I'm not picking it up and putting it down somewhere else. I'm not capturing it across the network and then able to activate it elsewhere. It lives and dies with the location that it's created, and with the nature of the asymmetric key pair, and then the relationship with the service. The service is storing an element of "this passkey is valid for this particular service" on that side. So it's really two.
Two sides need to have a unique set of information to be able to authenticate, which is actually technically both factors, right? It's something you have and something you know. So it's able to satiate a multi-factor experience.
It actually throws in, I think, the third factor too, which is something you are, which is connected to the mobile device, right? So you get three and you're also getting location off of the mobile device, hopefully in proximity to whatever you're trying to log into. So like your vectors start to expand, the better that you can put the modeling into your threat management tools, similar to the product sets that you support at ECI.
Can you explain asymmetrical, just in layman's terms, what you mean by that? Two, just one other piece on that, which was:
Can I use, if I use a Microsoft passkey, can I use it in Google and other places or do I have passkeys all over the place? Or is it a one to many inside that scenario?
Sure. In layman's terms, asymmetry is just going to be a piece of private information and a piece of public information that are used in conjunction with one another to make an exchange. If you and I are exchanging information, we're doing so through an agreed set of parameters in the realm of cryptography to say, I'm going to present to you as myself,
using a unique private identity that only I know about. Obviously cryptography can be really, really tricky for the lay person, even the technologist; I find that it's a class all on its own. But on the notion of passkeys, passkeys are really gonna be a one-to-one relationship. It's not a skeleton key to the city, right? So.
The FIDO Alliance, again, we've talked about this a couple of times. You know, there's a litany of different vendors out there that are starting to contribute to this idea of let's move towards passwordless. Something that is actually producing some turbulence, in my opinion, is the nature in which different vendors are deciding to enter the passwordless journey, or the passkey journey specifically. Some vendors might use a passkey as a second factor,
saying you're gonna still enter credentials, but you can use a passkey instead of MFA. Some folks, the bigger vendors like Google, Microsoft are gonna allow your passkey to be your first and second factor. You can make your way right in, but each of those passkeys is going to be a unique cryptographic pair for that service. So the key lives and dies with the service. I assume I have dozens at this point in my password manager personally.
for personal use across the internet. But as it pertains to Microsoft, like I said, they've just started to release into GA and kind of announced, like, a full-throttle assault on use of passwords in general. You know, come the fall, new Microsoft tenants are going to be default-enabled with a passwordless solution. So we're heading in that direction. Existing customers can start making the shift.
Right.
Our customers can start talking to our account teams on how to make that shift.
Yeah, I think that's really important. In the general availability components of this, right? So it's ready for prime time. And so what about recovery? So a lot of people might say, well, what happens if I lose my mobile device? Because that's where the authenticator or something within that is going to be my secondary use. How do I recover that?
I have to go get another phone. Like how do I get to a point where I can start operating again? Or if I have my computer, can I revert back to old standards and still get into my systems and operate temporarily until I get a replacement device? Or if somebody's nice enough to return it. It happens more now today than I think it did in the past. Before, people would take your phone and never give it back. Now they're looking for peripherals. They want your headphones and your really cool mouse, but not necessarily your laptop or your phone.
Right. Right. Yeah, it's a great question. In terms of, in the realm of, you know, specifically passkeys, I think it's about doing a bit of a rebuild, right? Regenerating a passkey, you know, killing the old passkey that might've been lost with that particular asset. I think traditionally we see administrators, you know, following the practice of, you know, if you lose your phone, out of an abundance of caution, let's rotate your password anyway.
Let's assume that, you know, that device has, you know, meaningful information on it, and should it be cracked, then we want to make sure that, you know, it's not overly permitted, or that there's not something that might have been saved inadvertently on that particular system. Similarly, if you have to sign into an account again for the first time, where you're getting into enrolling in, you know, your MDM again and things like that, there's going to be some motions that are going to feel similar to
regenerating a passkey. Some types of passkey management might include recovery. Theoretically, a password manager or something of that kind might be able to account for "I've lost this device, but I'm signing back into this password manager." I think, from memory, even Microsoft Authenticator has some backup elements to it as well, where that can be recovered with additional factors.
It really depends on the experience. Like I mentioned, it's at the discretion of the third party that's supporting passwordless and passkeys to decide sort of what that experience becomes.
Got it. That's helpful. And I think it helps people to understand what they're going into, the complexity, right? And again, early to the game, I remember people just always asked me, like, what happens if I lose my phone? Recovery, the simplicity of recovery, makes it way easier. There was always the, you can always go back and type your password in where you were, because we weren't entering into the framework of passkeys. I think we'll continue to see that evolve as we're going forward. So that's helpful, I think. All right, so.
Real-world vulnerabilities, right? There's one that I had noted down, Pass-the-Cookie, right? Sounds like maybe something on Sesame Street. Attacks that bypass MFA, right? And we do hear about those, right? We hear about man-in-the-middle attacks, the simplicity of somebody getting a phone call and asking somebody, hey, I'm from such and such, and I just asked for your PIN code. And a lot of times people ask us, well, how do they know to ask for the PIN code? Well, they know your email.
And maybe they know your password because it's on the dark web. Now the only thing they need to do, and they have your phone number, so they're going to enter it in and they're going to ask for the MFA to go out. And then they'll just call you on the phone and be like, I'm from Charles Schwab and we just sent you a passcode. We're working on your account. Can you please give that to me? And people can be fooled by that pretty easily inside those scenarios. It's not the fault of the primary care.
provider in this case, it's somebody circumventing from something that exists in the dark web. And a lot of times people are shooting from the hip trying to figure out usernames, passwords and getting there. But it doesn't take long, especially with AI tools, the good and bad. And I think we'll talk about that in our next one, which is how AI actually enables rapid and rapid fire at things without having to have humans typing on a keyboard. But maybe get a little more about that.
There was another one that I think popped up as well, which was Microsoft 365 and YouTube as well. So if you have any insight into that, that'd be great to hear.
Yeah, I mean, in terms of, you know, let's go back to the prompt: passwords aren't secure, right? So we wrap MFA around it, and sure as day, like, the threat landscape tends to move, and okay, well, how can we attack MFA? You know, in some extreme examples, you know, we've seen cases where, you know, SIM swapping attacks can happen, where, you know, you might use a text message or a phone call as your second factor, which
I would recommend avoiding. Microsoft talks about this realm of phishing-resistant MFA, which is going to be a combination of having an asset that you can enter a code into or a couple of other variables. But SMS MFA is extremely beatable, in that a threat actor can contact your mobile provider and impersonate you with some information that's readily available on the dark web.
You know, get through all of your security questions, read back your social security number, and essentially grab your phone number on a different mobile device, lock you out of your mobile number, and get in with that second factor. I would say, like, that's probably going to be an extreme method. That would be sort of like a wholesale takeover, where the threat actor is clearly known because something is very amiss once that,
once that phone number has changed hands. Other things like, you know, cookie hijacking or, you know, session token hijacking where the second factor has already been approved and that session's been, you know, allowed for a period of time. It can be extracted to be, you know, moved into a different asset. You know, those things are certainly more prevalent. There's also,
Can you explain that
just a little bit more on that session hijacking, and just a simple kind of one-two-three version of it? Sounds like I enter my username, I enter my password, and I get my token, and there's, for lack of better terms, a man in the middle who then takes over the session that I'm in and is able now to imitate me online, or into whatever I'm trying to get into at that point.
Yeah, depending on the approach or the attack, the kill chain is effectively the same, right? I am sitting and waiting for a successful session to be established with this particular service. And I'm going to take that session data that's been established for a period of time and move it somewhere else to be able to continue working as if I've already authenticated into that system, right? It could be Microsoft Cloud, it could be Google, what have you.
Whether that's somebody in real time grabbing that data, or grabbing that data through an additional style of malware transfer, ultimately, like, the key outcomes are the same: grabbing an authenticated session, moving it somewhere else.
I leave, don't.
Or I don't log out of my session, I leave the session active and somebody is able to come in and take over the session. Is that a possibility as well?
Absolutely, I mean, this is where we get into things like compensating controls. So as administrators, we have to be mindful of nullifying those sessions after a period of time, right? It's always best to, if it can be done so without friction, authenticate more frequently, right? So another form of passwordless for the Microsoft shops is Windows Hello. So Windows Hello is
Again, doing a relationship like a key pair relationship with your Microsoft Cloud where that device has authenticity to it, we can frequently re-authenticate against that. We can trust the device itself, which is an authentication form that doesn't get to be picked up and put down somewhere else. It's a form of key pair relationship that lives and dies with that hardware.
Does this solve, does this also solve, so I have multiple computers, does this help solve the problem of I have a computer locked up, and as I said, locked up at another place, like maybe my office in San Francisco, that sits there and it's locked up. But when I go there, 30 days ago I changed my password in New York.
Does this help solve the problem the next time I go into that computer that I'm not having to worry about my old password, my new password, and if the domain's been updated, et cetera? Does that help solve the problem as well?
I would say it's opening the front door which we need to walk through. So what I mean by that is now we have this easier solution that makes us more likely to rotate passwords less frequently. So in the example of, I haven't been to this place for a while, why did we have to rotate that password in the first place? It's probably because, you know, a regulator or an auditor said, hey, you need to rotate passwords at X frequency. One of the provocative things is the technology is always going to move faster than the regulations. And even, you know, within our federal government, there are disparate opinions on, you know, rotate this, complexity that. But I think with passwordless authentication, we have the luxury of starting to decide, like, okay, do we need to be rotating these passwords so frequently if we're not using them at all? They're sort of a means to an end, yes, but I think that as we continue down this road, the frequency of rotation is going to essentially disappear altogether. I think we're on the precipice of that change. But yeah, I completely agree that this change is sort of like the start of the catalyst to eliminating some of those friction situations.
There's a lot of security icons in the industry that are anti-changing passwords if you have the right credentials, unless your account has been compromised for any specific reason. So it's an interesting standpoint. Ending this session, a lot of good data points, Jonathan, and very helpful. From an ECI perspective, and what I would invite our listeners to look at if they want to know more, at eci.com, you can look at the insights from cyber. There's a white paper, which is the values of passkeys, embracing passwords and protect, sorry, embracing passwordless protection. We also have more data and information about how we're helping clients implement the pass base, the passkey-based authentication, reduce the reliance on vulnerability that exists today. These are conversations in a lot of cases, and really sitting down and walking through the use cases,
how people work, and in a lot of cases, just putting it in place like you did for me, starting to work it into the organization slowly and seeing where potential hangups are, roadblocks are, with the use cases that come forward. And over a period of time, the industry tends to adopt, because I do know when I'm using it, the first question I ask is, how did you just log in? Right? How do I get that? That seems really easy. And I would assume I'm probably one of the more difficult clients within the ECI structure because of the movement, where I'm at, the duplicity of things that I have within the environment. And I actually enjoy being, maybe it's not probably a good thing to say, but being the problem child, because if I'm experiencing it, then there's a good chance our clients are going to experience it as well. And I do mine cross-platform as well. So it could be Apple, it can be Microsoft, it can be Unix-based. I mean, it can be anything that I happen to be on at that point in time. So I do try and push the boundaries as we're going forward. Anything in closing, Jonathan, that are good points just for our listeners to remember?
Thanks. Yeah, I think for sure, you know, we can be, you know, strongly encouraging about, you know, moving towards a passwordless direction, embracing things like passkeys. Of course, these are incredibly personalized situations. You know, not every client runs the same tech stack, not every, you know, family member is going to be willing to, you know, install a password manager and do this, that, and the other thing. It is a journey. It's not a toggle switch, right? We have to be mindful and give ourselves some grace on, you know, change is still change, right? But the entire idea here is that, you know, it's about reducing friction while increasing security, and very rarely in security, from my lens, do you get more secure with reducing functionality, or without creating some rub, right? Like, this is less rub, more secure. And that's incredibly powerful.
It's awesome. Thank you for wrapping that up. So I'd like to thank our audience for joining us today. Jonathan, thank you for being here to spearhead the conversation and getting us thinking a little bit differently about how we interact and work on a daily basis. And what I believe is not only cool technology, but it's usually enabling for us as an industry and as individuals and how we work. So thank you. See you next time.
Thanks.
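The passkey properties discussed in this episode (a per-service asymmetric key pair that "lives and dies" with the device, the one-to-one relationship with each relying party, and phishing resistance) can be made concrete with a small model of a WebAuthn-style challenge/response ceremony. The following is an added example written for this page; it is not ECI's tooling or code from the episode. It uses a toy RSA construction with publicly known Mersenne primes purely so the key-pair mechanics are visible in stdlib Python (real passkeys use EC keys generated inside a platform authenticator), and the relying party IDs `login.example`, `mail.example` and the lookalike origin `login-example.test` are constructed placeholders.

```python
import hashlib
import json
import math
import secrets

# Toy RSA modulus from two publicly known Mersenne primes. CONSTRUCTED for
# illustration only: the factors are public, so this offers no real security.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
_PHI = (_P - 1) * (_Q - 1)


def _new_keypair():
    """Return (public_exponent, private_exponent); each call yields a distinct pair."""
    while True:
        e = secrets.randbits(64) | 1
        if e > 1 and math.gcd(e, _PHI) == 1:
            return e, pow(e, -1, _PHI)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # always < _N


class Authenticator:
    """Device-side store: one private key per relying party ID (rp_id)."""

    def __init__(self):
        self._private = {}

    def register(self, rp_id: str) -> int:
        e, d = _new_keypair()
        self._private[rp_id] = d   # private part never leaves the device
        return e                   # public part is handed to the relying party

    def get_assertion(self, rp_id: str, origin: str, challenge: bytes):
        """Sign the RP's challenge together with the origin the browser reports."""
        d = self._private.get(rp_id)
        if d is None:
            return None            # no credential scoped to this rp_id
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
        ).encode()
        sig = pow(_digest(rp_id.encode() + client_data), d, _N)
        return {"rp_id": rp_id, "client_data": client_data, "sig": sig}


class RelyingParty:
    """Server side: holds public keys, verifies origin-bound, single-use assertions."""

    def __init__(self, rp_id: str, allowed_origins):
        self.rp_id = rp_id
        self.allowed_origins = set(allowed_origins)
        self._public = {}          # user -> public exponent
        self._pending = set()      # outstanding challenges (hex)

    def register(self, user: str, public_exponent: int) -> None:
        self._public[user] = public_exponent

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge.hex())
        return challenge

    def verify(self, user: str, assertion) -> bool:
        if assertion is None or assertion["rp_id"] != self.rp_id:
            return False
        client = json.loads(assertion["client_data"])
        if client["origin"] not in self.allowed_origins:
            return False           # signed on a lookalike site: reject
        if client["challenge"] not in self._pending:
            return False           # unknown or already-used challenge: replay
        self._pending.discard(client["challenge"])
        expected = _digest(self.rp_id.encode() + assertion["client_data"])
        return pow(assertion["sig"], self._public[user], _N) == expected


RP_ID = "login.example"                        # constructed relying party
GOOD_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login-example.test"    # constructed lookalike site


def _enrolled():
    auth, rp = Authenticator(), RelyingParty(RP_ID, {GOOD_ORIGIN})
    rp.register("jeff", auth.register(RP_ID))
    return auth, rp


def legitimate_login() -> bool:
    auth, rp = _enrolled()
    return rp.verify("jeff", auth.get_assertion(RP_ID, GOOD_ORIGIN, rp.new_challenge()))


def phished_login():
    """A lookalike page relays the real challenge to the user."""
    auth, rp = _enrolled()
    challenge = rp.new_challenge()
    # The browser scopes credential lookup to the site the user is actually on,
    # so the lookalike's rp_id finds nothing to sign with.
    scoped = auth.get_assertion("login-example.test", PHISH_ORIGIN, challenge)
    # Even if that scoping were skipped, the origin inside the signed client
    # data still names the lookalike, and the real RP rejects it.
    relayed = auth.get_assertion(RP_ID, PHISH_ORIGIN, challenge)
    return scoped is None, rp.verify("jeff", relayed)


def replayed_assertion():
    """A captured assertion cannot be presented twice: the challenge is single-use."""
    auth, rp = _enrolled()
    assertion = auth.get_assertion(RP_ID, GOOD_ORIGIN, rp.new_challenge())
    return rp.verify("jeff", assertion), rp.verify("jeff", assertion)


def key_isolation() -> bool:
    """An assertion produced for one service is rejected by another."""
    auth, rp = _enrolled()
    other = RelyingParty("mail.example", {"https://mail.example"})
    other.register("jeff", auth.register("mail.example"))
    assertion = auth.get_assertion("mail.example", "https://mail.example", rp.new_challenge())
    return rp.verify("jeff", assertion)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished (no credential, relayed rejected):", phished_login())
    print("replay (first, second):", replayed_assertion())
    print("cross-service:", key_isolation())
```

The two checks that carry the phishing resistance are the `rp_id` scoping in `Authenticator.get_assertion` and the `origin` check in `RelyingParty.verify`: a credential captured "across the network" is never exposed, because only a signature over a fresh, single-use challenge plus the reporting origin ever leaves the device. The single-use challenge set is also what separates this flow from the session-cookie theft discussed later in the episode; once a session is issued, that session token still needs its own lifetime and re-authentication controls.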