Practical Cybersecurity with Jen Stone
Practical Cybersecurity, hosted by Jen Stone (MCIS, CISSP, CISA, QSA), is the bridge between complex security frameworks and real-world business implementation. Whether you are a "Jack of all trades" IT manager or a business leader with limited resources, this show provides the roadmap to a defensible security posture.
Passkeys: An Upgrade You Didn't Know You Needed (ep. 9)
Passwords were built for a different era of the internet. It’s time to move past shared secrets to close your organization's largest threat vector for good.
Traditional passwords and legacy Multi-Factor Authentication (MFA) are no longer enough to protect your business. Automated, scaling phishing toolkits easily intercept shared secrets, leaving small and medium businesses highly vulnerable to credential breaches.
In this episode, Jen sits down with Nishant Kaushik, Chief Technology Officer at the FIDO Alliance, to translate complex cryptographic standards into an actionable, resource-light deployment plan. Learn how to transition away from legacy authentication and close the hidden operational loopholes that hackers actively exploit.
What You Will Learn:
- The Flaw in Basic MFA: Why SMS codes and standard one-time passwords (OTPs) are failing, and what true "phishing-resistant" security means.
- The Account Recovery Trap: Why a weak "Forgot Password" workflow accidentally gives hackers their primary attack vector back—and how to fix it.
- The Bottom-Line Benefit: How moving to passkeys drastically reduces internal IT helpdesk tickets, manual password resets, and overhead costs.
- Right-Sizing Your Passkey Deployment: How to easily segment your workforce strategy:
  - Standard Users: Synced passkeys via platform credential managers (Apple, Google, 1Password, Bitwarden).
  - Privileged Users: Dedicated hardware keys (YubiKeys) for root admins and high-sensitivity infrastructure.
- The 1-Week Action Plan: How to leverage the identity infrastructure you already own (like Google Workspace or Microsoft Entra ID) to deploy passkeys today.
Resources Mentioned:
- Learn more about modern identity standards: FIDO Alliance Website
- Review baseline federal security recommendations: CISA Guidance on Phishing-Resistant MFA
- Discover SecurityMetrics compliance resources: SecurityMetrics Official Site
- Threat Intelligence Data: Read the data behind credential exploitation in the latest Verizon Data Breach Investigations Report (DBIR).
- Federal Passkey Standards: Review the updated identity and passkey frameworks via the NIST SP 800-63 Digital Identity Guidelines.
- Enterprise Identity Platforms: Learn how modern stacks integrate passwordless via Okta Verify and Microsoft Entra ID.
About the Guest: Nishant Kaushik is the Chief Technology Officer at the FIDO Alliance, bringing over 25 years of leadership in digital identity and access management (IAM). He holds nine patents, frequently serves on the advisory committees for the RSA Conference and Identiverse, and is a founding member of IDPro.
A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.
If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place
But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/