57. The Password Trap: What It’s Costing Your Business (And How to Escape) with Raul Cepeda

Justin Shelley (00:01)
Welcome everybody to episode 57 of Unhacked. We are cybersecurity made simple for small business owners. I'm Justin Shelley, joined as always by my good friend, Bryan Lachapelle. Bryan, you're supposed to say hi. And Mario Zaki. God, we've got some Bueller moments going on here. Bueller. We're here to help small business owners navigate the chaos of cyber threats. And guys, correct me if I'm wrong.

Bryan Lachapelle (00:12)
Hey, I just, yeah.

Mario Zaki (00:17)
How are you?

Raul Cepeda Jr. (00:22)
you

Bryan Lachapelle (00:23)
You

Justin Shelley (00:29)
Is cybersecurity chaos? Would you classify it that way?

Bryan Lachapelle (00:32)
No, it's just pure,

simple, linear, everything's fine.

Justin Shelley (00:36)
Everything's fine. Everything's fine. And it never changes. That's the good news. Never changes. Didn't catch. Anyways, do you guys remember? Man, last year at least, maybe longer ago, we had an episode on passwords.

Mario Zaki (00:38)
Easy peasy.

Bryan Lachapelle (00:40)
Yeah, set it and forget it. That's sarcasm, by the way.

Yes, it was our worst-viewed episode ever.

Mario Zaki (00:53)
Our,

Justin Shelley (00:57)
I haven't gone, I don't, haven't gone back and looked at the stats to see if it ever picked up. We've talked about it so much at this point. Maybe it has. Um, but we are going to dig in today. Uh, we're going to talk about passwords again, but we're going to add a little bit of a little spice to it. We're joined today by Raul Cepeda Jr., vice president of product and marketing at rf IDEAS. Raul, thank you for being here.

Mario Zaki (00:57)
I don't even think we watched it.

Raul Cepeda Jr. (01:23)
Yeah, thanks for having me, gentlemen. Appreciate it.

Justin Shelley (01:26)
Tell me just a tiny bit about what you do in this rf IDEAS company.

Raul Cepeda Jr. (01:33)
Yeah. I mean, simply put, rf IDEAS is a manufacturer of credential readers. And what we do is we enable enterprise organizations to authenticate their frontline workforce, but in a passwordless way. So that's basically helping them authenticate into different critical endpoints or business applications.

Justin Shelley (01:52)
I love that.

Raul Cepeda Jr. (01:59)
And there's three main levers we're trying to help them do, right? It's increasing their security, it's enhancing their efficiency, and then helping them maintain compliance.

Justin Shelley (02:09)
Beautiful. And we're going to get into all those. I usually do introductions a little bit different normally, but today I wanted you to go first because, guys, where we had a total flop on the subject of passwords, this episode is designed to take away passwords altogether, because if I had to summarize passwords, it would be: A, passwords suck, and B, password managers suck slightly less. Correct? Fair enough. Okay. So,

Bryan Lachapelle (02:09)
Excellent.

Mario Zaki (02:31)
Yes.

Bryan Lachapelle (02:32)
Correct.

Justin Shelley (02:36)
With that, guys, let's go ahead and run around the room and do some brief introductions. Bryan, we'll start with you. Tell everybody who you are, what you do, and who you do it for.

Bryan Lachapelle (02:43)
Yeah, thanks, Justin. My name is Bryan Lachapelle. I'm with B4 Networks and we are based out of beautiful Niagara, Ontario, Canada. And we're also supplying services to Simcoe County and we help business owners remove the headaches and problems and frustrations that come with dealing with technology, be it cybersecurity, applying AI in your business or improving operations using technology.

Justin Shelley (03:03)
Hell of an elevator pitch right there. Mario, can you beat that?

Mario Zaki (03:05)
Yeah,

I'll try. Mario Zaki, CEO of Mastek IT, located in beautiful New Jersey, right outside of Manhattan. I've been in business for 21 years, so work with small to medium sized businesses, keeping them secure and helping business owners sleep better at night.

Bryan Lachapelle (03:13)
you

Raul Cepeda Jr. (03:15)
I'm

Bryan Lachapelle (03:16)
You

Justin Shelley (03:28)
Beautiful. And I am Justin Shelley, CEO of Phoenix IT Advisors. And I help businesses build wealth and then protect that wealth from the Russian hackers. I hate them. The government fines and penalties. Don't love them either. And guys, the class action lawsuits are coming for us. It's crazy. That's like the, the, the biggest rising threat I believe is not only do you get, if you get breached, do the bad guys get your money, but then the government comes for whatever's left. So the attorneys, both of them, all three.

All right, guys, let's go ahead and jump in here. Yeah. It's a fun world we live in. And by the way, I don't know about you guys, but I got into technology because I was a criminal justice major. You guys.

Mario Zaki (04:00)
Trifecta.

Bryan Lachapelle (04:10)
Same, I became like one of the highest rated, no, I'm kidding.

Justin Shelley (04:13)
Yeah, no,

Raul Cepeda Jr. (04:14)
Hahaha

Justin Shelley (04:15)
no, didn't, didn't think I'd be fighting crime. Here we are. All right. So Raul, you, you came at me with this really cool idea. As we mentioned, our, our password episode flopped and you are here to take away passwords. But like not just to make things a little bit easier, but you've got a story that really caught my attention that made a huge difference. Can you, know what I'm talking about and can you give us the details?

Bryan Lachapelle (04:19)
Right.

Raul Cepeda Jr. (04:41)
Absolutely.

Justin Shelley (04:43)
Okay.

Raul Cepeda Jr. (04:43)
Yeah, so it's a it's a healthcare application, right? It's we pair our readers with single sign on software. So think of the healthcare clinician experience, right? On a day to day basis, a nurse is walking from one patient room to another patient room throughout the day. Each time they walk into a room, they have to enter their username and password to access.

not only in a specific endpoint, right? Their workstation, their PC, but they also have to then log into every instance of their different healthcare systems, right? If it's Epic, if it's Workday, whatever it is. All right, all right.

Justin Shelley (05:21)
Well, Raul, stop right there. want to,

I'm calling bullshit because I've seen plenty of clinics where they don't use passwords or everything stays logged in.

Bryan Lachapelle (05:30)
Yeah.

Raul Cepeda Jr. (05:33)
Yeah, everyone stays logged in, right? We'll talk about that one as well. But but let's but but you think about that process, right? Where they're having a login to every instance, right? It can be pretty time consuming, right? So they have multiple passwords that they have to remember. And so we actually did a clinic where a study where they basically came back and said that they're having to log in on an on a daily basis, 70 to 100 times a day, right?

Justin Shelley (05:34)
Okay, okay.

Raul Cepeda Jr. (05:58)
and that it actually equated to about 40 minutes of lost time per clinician per shift. Right? So when you think about that time, you know, rather than spending it on logging in or resetting your passwords, because you forget your passwords all the time for all these different systems, what have they spent that time on patients instead? Right? So we came up with the solution where rather than having to type in a password, you take your badge, you tap it on one of our readers.

and it authenticates them and it gives them a whole single sign-on experience, not just for the endpoint, but for every business application that they have as well. So it's seconds, right? We're not talking about minutes, we're talking about seconds, and that's what's called single sign-on.

Mario Zaki (06:42)
I like it.

Bryan Lachapelle (06:42)
So

out of curiosity, how to, when one of the nurses comes to the station, a card, they scan it on, is there any second authentication that goes through like some sort of biometric or anything like that?

Raul Cepeda Jr. (06:58)
Yeah, great, great question. Right. And so we have the ability to do because we obviously, you know, really promote having multifactor authentication out there. Right. So there's different methods that they can use as that other factor. The first actually factor can be a password. Right. But that's not we know that's not productive. Right. So rather than you tap your badge, a lot of times there's a four digit pin that is assigned to each individual. Right. Or four or six can make it however long you want. That can be a second factor or

Bryan Lachapelle (07:16)
Right.

Raul Cepeda Jr. (07:27)
What we are starting to see a lot of an uplift is biometrics, right? So they'll use their fingerprint and that's another method to authenticate. And we actually have a reader in our portfolio today that can read cards. It can read their fingerprints. It could even read their smartphone if they wanted to leverage their smartphone as a credential as well.

Justin Shelley (07:45)
Thanks.

Mario Zaki (07:46)
Watch.

Raul Cepeda Jr. (07:48)
The watch as well. Yeah. So it's funny you say that while, while healthcare hasn't been as quick to adopt the mobile credentials, we have seen other industries like banking or retail or others where they're starting to leverage what we see as mobile credentials. Right. And what do you say? Well, what's a mobile credential? Right. We actually use it every day. You think about the Google wallet or the Apple wallet. You go to your grocery store.

Justin Shelley (07:50)
You

Raul Cepeda Jr. (08:14)
And rather than pulling out your credit card, you take your smartphone, you tap it on the payment terminal, right? That's actually leveraging the wallet, right? For payment. In this case, the scenario now is leveraging your ID card that is actually stored on your Apple or Google Wallet. And the same it's the exact same process. You tap your smartphone on one of our readers and that wallet credential is stored in your Google or Apple Wallet. And now you're authenticating into a device.

Bryan Lachapelle (08:42)
Right, and since you have to, go ahead. I was gonna say, since you have to log into your phone to begin with using some sort of biometric or password, once you have done that, now you can use the phone to authenticate to whatever application you're authenticating to. So it has the dual authentication right there, yeah.

Mario Zaki (08:42)
Yeah, love, sorry, sorry, go ahead, Bryan.

Raul Cepeda Jr. (08:57)
Yeah, Bryan, that's that's the beauty of it, right? Is there's

Mario Zaki (08:57)
Yeah.

Raul Cepeda Jr. (09:00)
now an extra layer of security because you could steal somebody's ID card, right? Like somebody can grab a badge off of a nurse or clinician. And yeah, there's there's a vulnerability there where I can take that and I have that person's credentials. But with the phone, because a lot of times we lock our phones right now, there's that extra layer of security because not only do you need to have the password to get into their phone, but then you need to have the password to get into the wallet. Right. So so there's an extra layer of security.

Bryan Lachapelle (09:04)
Great.

Justin Shelley (09:27)
Mario, did you have a question?

Mario Zaki (09:28)
Well,

yeah, what I was saying is my wife actually works in a hospital in the emergency room. And I remember one time I was on the phone with her and somebody, like, came up to her and like, Hey, you know, they're using like a tablet for something. And they're like, what is, what's the password into the tablet? And she's like, it's one, two, three, four. And I'm like cringing on the phone. I'm like, what's on this tablet? She's like, it's, you know, they're doing something where we can just.

Justin Shelley (09:49)
Yikes.

Mario Zaki (09:57)
go in with a chart and stuff like that. I'm like, why is it so, like, why is it one, two, three, four? And she's like, oh, because typing on that thing is so annoying. And we were all getting annoyed when IT told us you have to use something secure. And we all hated it. So we changed it to one, two, three, four. I'm like, oh my.

Bryan Lachapelle (10:16)
All right, so now list out

the hospital and what department so that criminals can go and use that tablet.

Justin Shelley (10:19)
Yeah, right.

Raul Cepeda Jr. (10:19)
haha

Mario Zaki (10:21)
Okay.

Justin Shelley (10:22)
I mean, but.

Raul Cepeda Jr. (10:22)
So Mario Mario, it's funny

to say that. Do you know what the most common password that's used in the world right now? 123456 is the most common password that is still used.

Mario Zaki (10:28)
What?

Justin Shelley (10:34)
Followed by password, followed by QWERTY, Q-W-E-R-T-Y, password one, two, three. I mean, guys, if you're using any of these and you heard me just say them, change it right now. Although I'm still going to hold that it's better than what I see a lot of times in the healthcare world of no password at all. Yeah. No logout, no, no timeout on the screen. You know, they walk away from their computer. It's wide open.

Raul Cepeda Jr. (10:37)
Exactly.

Bryan Lachapelle (10:39)
Yeah. Welcome one.

Raul Cepeda Jr. (10:44)
Page it.

Bryan Lachapelle (10:45)
Summer,

spring, autumn.

No passwords, right.

Raul Cepeda Jr. (10:54)
No

passwords.

Mario Zaki (11:01)
Actually, Raul, that actually brings up a good point. Can your reader detect when they walk away? Does it automatically lock? Yeah?

Raul Cepeda Jr. (11:08)
Absolutely.

Justin Shelley (11:09)
Really?

Raul Cepeda Jr. (11:10)
Yeah, so we actually have a reader that has BLE capability into it, right? And so you can set a range on the device where as you're approaching it, you don't actually even need to pull out your badge or your smartphone. It'll actually recognize the individual as they're walking up to their workstation. And then it'll prompt up the screen to say, okay, first factor is that BLE, you're close to the workstation.

Bryan Lachapelle (11:11)
Love, nice.

Raul Cepeda Jr. (11:36)
Now we're gonna prompt whatever that second factor authentication, right? A pin or a biometric, whatever it is. But then as you start to step away from that workstation, once you get, let's just call it three feet away from your workstation, it automatically locks you out, right? So we call it with one of our partners, again, joint collaboration, we call it the walk up walk away solution. So it starts to recognize you as you're walking up as well as you walk away.

That's a great point, Mario. Like you look at the vulnerabilities or people that forget to log out. And then all of a sudden a patient comes into that room and I see Mario's stuff on the screen. I'm like, there's their social. There's their medical history, everything. And guess what that violates? HIPAA violation. There you go.

Bryan Lachapelle (12:13)
Right.

Justin Shelley (12:14)
HIPAA violation, HIPAA violation.

Mario Zaki (12:18)
No, I've seen I've seen I've been there I've been in a room where the person walks away and they're like, all right, we'll we'll be back when you know, we hear back about your results or whatever. And I'm sitting there in a room, the computer is logged in, you know, and I'm just looking at it. I'm looking at like what RMM tool they're using. I'm looking at this or whatever. I could switch charts if I really wanted to. I exactly.

Bryan Lachapelle (12:36)
you

run a file.

Justin Shelley (12:42)
That's what I'm saying. Yeah.

Raul Cepeda Jr. (12:43)
Hahaha

Justin Shelley (12:44)
Yeah. There's a, there's a bigger problem than people using one, two, three, four, five, six, or whatever. She said is the biggest, you know, the most common password. It's just like not doing it at all, which, I mean, it's, it's security fatigue. There's a lot of words for it. I like to say that if security isn't a giant pain in your ass, you're doing it wrong, but you're here to prove that wrong as well. So I absolutely love this.

Raul Cepeda Jr. (12:53)
Yeah.

Yeah. And, Mario, like, I think the example you gave is great, right? There was a major health care system here in the Chicagoland area that was breached because somebody left their, their device unlocked and a bad actor came in, who had been kind of monitoring the hospital for a while. They went into the act that as a patient, they went in and saw that one of the screens was left open, and they plugged in their little USB connector and left some malware into the device. Right. And.

shut down the whole hospital.

Justin Shelley (13:39)
It's crazy stuff.

Bryan Lachapelle (13:39)
That's ballsy.

Mario Zaki (13:40)
Do they find

Raul Cepeda Jr. (13:40)
Yeah.

Mario Zaki (13:41)
them?

Raul Cepeda Jr. (13:42)
Did they find that? I don't know if they ever found the actual individual. I know they were shut down for quite a while.

Justin Shelley (13:48)
Probably enough.

Mario Zaki (13:49)
Like

I wonder if he uses his real name and his real chart.

Raul Cepeda Jr. (13:51)
no, I'm sure. Yeah.

Justin Shelley (13:52)
Well, there's gotta be cameras,

I would hope. I would hope, but then I also hope that people use passwords. Okay, so let's talk about limitations because what I'm trying to figure out is can I throw away my password manager?

Raul Cepeda Jr. (14:07)
You can throw away your password manager, right? I mean, password managers, you know, they're a great tool out there, right? They help kind of manage. So there, there's some efficiencies with them, but you think about your password manager today. What, what do you need to get into your password manager today? Password. So guess what happens when somebody cracks into your password manager, they now have every password to everything. Right. And so.

Justin Shelley (14:23)
A giant password.

Mario Zaki (14:24)
Password.

Bryan Lachapelle (14:24)
password.

Justin Shelley (14:30)
They own you. Yeah.

Raul Cepeda Jr. (14:35)
You know, when we look at it, there are some efficiencies, obviously, with password managers, but they themselves are just as vulnerable, especially if, you know, people don't have MFA enabled into their password managers. So if you are going to leverage a password manager, the only thing we kind of recommend folks to do out there is make sure that that those things are secured. Right. You have multifactor authentication into those password managers, because again, they're just as vulnerable as the endpoint that you're trying to get into at the hospital.

Justin Shelley (15:02)
Right.

So where, but where do you find places that your system won't work? So for example, you have to have a physical device on each end point that you want to access, right?

Raul Cepeda Jr. (15:15)
Yeah, that's I think that's the biggest I mean, if you look at some of the biggest roadblocks, right, like I want to make an investment in the solution, but I got to buy the hardware for it. Right. And so you'll see a lot of kind of hesitation to say, can I make an investment, you know, into this? Right. I got to buy one device per endpoint. You know, our response usually back for that is, you know, the average cost of a data breach out there in the US last year was 9.36 million.

So when you're thinking about making, let's call it a $100,000 investment in hardware and software, it's peanuts compared to what the consequences could be if you experience a data breach. And an enterprise organization, 9.3, it's a drop in the bucket. But a small to medium business, that's crippling to a small medium business, to have to pay

Bryan Lachapelle (15:59)
you

Justin Shelley (16:12)
Yeah.

Raul Cepeda Jr. (16:14)
even hundreds of thousands of dollars out, let alone the millions that are averaging per data breach every year. So, so yes, there is, there is a cost investment to it. It's fairly minimal. You know, we're talking about 150 to $200 per reader, along with some software that will manage that, right. A single sign on type software, which I think we see at about $55 or so per license per year. So there's an investment to it, but again,

Justin Shelley (16:43)
Per year per year. When you and I talked before this, I think I wrote down per month. So it seemed like a bigger price than it is. That's actually not bad at all. We're talking four or five bucks a month. Like that's, that's not even, that's not even hitting the radar when, okay, now you're comparing it to the cost of a breach, which is a what if, and a lot of people can stick their head in the sand and say, it's not going to happen to me. So I don't, I don't care, but

Raul Cepeda Jr. (16:43)
If you look at the investment per year, per year.

Yes, 55 per year. absolutely.

Justin Shelley (17:09)
You let's let's talk about this 40 minutes a day. The study that you guys did. Did you did you turn that into a dollar figure per user by chance per employee?

Raul Cepeda Jr. (17:20)
Yeah, so we actually, so there was a cost at some point where it wasn't necessarily tied to the amount of logins per day, but they were able to give us some statistics about how many password resets they were having to conduct. Because again, you have to remember multiple passwords throughout the day. A password reset cost is generally about $70 per password reset. That is

Justin Shelley (17:37)
Mm.

Raul Cepeda Jr. (17:50)
everything from the lost productivity to the IT staff that you're having to manage to do that. And so when we did that, I believe we came to the conclusion that one of the organizations where we did this study, that they were having to pay out in the hundreds of thousands of dollars per year, just on password resets alone. So there is a cost savings there from having to do those password resets, let alone the 40 minutes of time that they're losing every day, every clinician each day.

right, that can be more focused on the patient themselves, right. Now, the cost there, it's hard to put an actual cost to that, but what a lot of these hospitals in this scenario, right, they're measured on patient satisfaction, right. That's a very, very critical thing for IT folks and even the staff that's there is that the critical care that they're providing the patients and the customer satisfaction, which is coming from surveys.

And if you hear the number one complaint most of the times is I'm having to wait very, you know, too long or, you know, I can't get my, into the doctor quick enough. I'm waiting in the waiting room and where's that? Where's that loss savings coming? Part, partly to this, right? It's not the only problem, but that's one of the problems.

Bryan Lachapelle (19:06)
So in the case where somebody who wants to access their systems on a device and or like for example mobile device or maybe you have somebody working from home that day and they're on the administrative side and they normally use your device to log in but they can't now because they're not working on a computer and or a device that has the endpoint or the device, how would they authenticate then?

Raul Cepeda Jr. (19:32)
Actually, no different, right? So a lot of folks that are working remotely can leverage this exact same device, right? They're on the network and a lot of times they have VPN, right? So it's really no different if they're remote or in the office. Mobile devices, we actually have what's called a nano product. It looks like a little dongle, like, you know, the dongle that goes in for your keyboards or your mouse. And that will actually get plugged into an industrial mobile computer or smartphone.

Bryan Lachapelle (19:34)
Okay.

Raul Cepeda Jr. (20:03)
And actually it's the exact same experience, right? So I plug in that little dongle via USB-C into my smartphone. I take my badge out. I could tap it onto a smartphone. When we say endpoints, we're not just talking about your laptops and PCs. We're talking about mobile devices and we're agnostic whether you're in the office or you're in a remote environment as well.

Justin Shelley (20:09)
Really?

Really?

Bryan Lachapelle (20:24)
Okay.

Justin Shelley (20:25)
What about for web pages? I mean, is there a way to authenticate through to websites and applications, stuff like that?

Raul Cepeda Jr. (20:32)
Yeah. So, there's a big, you know, association out there. We'll call it the FIDO Alliance, which is basically what their, what their goal is, is to eliminate passwords altogether. Right. So they have kind of teamed up with a lot of the major tech corporations like Google and Apple, Amazon, a lot of these organizations to basically eliminate passwords, right? Like their, their mission is to develop and promote authentication standards out.

And so one of the things that they do is they leverage kind of WebAuthn to kind of help organizations log in, not, again, it's not just about your workstations, right? But it's about all the business applications, especially those that are web based. And so some, some nice stats around there, you know, actually just recently I attended, attended an industry trade show where they were kind of giving the state of authentication or the state of passkeys, which is the,

the term that they coined for this type of authentication. And today there's more than 15 billion accounts that are actually leveraging passkeys to authenticate into different websites. And some of those websites include Netflix, Amazon, your banks, right? That you're trying to log in. If you go into like your Gmail or things like that, a lot of times you're going to get the option. Do you want to authenticate via your password?

Or do you want to authenticate via a passkey? Right? That passkey is what the FIDO Alliance has actually established out there as the most secure method of authentication.

Justin Shelley (22:08)
Question for both you, Mario then Bryan, do you guys see passkeys being used with your clients?

Mario Zaki (22:16)
Not as much as I would like it to be. Even myself, I don't do it as often as I should.

Justin Shelley (22:24)
Yeah, Bryan.

Bryan Lachapelle (22:25)
I would agree. It's not a technology that we're seeing wide adoption on yet, even internally with our own teams. Having said that, it's probably because not a whole lot of people are out there talking about it. And so I remember when it first came out, we were talking about passkeys. And there was a lot of hype surrounding it. And we'll never need a password again. And then it just sort of died on the vine. I don't hear a lot of people talking about it anymore.

whether it's in the industry or whether it's with consumers or even the big three, they're not really promoting it as much as they were when it first was introduced. Almost like it's like a secret.

Raul Cepeda Jr. (23:01)
Yeah.

Justin Shelley (23:03)
or it'll just take

Mario Zaki (23:04)
Now, Raul,

Justin Shelley (23:04)
time. Go ahead, Mario.

Mario Zaki (23:07)
I have a question, Raul. Like, is this something like that we, like as MSPs, like I know when, you know, we offer, and I am pretty sure these guys too, we offer a password manager to our clients. Is this something that we can start like replacing a password manager with and say, you know, we go to our clients, like, all right, we're gonna...

Raul Cepeda Jr. (23:21)
Mm-hmm.

Mario Zaki (23:30)
you know, for a similar price as your password manager, we're going to put this on all your computers. Everybody can use a card or use their phone or something like that. And that would replace their password manager altogether. But also my second part of that question is kind of like what's related, you know, Justin was right. What if that person wants to like log into like 365 from home or wants to log into their like bank at home or something like

Do they need another one at home?

Raul Cepeda Jr. (24:04)
Yeah, I mean, we probably got to differentiate a little bit of the workforce versus the consumer use cases. Right. Like when you look at passkeys as an example, yeah, it's absolutely true. Like most of the adoption there has been up to this point on the consumer side. Right. Google and Apple in particular, Microsoft have really made a mission on eliminating passwords. Right. And it's starting on the consumer side. Right. Because if you can, if you can get the adoption there.

then you start to see that adoption start to come and transition into the workforce, right? Think about the tablets, right? We all had iPads at one point, right? When iPads were brand new and it's like, I'm using it for my games. I'm using it for this. Now all of a sudden you start to see iPads transition into the workforce and they're leveraging tablets and that nature, right? So it's, I think that's what FIDO is trying to do is let's get the adoption rate out there on the consumer side. And we have seen a steady increase in adoption of.

But going back to your question, I think, you know, can you can you leverage it for, you know, I'll talk specifically about the workforce. Can it replace a password manager? We look at our platform. We call it Converge ID. Converge ID with that platform enables you to do is take a smart card that you use for your building access today, right? And convert that actually into a passkey.

Right. So now I can leverage the ID card that I use to get into the buildings for what we call logical access. So everything beyond the door, those different use cases are a variety of different things. Getting into a workstation. When I do secure printing on a MFP on a multifunction printer, right. Pull printing or even doing time and attendance, right. I can leverage now my badge for all these different use cases. And so.

What the Converge ID platform does is not only does it convert it to passkeys, right, that ID badge, but now you can manage all your users there, right, and all the different, you know, and within the Converge ID platform, we have integrations into things like Ping Identity, into Okta, into all your different IDPs, as well as the different business applications that you're trying to get into. Now,

Are we 100% of the way there? Are we going to have an integration into every platform that you leverage on the work side? No, right? But that's the nice thing about the platform is it's pretty, it's easy to kind of start to build out those integrations. It's very seamless to kind of start to build out more more integrations into the different business applications. So yes, to answer your question, I think it's yes, we can kind of replace that password manager because again, that password manager in a way is,

I don't want to say it's an apples to apples comparison to our platform, but it does, we are able to fill some of those gaps with our Converge ID platform that a password manager would be doing for you today.

Mario Zaki (27:07)
And in the conversion process, like say, I don't know, like you have like 200 passwords in your password manager. Is there a way to like, I know you could export it out there, but is there a way to import it into your system or how does that process work?

Raul Cepeda Jr. (27:21)
Absolutely.

Yeah, as long as as long as we understand what the systems are, we already have connections in our platform, so it should be a pretty seamless experience, right? The other thing is, you know, pulling in your Active Directory, right? If you have some type of directory there where you have users and they're tied to a badge, right? So they have some unique identifier. We're able to upload your whole employee list into our thing via, you know, as simple as a CSV file.

Mario Zaki (27:51)
And does it work with just plain website? Like say you want to log into onhack.com or I'm sorry onhack.live, sorry. If you want to log into there, can your system log into that or you have to have an integration with it?

Justin Shelley (27:59)
You're be fighting words right there, Mario.

Raul Cepeda Jr. (28:10)
So the website, first off, the website themselves has to be able to meet the conformity of passkeys, right? So, or the FIDO Alliance, right? So if you look at right now, most of the web browsers, I think there were some stats that like 96% of active browsers today and 98% of mobile devices support passkeys, but your website needs to kind of conform to the standards of the FIDO Alliance to be able to do that.

Mario Zaki (28:38)
Justin, are we conformed to the FIDO Alliance on unhacked.live or? All right, good, all right, so we're covered.

Bryan Lachapelle (28:40)
you

Justin Shelley (28:41)
Hell yeah we are.

I mean, you know, because you don't need a password for unhacked.live.

Mario Zaki (28:51)
You

Bryan Lachapelle (28:52)
Hahaha

Justin Shelley (28:54)
We ain't got nothing to hide. Come on guys. Well, like I'm trying to find a downside to this. I'll be honest. There's gotta be something. There's gotta be a reason why I shouldn't jump right now, kill my password manager and put all your stuff, by the way, guys, just in full disclosure, I've already signed up as a reseller with these guys.

Mario Zaki (28:56)
All right.

Bryan Lachapelle (29:13)
Hahaha

Justin Shelley (29:16)
Like what is it? What's?

Raul Cepeda Jr. (29:17)
Yeah, I mean, again, it really comes to the cost. It comes to the cost, right? I mean, are people willing to make an investment? I think the other thing we often hear from a lot of IT and security professionals is, you know, we're not just competing with our competitors, right? It's not just about, do I want this? It's how do you make this a priority for individuals that are responsible for the cybersecurity within the organization? And they have a project where, you know, you know, I only got so much budget and I got to buy new laptops.

or I gotta put a new infrastructure in place. So we're competing with other IT and cybersecurity initiatives. But again, for us, it all starts with access management, identity and access management as a whole. There's a few different pillars, right? There's the access, getting access first, then there's assigning privileges, right? So what we call privilege access management that's saying, hey, Justin, you have access to this network, but you don't have access to that network, right?

And then the last thing is about governance and monitoring, right? Once I actually get breached, how do I make sure there's red flags that go up whenever I see some unauthorized activity? Right. But again, it all starts with the access management, right? 81%. Yeah, go ahead. No, was going to say 81%. Right. I mean, I think that's a key thing, right? When you look at the data breaches that are occurring out there,

Justin Shelley (30:28)
I got two things I want to go ahead, go ahead, go ahead. No, I want your 81%.

Raul Cepeda Jr. (30:41)
81% of the time it's occurring because of a stolen credential, stolen password, right? So we got to eliminate passwords, right? Otherwise we're going to continue to see these data breaches going on.

Justin Shelley (30:52)
Okay. So

two points. Number one, I'm going to keep saying this. I've already seen people eliminate passwords. They're doing it every day, with no alternative, unfortunately, but, but I think like that problem that I brought up in the very beginning, I think it addresses that as much as it addresses anything else, because security is a pain in the ass. And what you're doing is making it simple. Number one, number two, you, you talk about cost as, as an entrance barrier, but let's just use my

Bryan Lachapelle (31:00)
with no alternative.

Justin Shelley (31:21)
phenomenal math skills because I am brilliant, just like Einstein. And we're going to, we're going to put a dollar amount to these, uh, healthcare professionals that were spending 40 minutes a day. Let's just say they're worth $60 an hour to keep this really, really easy for my brilliant math skills. means $40 a day, 40 minutes, right? Dollar a minute, $40 a day is what they're wasting in that environment. Now everybody's environment is a little bit different. Everybody's waste is different, but just in that scenario, uh, $40 a day.

times let's say 20, 22, but we'll use 20 for simplicity. We're talking, check my math guys. Isn't that $800 a month?

Bryan Lachapelle (31:59)
$1,400 a year.

Justin Shelley (32:00)
Okay.

Like this is not a problem. The cost is not a problem. The waste that we are, you know, the, absolute waste and not doing it seems to be a much bigger problem or, or barrier than the, like, it's not even a barrier. It's the opposite. It seems silly to not do this. And that's why I'm like in, in, all seriousness, in all candor, I'm looking for the downside. Cause I don't see it.

and the room goes silent. See? That's it. Episode over! Thank you for joining us today,

Bryan Lachapelle (32:28)
Silence.

Raul Cepeda Jr. (32:31)
episode over there you go

Mario Zaki (32:32)
I'm

Bryan Lachapelle (32:33)
I can't see the downside either. I mean, the only thing I can think of is that for some small businesses where they are operating from home, where the employees are expected to use their home computers to connect to corporate resources, that might be a challenge. But in a high security environment like a hospital and or any health care or military or anything like that, I don't see the downside because you shouldn't be allowing them to use personal computers anyway.

Justin Shelley (32:57)
Exactly.

And if they are, you have to secure them. So that means get them a $150 device to take home. Guys, it's the cost of a monitor. The cost of a cheap monitor is what we're talking about. So yeah, cost just doesn't even seem like an issue here for me.

Bryan Lachapelle (32:58)
And so to me, that's, yeah. Right.

Justin Shelley (33:14)
All right, any other kind of final thoughts, guys?

Bryan Lachapelle (33:19)
No, I'm going to buy one now. No kidding.

Mario Zaki (33:21)
Yeah, I want to like start reselling this and using it for instead of like, you know, doing password managers. This is definitely somewhat.

Bryan Lachapelle (33:25)
Yeah.

Justin Shelley (33:28)
No, no, no, no. This is my competitive advantage

and I'm coming for all you guys. Um, I've already signed up and it's exclusive. Only one host of unhacked can be a partner at a time. No. Okay. Fair. Fair. Uh, the device price just went up to $500 per device. No, but like seriously go, go join any other MSPs listening, go, go become a partner with these guys. Cause it, again, I don't have my first device yet. Um, I will have it soon and I can't wait.

Mario Zaki (33:33)
Heh heh.

Alright, I'll buy them from you Justin.

Justin Shelley (33:55)
to learn, you know, to actually put this into place. Maybe we'll have a follow-up episode after we've all implemented this with ourselves internally and all of our clients, a hundred percent of option, right? That's, that's kind of my hope. So guys, I, I think we've, kind of covered everything. We're going to go to key takeaways and we do this at the end of every episode and that we're going to go around the room. I'll start with Mario, then Brian, then you, if you just had one thing, if our audience listened to nothing but this, give us a sentence or two that they should know.

and an action item that they can put into place right now. Mario, you go first.

Mario Zaki (34:32)
Yeah, it's pretty much something you said earlier. Passwords suck, password managers suck a little less, and there's now a third option. There's something to make people's life easier. And this is it.

Justin Shelley (34:49)
All right, Brian.

Mario Zaki (34:50)
That's it.

Bryan Lachapelle (34:51)
I don't know a single soul that loves having passwords, loves tracking passwords, loves remembering passwords or even using a password manager without pulling your hair out. So I don't see the downside. If you are a business, especially when it's in a high security environment that requires to know that the person logging in is the person at the other end that is supposed to be logging in. I mean, yeah, reach out to one of us because we'll probably all be partners by the end of the day.

Justin Shelley (35:15)
Exactly.

All right, Raul, what do you got? Key takeaway.

Raul Cepeda Jr. (35:19)
Yeah, I mean, I would encourage, you know, any of the MSPs out there ask, ask the security or IT professionals out there, you know, when's the last time you conducted an access control audit of all your endpoints, right? A lot of times, an access control audit. Yeah, you're gonna hear crickets, right? Or you're gonna hear a what what? What are you talking about a checklist or what? And if that's the case, right, they probably have a lot of vulnerabilities in their environment, right? So

Justin Shelley (35:31)
Wait a what? I'm just kidding.

Right.

Mario Zaki (35:41)
the

Raul Cepeda Jr. (35:49)
This is an easy way to kind of help reduce the possibility of a data breach out there. And so we encourage you to reach out to the MSPs and learn a little bit more about our solutions by going to RFideas.com.

Justin Shelley (36:02)
Love it. All right, guys. Yeah, as always, go to unhacked.live, not .com, Mario, go to unhacked.live for show notes for more information about our guests, Raul, Raul, you'll have your own profile up on our website. And as always, we all offer some version of a free security assessment. So if you look at your IT guy and say, Hey, when was the last time you did an access control audit, and they give you crickets or a blank stare, we'll give you one for free. So

jump on there and listen, like in all seriousness, there's no, no strings attached, but know where your blind spots are. So that's, that's kind of my key takeaway that I I'll say a lot of times is you gotta know where your blind spots are. And I will tell you passwords right now is, is huge, a huge problem across the board for so many reasons. All right. With that, guys, we are going to go ahead and sign off. That's it for this week's episode of Unhacked. Let's say our goodbyes Brian go first.

Bryan Lachapelle (37:03)
All right, with B4 Networks. Just, hey, everybody just start your cybersecurity journey today, improve a little bit every day, and let's get rid of passwords together.

Justin Shelley (37:12)
I love it, Mario.

Mario Zaki (37:15)
Thanks guys, and if you're staying up at night worried about your business help us help you stay secure

Justin Shelley (37:20)
Beautiful.

Raul, final sign off.

Raul Cepeda Jr. (37:25)
Yeah, thanks guys. I appreciate you having me today. And again, let's get rid of passwords.

Justin Shelley (37:29)
I love it. Thank you

so much for being here. All of you, especially Raul. I am Justin. Remember, listen in, take action, and keep your businesses unhacked. See you next week.

Creators and Guests

Bryan Lachapelle
Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki
Host
During my career, I have advised clients on effective – and cost-effective – approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.