You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we tackle a critical security topic that every

backup admin needs to understand, passwords versus pass keys.

Listen, if you're still protecting your backup system with just

usernames and passwords.

You are asking for trouble.

Bad actors are targeting backup systems first, and they know

exactly what they're doing.

Persona and I will break down the what, why traditional passwords

aren't cutting it anymore.

Why MFA is better but not perfect, and why pakis are probably

the future of authentication.

Your backup system is your last line of defense.

Let's make sure that you're protecting it right.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss that we had no backups of the production

database that we had just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated backup admins into cyber recovery heroes.

This is the backup wrap up.

Welcome to the show.

Hi, I am w Curtis Preston, AKA.

Mr. Backup.

I have with me a guy that I think might now be working on cars more than Me.

Prasanna Malaiyandi, how's it going?

Prasanna,

am doing well, Curtis.

Yeah, no, it, so two things.

One, it's not my own cars, but I am learning about cars.

I have taken an auto shop class at the local community college, which is

amazing because as a lot of longtime listeners know, I tend to be, uh.

I attend, or I used to attend YouTube University, which is

what my instructor calls it.

Basically watch a bunch of things on YouTube,

BMA,

that's funny.

learn about it, but never actually do anything with that knowledge.

So I decided to mix things up and so I decided sign up for auto class.

So this is my second quarter doing

chassis stuff.

So learning how to.

Uh, Mount Unmount tires, balance tires, patch tires, take apart

differentials and axles in a solid axle.

Uh, did ball joints and control arm bushings.

Going to learn how to take, uh, remove and replace, uh, shock absorber in the truck.

So

That's all so cool.

Yeah, very, very cool.

Um, I'm a little, I'm a little jelly.

Um, I, I, I don't have the, I don't have the time right now to, to, to do that.

I just got too much going on.

But, uh, uh, you know, the big thing right now, of course, all

of my spare time is being used to try to finish my, the next book

that, uh, uh, Dr.

Mike Saylor and I are writing on, uh, responding to and

recovering from ransomware.

Um, there are.

I, I think dozens of books

on how to prevent from getting ransomware.

I think we're gonna be the first book that's just about

responding and recovering.

And, uh, so I'm, I'm excited about that, but it is taking up all my spare time

Yeah.

of which I didn't have a bunch

of anyway, you know, so,

And, and, and and just a quick question though, uh,

the initial comment, you're like a guy who's working more on cars than you do.

You used to work on cars all the time

on

did.

Yeah.

You did.

all the work on your cars before.

It's just now your current vehicle does not require much

maintenance, if any at all.

Yeah.

Um, I like the first thing that it might need me to do, I'm still

like 120,000 miles away from probably my first break job.

Right.

Because, 'cause I, I have a Tesla and you don't use the brakes a lot.

And so the brakes tend to last like 200,000 miles right now, all

I have to do is, uh, water, uh, windshield washer and, uh, tires.

And, uh, I do the windshield washer, but I do not do the tires.

Um, I, yeah.

Anyway, so, um.

What are we talking about today?

Yeah, today I, I've been spending a lot of time with, again, with the cyber

side of things, and I've been learning a little bit more about the, you know, those

those that have listened to the podcast we're like, we're like, uh, immutable

storage, pa, password management, um, uh.

What, what do you call it?

Security updates and

MFA th These

are the things, if you did these things, then things would be so

much, so much easier for you.

Right.

And, and, and, and I'm, I'm, I'm still down with that, but I'm, I think time

enough time has passed with the new way of doing that, that I think it's

time for us to spend a little bit of time talking about the new way

to manage logins to a system.

Why

are you, you're, you're doing your thing.

the new way is basically things that started 11 years ago or 12 years

Yeah, but, but it's, but it's still, it's still not, for example,

it's still not available in many

systems and products and in other systems.

It's only available as a third

like a third party add-on to that product.

And

so it's still pretty freaking

new.

and I know we'll talk about it, but this is also useful because I've started seeing

this pop up in many places and always been

like, what is this thing?

Why is it

different?

How is it different?

So hopefully this episode, we can dive into some of those differences

and understand, is this really good for you and should you be using it?

Yeah.

And, and by the way, you know, just, just to not completely bury the lead,

we're talking about PAs keys, right?

We're talking about Fido, um, you know, PAs keys, which fall under Fido,

which is basically a whole other way to do authentication and authorization,

right?

Or, uh, would it, would it be IAM Would IAM would be the, the

overarching term that would cover that?

Yeah,

Yeah.

Okay.

So.

Um, we, we've made a lot of talk about that.

If you, basically, your, your backup system is all powerful.

Your backup system is, is I often say that your backup system is helms deep.

Do you get that reference?

Lord, the rings.

Yeah.

Yeah.

What was Helm's deep?

Do you remember?

It is in the, it is basically a fortress inside of a mountain that's

supposed to be impenetrable by pretty much anything, and it's

supposed to be like you lock it down and no one's coming to get you.

You will survive,

is the,

goal.

Yeah.

you watch the return of the king, like basically the battle gets

all the way down to Helms deep.

And like, if they get in there like the, but the battle's

over, right?

And the same kind of thing here that it, it's, it's the last defense.

If you lose your backup and recovery system, your disaster

recovery system, why even do it?

Right?

And so.

I spend a lot of time trying to explain to people that, you know, sort of two things.

One, that your backup system is absolutely a target for cyber attacks.

In fact, uh, last night, I, I went to very cool.

It's first, it's been going on pretty regularly and I I haven't

gone and, but now it's my first time and it's this big cyber event in San Diego.

It was great.

I, I kind of like forced myself to go.

I don't know why, because I don't know

I didn't know

you don't want to Yeah.

I had very low expectations and I got there and I'm just gonna

say this, lots of people, lots of fascinating people to talk to.

Um, some of them thought I was one of those fascinating people to talk to.

You just have a lot of stories.

And more.

Yeah, I do have a lot of stories.

More importantly, um, uh, free food and free beer.

So why, why did I wait so long?

Right.

Um, and, uh, I guess so you only got one free drink, but I managed to just

serendipitously be standing next to the guy that had the tickets and so he was

like, you guys want some more tickets?

Nice.

So I got three free beers.

Uh, and, um, no, no, I got two free beers and then I had one that I paid for.

And the craziest part was when they handed me the little, they

had the little, um, the payment

thing.

The choices for TIP were three, five, and 7%.

What

I, I, I

chose not to ask.

I was like, okay.

Um, anyway, I just thought that was interesting.

But it was great and, and I got a chance to talk to some people and I, and I

made this same comment about how much I. Um, the backup system is a target for

ransomware, and the guy's like, oh yeah, that's, uh, he's like, I have clients.

He goes, it happens all the time.

They get in there and they, they, he goes, they immediately, they

look for, and he named a vendor.

Uh, he's like, they immediately look for this vendor and if they find

it, they know what to do and they

take it out.

Right.

Um, and so.

I'm saying you need to understand the degree to which your backup

system is 100% a target of ransomware and that they want to take it out.

Because if they can take it out, then the, and, and, and this guy would,

and, and he clarified that, that they want to do this before they do the

payload of the actual attack.

Right.

Remove all the defenses.

Exactly right.

And so one of the things that you want to do is to make it really, really hard

to be able to log into your backup system

for, for an outsider,

you don't wanna make it really, really hard for you, but you made it a little bit

harder for you, but make it much, much harder.

And what is,

if people aren't doing the things.

That we're talking about either of the things that we're talking about

in this episode, what's the worry?

Uh,

Well, they'll come

into your

people do?

they'll delete your backups.

They'll set a retention time to zero days or one day,

Yeah.

now all your backups, your ability to recover from ransomware are gone.

They'll disable policies, so now you're not even backing up anything anymore.

They'll lock you out of the system.

So they'll reset all the access.

And then the other thing is they now know, like they could look and

say, okay, what are the important systems in your environment?

Because your backup system knows where everything is.

yep.

yep.

Yeah, it's great for exfiltration, it's great for all kinds of things that, uh,

by the way, that was a great answer.

It wasn't the question I was asking,

Oh.

the question that I was asking, and I, and I'll, I'll answer it myself then.

Fine, I'll do it myself.

Uh, what I would say was the problem is if you're not using either MFA or pass

Oh,

Right is that someone ulti.

Ultimately the security of your entire backup system rests on

every single person who has super user access to that backup system.

All it takes is one click,

one, you know, wrong email, whatever.

And boom, your password is exposed,

right?

Your username and password.

And if all that's stopping a threat actor from logging into your backup system is

a username and password, you are just

asking,

for,

asking for it.

Right?

Um, and, and, and honestly, you know,

I'm, I'm gonna have like a little bit of sympathy.

If you get hacked because of that.

But it's hard, it's hard for me to, to dredge up sympathy for

Here's my

little violin.

what's that

my little violin.

pilot?

Yeah.

So like, like I, I do believe strong, and we've talked about this

before, what's, what's our, we have a strong opinion on password managers.

What are they?

What is it?

Use.

Used.

Use.

one more.

Use.

You should be using a password manager if you're

not.

Something's wrong.

Yeah.

By the way, I, I, I saw a great, um, in researching for this episode, I saw a

great quote and it was, I've never known anyone that got hacked because they

used a password manager, but I knew all kinds of people that got hacked because

they didn't use a password manager.

Think about it.

There have been password managers that have been hacked, but the, um, but for

example, like the, the worst of course

was the LastPass.

It, even with that one, you had to severely misuse LastPass

to be attacked via LastPass

because the problem was that basically their, their, their vault got.

Got

accessed, compromised, but that didn't mean people got access to your

passwords, but what they got was access to encrypted versions of your passwords.

So as long as you had a decent password for your passwords, right,

if you didn't have like a six, a six digit password as your you're,

you know.

so I will fault them.

I know this is a long time episode ago, but one thing I will fault

them for right, is they did use weak encryption in the initial versions.

They did.

an old password vault that you've had for years, right.

It was using a weaker algorithm, which could potentially be broken

EP potentially.

Yeah.

Yeah.

But we still don't know, we don't know anybody that, yeah.

Anyway, but, but the, so don't do that.

Don't have a weak password and don't, you know,

I, I would investigate that, but, and, and you know, and not all

password managers are equal and all, that's all this kind of stuff, right.

Um, but I do believe strongly in having a separate password for everything,

using a separate password manager.

I also believe strongly in not.

And having your backup system use a completely separate IAM system

than your production network.

Right.

Not having your backup systems join the domain,

for example.

Right.

Which means that you're going to need something separate.

So I'm saying buy an inexpensive password manager for the backup side, only the

backup side, and have it be completely separate from the, you know, from your

main side.

have a question for you.

Yeah.

So you have a backup system,

you have a password manager.

How do you backup up the password manager for the backup system so you could

eventually restore it if you need to?

It's like inception.

The, the answer, the answer to that question will be dependent

on the password manager.

Right?

and we did have an episode, by the way of the.

The catch 22 situation of how do you, how do you delete, how do you

recover when you've lost everything, including your password manager.

Yep.

Um,

With

Suzy.

what's that?

With Suzy, right?

Yeah, Susie, uh, if we, if we could, uh, if you could help me with that, pull up

the spreadsheet and we'll get the link and

I'll put that in the show description of it.

That was a fascinating episode as well.

Uh, okay.

So generally most people are still using usernames and passwords,

hopefully strong passwords, hopefully with a password management system.

But even with all of that, if they're not using an additional

factor to log in, they are still wide open to all kinds of attacks.

Right.

And, um, vendors, SaaS vendors are starting to see this.

One by one.

They are at it literally.

This is in the last like five years, 10 to five years.

Um, they started number one supporting MFA

of some type.

Number two, the better ones, um, like Google for example, require MFA.

Right?

Um, and um.

And, and, and for MFA right.

There's sort of the good, better, best.

Right.

Even for MFAs that you need to take into consideration.

yeah, yeah.

Uh uh, so we we're gonna

cover that.

Yeah, yeah, yeah.

I'm just saying that that.

There, there's sort of two things of like, number one, supporting MFA

and they're

I think that any decent product should be requiring it

at this point.

Right.

Um, I pushed hard for that when I worked at Druva.

Right.

They started supporting it.

But they, at the time, they didn't want to like force it on their

customers.

And I was saying force it like what customer is going to complain that

you're forcing security on their backups.

And, and if that, and if that is a customer, like I don't,

I don't want that customer.

Yeah.

Um, but, um, I, I think that you should on anything that matters,

you should be forcing MFA at

this point.

Right.

Um.

So what, what, what, what is MFA, uh, you, you want to just

talk about what does that mean?

What is,

So, so MFA is basically multifactor authentication, so like you said, right?

You know, your, you enter your username and password to log into a

website, but they want to use another method as well to verify it's used.

So it might be something like send you an email to an email address, registered

in the system, send you a text message to a phone number registered call you.

Um, there's also applications, authenticator, applications like

ti, Google Authenticator, and others that you can use in order

to provide that second factor

to prove that, yes, this is me and not some malicious actor out there.

Right.

And, and the, the order, and by the way, the category of the, like the,

the, um, the, the last category that you talked, that's called an OTP

or a one-time password generator.

Um, the Google Authenticator I think was the first freely available one.

And a lot of people still refer to it as Google Authenticator,

even if you're using like Auie,

which is a competitor.

Um, but.

The, the lid, the order in which you listed them, I think would

be the order in of goodness.

Yeah.

Right?

Good, better, best.

Right?

Um, good is having something

right, using your email as your additional factor, not very good at all.

Email.

That means if that means, if your email was hacked.

Then your, you know, then your factor is hacked.

Right?

Um, and I have seen situations where the entire corporate email system was hacked

and people, and then the, the, the backup system used email as the factor.

And the people, they, they were again, uh, they were attacked.

They were successfully, they successfully took over the backup

system because they had already successfully taken over the email system.

So email not so good.

SMS is also not so good.

Why is

days, right?

Especially the why is that?

well, because SMSs could be.

Um, hijacked, right?

You

could do a sim swap and also if you're following the latest news, right?

Uh, many, many providers have had their SMS or actually their

communications networks compromised,

Right.

And you now have the US government telling people you should use

end-to-end encrypted applications.

Yeah, yeah.

Um, yeah, yeah, for anything that matters, you should totally use that.

Um, and so I, again, either of these is better than nothing.

So if you have a system that only supports email or SMS, then use it anyway.

But strongly encourage that vendor, whoever they are to, to

support, uh, uh, OTP or PAs keys.

We're gonna get

to PAs keys in a minute.

So there are cases where they actually had physical hardware that

would sort of rotate keys, right?

And then when you want to access something, you would basically

read the number off the key, right, and type it in to log in.

And of course it would synchronize with the backend and all the rest.

So it would always know like what the number should be,

and that's kind of how you would access the system.

Yeah.

Not as convenient.

not, not as convenient.

Yeah.

Um, but, but very secure.

Right.

Um, so you had to, you, in order to log in, you had to know the username and

password, and then the, the additional factor came from the fact that you

had physical possession of that.

Thing that key fob Right.

Um, and, um, and then, uh, use that,

right?

That did require that, um, device had to be able to be

synchronized to a, to a clock

so that it, so that it would know exactly when, you know the 'cause it would do like

an extra one every 30 seconds I think.

Okay.

Um, and, uh, so yeah, you were, you were, you were talking about

you, you had to be on the back

end to, so you had to be able to know what number was gonna be on

that device.

That's a very, very strong factor.

Not as convenient because you have to carry it around

Or if

it broke, then you couldn't log in.

Yeah.

Yeah.

If it broke you.

If you stepped on it.

Um, yeah.

And so that's why a lot of people, they have gone to the, uh, the OTP, you

know, the Auie or Google Authenticator.

That's what I Prasannally used.

I used Auie.

I used Google Authenticator for a while until I, um, went to, um,

move my phones and I didn't realize that I had to like, transfer it

while my phone was still alive.

And I ended up having to redo all my, all my MFA.

Um, and, um, and, and that's nice because it, it can be, uh, basically it's wherever

you, your, your factor is kind of.

The fact that you, you have sort of actually multiple factors because you

have to have possession of the phone,

the the device where this app is running and you have to be able to log into

that phone to get to that application.

So it's kind of like multiple factors.

Uh, by the way, some people also refer to this as two A.

Technically it's MFA because there could be more than

two factors.

Uh, but that's what some people call it was two FA

back in the day.

Um, and.

I think a strong MFA with, um, with a strong password is a pretty strong,

um, system.

Having said that,

there is, there is a thing called MFA exhaustion.

Do

you wanna talk about that?

Yeah.

This is basically, and we saw this in, what was that case?

There was, was it the Okta breach?

Right.

Where

basically.

People, right?

In the normal case, MFA is great, but bad actors have started exploiting

this and they will try to log in and it will send an MFA request to the user.

And sometimes it's like, okay, accept that this is me.

And sometimes they get so tired of always seeing it.

They're like, fine, screw it.

I'm just gonna

push

Fine.

Exactly.

And so now they've let the bad actor into the system when they shouldn't have.

Which is exactly what happened with the Okta hack, right?

It was actually an inside person at Okta that essentially fell for a, a, a, uh,

an MFA exhaustion attack, and they ended up letting the, the threat actor into

the system and bad things happen as a

result, right?

Um, and so there are exploits known for MFA still way better than the alternative,

right?

And, and I and I, when I think about the MFA exhaustion, me, my

brain, the way it, if I got 57 MFA requests, I'd be like, whiskey,

tango, foxtrot, man, what is going on?

The last thing I'm gonna do is go, yeah, yeah, yeah.

Stop bothering me here.

Let the person in.

I don't, I don't understand MFA exhaustion, but

people are gonna be people

but it could also be the case that while you're legitimately

trying to do something,

you also get a bad actor trying to do something as well.

And so you

may be

is true if, if there's some simultaneously and you may authenticate

the wrong, the wrong, uh, thing.

So there are known attacks against MFA, they are rare, uh, you know,

et cetera, et cetera, et cetera.

Um,

But, but, But, that,

what Go

but there is one downside with MFAs,

Which is.

Well, assuming that you're not using a password manager.

Right.

You still have to remember the password.

Yes.

in an IT environment, you have to rotate your password.

You're now adding password one, password two, password

1, 2, 3,

right?

It's like all the variations,

and so it's still that problem that you run into,

So is password 1, 2, 3, that this is not, that's not a good password.

oh, that is the best password in the world.

It's the most popular.

It's

the most,

dollar signs.

I used dollar signs for the SI know.

Oh, Lord.

Yes, you're right.

That is it.

It is, it is.

It's funny, like one of the, one of the things that people, there,

there's the, um, there's the, um, the horse battery staple, uh, thing.

Right?

Which is a, and, and, and there.

Story, they made a point of saying that by, um, coming up with longer

and longer passwords and more and more complicated passwords, we made sure

that that computers couldn't guess those passwords, but we also made

sure that humans could never remember

them.

Exactly.

So now

you write it down on a sticky note or

Yeah.

Um.

variations.

Exactly.

Yeah.

Um, and I used to have a system before I went to password managers that I've

talked about where I had like one core

password and then I upended and pre-end the, like a shortened

version of the domain name.

And, you know,

that was my, I, I had this way of having a unique password but

without having unique password.

Um, so if, like, if my password was password 1, 2, 3, my Gmail

password was GM password.

1, 2 3, GM.

Right.

That was a, that was a way that I did it back in the day before

I discovered password managers.

Could you imagine remembering all the passwords?

I can't, I can't, I have hundreds, hundreds of accounts.

1 thing that is starting to happen that I do like is being able to

authenticate via, like Google.

Um, I do like

Apple or

Yeah.

Yeah.

Um, all right.

So,

um.

So passwords have some downsides.

Remembering the

have some downsides.

MFA has some downsides.

A strong statement was made when I was discussing this with a colleague

the other day, and he said, there are no known successful attacks

against a Fido compliance system.

And I was like, huh.

Right.

And so I, I immediately had to Google Fido

because

this?

Is

this a dog?

what Pasky were.

I didn't know that it was called Fido.

I didn't know that it fell under this thing called Fi

by the

Fido is a framework

Fido is the framework under which Pasky fall, so Fido is a, an

acronym for Fast Identity Online.

Right.

And there is a thing called the Fido Alliance.

Um, you wanna talk about that?

Yeah.

So it's basically a bunch of companies where like, passwords suck,

yeah.

should do something better.

So Microsoft, I don't know if you remember this with Windows

10 or 11, they did Microsoft.

Hello?

Yeah.

Trying to ditch passwords.

This was probably

like five years ago, six years ago, right.

And so there's been this push because companies realize passwords are a pain,

Yeah.

And so there's been a push to sort of get rid of them.

And so Fido was created and it's joined by a bunch of companies and

organizations in order to try to eliminate passwords from the world,

if you wanna put it that way.

Right?

And Fido is a framework.

right.

keys is just one implementation of using Fido.

It is probably the biggest implementation,

but it is just one implementation,

right?

And the idea is that you don't have to remember a password.

Um, it, it's been interesting.

There's been a push by some vendors to do Passwordless login that

is very much not Fido compliant.

I dunno if you've seen this, where I've had some.

SaaS vendors that I'm basically, they don't want, they don't want

you to username and password.

They, they say, give us your email and we will send you a one-time

password to log in.

And I'm like, that's a single factor,

and it's a system that could totally be hacked.

So I, I, I hate that.

That is not what we're talking about.

Right.

Um, the, the, do you want to talk a little bit about what, again, I I think

we should state, we're now getting into.

The, the outer reaches of our, of our technical knowledge.

We are not cybersecurity professionals.

We know enough to be dangerous.

Um, and, um, and when, and if, if we were implementing something for

somebody, we would be bringing in

somebody like, uh, Dr.

Mike Saylor, uh, to, to, to do

this.

So, so do you

want me to walk through kind of how it works

at a high,

concept, first off, what, what, you know, it uses this

concept of, of, uh, public key encryption.

yeah.

So let's talk about first like how normal login works, right?

So

normal website you're logging in, you know, your username and password.

The, uh, hosting provider, whatever you're logging into, has a probably

an encrypted version of that.

And so it

does some computation, sends it over compared and says,

okay, you're all good to go.

Right.

Right now what they've

done is, um, they've gotten rid of the password part.

And, and there's a couple different ways, right?

One is many of these systems, for instance, if you're using a phone, right?

In order to access the, the private key that's stored on the phone, the phone will

require sort of a biometric verification.

So like

your face, your fingerprint, maybe a passcode, potentially.

right.

in order to be able to unlock access to that private key in order

to do the rest of the handshake.

So that's sort of that second factor or the multifactor

to prove that it is you.

So there's a device which contains the key, and then there's the you part to

say you are

that, that's gonna be, you know, like you said, you either like face ID thumbprint,

uh, passcode, depending on that, that that could be picked by the user,

right?

That authenticates you to that device and then the device, then the device

authenticates you to the other system.

Um,

And there's

one other thing to

also add is the private key itself.

So a lot of the new phones, they have a secure area that's completely

cordoned off from everything else where this processing happens.

So in, uh, windows desktop, it's called the TPM or Trusted Processor module.

I think, um, on your iPhones, it's usually called like the secure

enclave and things like that.

So this is a very special, secure area where cryptographic functions are done

and biometrics are being processed.

So your biometrics are never actually sent to the server,

Right.

It's all run locally just to say, you are who you are.

Okay, now I can access that private key.

Another very popular, at least in terms of its, I've seen it a lot.

Another implementation of this has been this company called Ubi O.

Mm-hmm.

And they have these things called UBI Keys.

And they are, uh, you know, little thumb systems.

You know, we call 'em thumb drives 'cause they, you

pull 'em in and out with your thumb, right?

Or, or they look like

they look like a thumb.

And basically it's something that plugs into the USB.

The later ones, they actually have biometric on the device.

Like meaning that you can put a, a, a thumbprint on the device.

They have other ones that don't have that, which means there must be some

authentication in software to the device.

Um, and I. Um, what this does is this, this allows for this

kind of authentication to happen on pretty much any computer,

uh, either a Windows or a Mac or a Linux-based computer.

All you need is that device and some method of authenticating

yourself to that device.

Um, and, and, and what I like about those is that they are incredibly affordable.

Um, you know, I'm not, they're not a sponsor.

I, you know, and, and there are other vendors, but what I really

like about YubiKey is that.

Uh, you, you can get a UV key for like, like their best UV key is like $55.

It's a, you can buy one of them and, uh, and you can start using this with

your,

please don't

in your world.

I, I knew you were gonna say that.

I was waiting for you to say that.

What did you just say?

Please don't just buy one.

Why not?

Because if you lose that UB key, you lose access to everything.

They should only sell them in pairs.

They do.

Actually sell 'em in pairs too.

Okay.

Yeah.

Yeah.

Yeah.

Um, so yeah, so re there are other

companies and, um, and those

companies are more than welcome

to, to, to reach out to me.

You go

but this is also where I think like Apple, Microsoft, Google, right?

They also all support PAs keys as well.

And one of the benefits of going with that sort of a software based approach is they

normally handle all the synchronization.

So Apple as an example, they will make sure on your iCloud key chain,

right, which stores all your pass keys and things like that, they'll

synchronize it across your devices.

Right, right.

Which is very helpful.

Um, another, um.

Um, and again, I, I'm on the outer reaches of my, of my knowledge here,

but I believe this also qualifies as Fido and a passkey, and that is how

I currently log into my credit union.

I. So my, currently, when I log into my credit union, I no longer,

I had to switch over to this system.

Um, and like at some point they told

me that this is your choice, right?

And, um, I need my username.

I. And then I need a pin code.

So, uh, in this case, four digits that I do need to remember the pin code.

And then they have an app.

In this case it's um, uh, the semantic VIP.

App that is a one-time password generator.

The, the, the reason why they like that, uh, versus the like Auie.

The problem with Auie is that like, is the synchronization aspect, I think the time

synchronization aspect, but, um, so they use, what they want me to do is they want

me to start up the VIP app, which again, I can only access the VIP app if I'm on.

The device

that's been authenticated.

Um, so I start at the, the, the VIP app, and then I put in my pin

code followed by the six digit, um, number that is generated by the app.

And that is my password.

Uh, you know, it goes in the password field and that way I'm, the only thing

I have to remember is the, the pen code.

And I'm pretty sure this qualifies as, as, I don't know if it does or not,

I, I, it's, so my thing with PAs keys is it's supposed to be seamless, right?

The fact that you have to jump through these hoops, I think is one reason why

I wouldn't say it's quite the same.

My question is, does it qualify under Fido?

Oh, that I don't know.

Is it Fido compliant?

Um,

Because the

process you just

saying is, what you're saying is that you don't have to remember anything.

Under a pasky situation.

Right.

The only thing I have to remember is how to authenticate to the

device that has the thing.

Right.

Um,

Right, because you don't even wanna remember, like you wanna

remember like very minimal, right?

And it shouldn't be something you remember per website,

right,

right,

It's like your password manager, you just remember the master password.

It remembers everything else,

right,

right.

In this case, you just don't even have to remember a master password, right?

You just bring you or whatever

you do to log into

your device, right?

So here's my, so here's my question.

If, if a Fido compliance system

is so much better, why don't we just use it for everything?

Like right now, I, I, I'm a backup guy and I wanna make sure that my backup system

is, is as secure as it could possibly be.

It sounds like Fido is better.

Why don't I just, tomorrow I start using this for everything.

Well, two things.

One is the vendor needs to support Fido, right?

So

it's not simple, right?

They need to actually build the mechanisms to support it.

The other thing too is I don't know if Fido works in a non uh, connected case.

Like if you're not connected to the internet, will it work?

Hmm.

Well, what scenario are you thinking of?

Where I would be running a backup system that's not connected to the internet.

Maybe you're in a skiff or you're

in a, in a secure location where you don't necessarily have outside access.

I'm sure it would work, but I just don't know.

Yeah.

Yeah.

Well, I'm not sure it work.

I think there's a pretty high chance it would work, but again, I also don't know.

Right.

Um,

but us, but, but here's the other thing is I think backup vendors, or sorry, backup

admins should be talking to their vendors and saying, please provide me pass keys.

yeah, and, and, and you, you can tomorrow, right?

You can start using something like UB Key to authenticate yourself if

you've got, if you have servers, right?

There are, there are UB key.

Uh, implementations for Unix windows, you know, or, or Linux, windows and Mac.

And so you could tomorrow.

Reconfigure your logins for all of your devices that have anything to

do with, uh, if, again, if you're using a, a traditional system

that that is based on some sort of server you could change so that the

o you, you can only log into the OS via UB key and, and and pass keys.

Right?

Um,

and two UB keys, by the way, please.

two UBI key two.

Um, and then, um, and then.

The, the harder one will be if you're using a SaaS provider, uh, you,

you, you should be pressuring them

to support, uh, Pasky.

Yep.

That's our, you know, again, we're not experts in this.

Uh, you should talk to an expert in this.

Um, if you like the UB key thing, check that out.

Uh, YUBI key, uh, that's the name of the product.

UB Co. Is the, is the company.

Uh, UB probably stands for something.

I don't know what it stands for.

U You be, you'd be more secure.

That's pretty good.

Maybe they could use you in marketing, Curtis.

Yeah.

Um, the, um, it's probably, I don't know.

I don't know where the name comes from, but, um, so all we're saying is.

All of this is more secure than just a username and password.

MFA's better, uh, than, than nothing.

Uh, there's three levels, right?

You got email, SMS and one-time password generators.

the the latter is definitely the best.

Um, probably the most secure is an actual key fob.

Most people aren't gonna use that.

Most people are gonna use it and as an app.

Um, and then.

The PAs keys is probably the most secure of them all, but it requires more changes

to your, um, to your infrastructure.

Uh, I will say that if you have servers or backup applications or

backup storage, that doesn't require either MFA or PAs keys to log in,

man, you need to fix that stuff now.

Oh,

you concur.

yeah, Oh, definitely.

Yeah.

You're just a matter of time.

Yeah, just a matter of time.

All right.

Once again, we managed to fill 45 minutes

talking about something.

In the beginning I was like, I dunno if we're gonna, if we're gonna fill

the

telling you, I'm telling you, we always figure out a way to fill the time.

It's like sand or

water.

could be that one of us can talk forever.

I don't know which one of us it

would be.

One of us definitely talks more than the

other one.

Anyway, I digress.

You have a nice day Prasanna

Thank you Curtis, and you as well.

I.

and, uh, I hope our

um, our, uh, listeners have a nice day as well.

That is a wrap.

The backup wrap up is written, recorded, and produced by me w Curtis Preston.

If you need backup or Dr. Consulting content generation or expert witness

work, check out backup central.com.

You can also find links from my O'Reilly Books on the same website.

Remember, this is an independent podcast and any opinions that

you hear are those of the speaker and not necessarily an employer.

Thanks for listening.