Four steps to building a passwordless enterprise
By Robert MacDonald, VP of Product Marketing for 1Kosmos
Passwords have been a fact of life for 60 years now. Just like the sun rises every morning and sets every evening, we expect to enter a user name and password to access digital assets. That is changing with the adoption of passwordless authentication, but wide scale adoption has yet to become the norm.
Going passwordless will do more than change the way users logon; it upends the ways enterprises handle third-party and contractor onboarding, protect against contract hijacking, SIM jacking and other threats, and if done right, it gives users more control over who accesses their personal data, among other advantages. Once we are able to consistently trust that the user behind a logon is who they claim to be, and validate that it’s not just someone who got hold of those credentials somehow, there are many more things we can do online.
Setting up passwordless does face a number of hurdles, however, mostly because organizations have grown accustomed to doing things the old way. When users are confronted with a sudden change—sign on with a password on Friday morning, then come back on Monday morning to a passwordless environment—it can be uncomfortably disruptive.
Here are some common-sense steps that can help make the transition to passwordless a reality without burning out your IT staff or disrupting the organization’s workflow:
Set an identity-proofing strategy: Develop a passwordless multifactor authentication (MFA) strategy that meets the business’ goals. MFA is a potent tool for preventing impersonation attacks, phishing and other common threats, but bad actors are constantly finding ways around it. “MFA fatigue” has now entered the buzzword portfolio.
Most passwordless approaches today rely on possessing a device, usually a mobile phone, to verify the identity behind the account. But phones can be stolen, and hackers can use man-in-the-middle tactics to derail that approach. Even those authentication strategies that rely on biometrics or tokens have their downside: they don’t actually prove identity, since a device can hold more than one person’s biometrics, and device-local biometrics can be spoofed.
A policy that relies on federated identity that is portable and tied only to the user can solve that issue, by separating the identity from a device. This requires proofing that identity during onboarding, in some cases by using government-issued identification to verify the user. Once that proof is collected, the system can rely on biometric identification—also collected at onboarding—to routinely match the identity to the right user, and store the information with an encrypted key only the legitimate user can access.
Choose a flexible passwordless platform: It’s hard to change your services simply because you want to grow as a company, so many enterprises tend to bolt on digital resources as they grow. This leaves many IT assets built up over the years within the network, and many of those may not be capable of passwordless authentication.
Additionally, many enterprises today have a blend of cloud-based and on-premise assets that need to be protected. Some organizations will also have multiple cloud vendors, each with their own security and identity structure and passwordless options. This can lead to the use of many different authenticator apps. Therefore, it’s important to choose a passwordless architecture that can accommodate legacy technologies as well as new cloud-based assets.
Choose a passwordless infrastructure that plays well with different apps, cloud vendors and single sign-on (SSO) platforms. Many enterprises wrongly believe that an SSO platform serves that purpose. While SSO is a good way to manage access to the sprawl of apps most businesses use in their operations, it is important to keep identity proofing and authentication separate from the SSO function, especially since SSO can’t cover all applications and services, and complete coverage is a must.
Plan a deliberate roll-out: If there’s one thing that employees hate more than passwords, it’s change. A sudden deviation from routine processes will often result in negative impacts on productivity and daily operations, since many users will ignore training videos and other materials supporting the transition and will show up for work one morning, unable to log on.
There are challenges along the path to a consistent passwordless experience, but a gradual transition may let your people get on with their day-to-day jobs without inundating your help desk. A controlled roll-out can ease users into a new experience by switching over in stages, shifting different user groups or different departments together. Another useful change-management strategy is coexistence, where password users gradually sunset themselves as they transition to the passwordless system. Users can keep signing on with the previous, password-bound experience or transition to the passwordless environment at their own pace. Both experiences can be available at log-on, side by side; often, curiosity will win out and users will switch once they see others in the organization going passwordless.
Customize controls: Customer user experiences are different from workforce user journeys, and those are different from the user experiences of vendors and partners, but all should be as secure and low-friction as possible. A poor user experience can lead to attrition as customers move to a competitor that offers a low-friction alternative. The same rule applies to internal workflows, where the concern is resistance from the workforce.
To avoid friction, it is best to tailor security controls and deploy them in stages that align with the business and IT objectives of the organization. The system should allow the administrator to customize journeys based on the end-use cases. For example, an admin at an insurance company can customize more stringent controls to prevent contractor hijacking, or a financial company can specifically implement measures designed to defend against phone SIM jacking.
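The staged roll-out, password/passwordless coexistence and per-journey controls described in the two steps above can be expressed as a small login policy. The following is an added example written for this article, not 1Kosmos code or any product’s API; the group stages, journey names, the rule that contractor and partner journeys need identity proofing before passwordless is honoured, and the sample users are all constructed for illustration.

```python
"""Staged passwordless roll-out with coexistence (constructed example).

Decides what the sign-on page offers a user based on (1) the roll-out stage
of their group, (2) whether they have enrolled a passwordless credential,
(3) whether their journey requires identity proofing first, and (4) whether
their group's password sunset date has passed. It also reports per-group
enrolment so a group is only sunset once most users have moved over.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PASSWORD = "password"
PASSWORDLESS = "passwordless"

# Hypothetical stricter control for higher-risk journeys: a passwordless
# credential is not honoured until the identity behind it has been proofed.
PROOFING_REQUIRED_JOURNEYS = {"contractor", "partner"}


@dataclass(frozen=True)
class GroupStage:
    """Roll-out state of one user group or department (hypothetical schema)."""
    passwordless_offered: bool              # stage 1: option shown side by side
    password_sunset: Optional[date] = None  # stage 2: password retired after this


@dataclass(frozen=True)
class User:
    name: str
    group: str
    journey: str                 # "workforce", "customer", "contractor", ...
    passwordless_enrolled: bool
    identity_proofed: bool


@dataclass(frozen=True)
class Decision:
    methods: Tuple[str, ...]     # sign-on options, in display order
    must_enroll: bool            # password only gets the user to enrolment
    reason: str


def sign_on_options(user: User, stages: Dict[str, GroupStage], today: date) -> Decision:
    """Return what the login page should offer this user today."""
    stage = stages.get(user.group)
    if stage is None or not stage.passwordless_offered:
        # Group not yet in the roll-out: the old experience is unchanged.
        return Decision((PASSWORD,), False, "group not yet in roll-out")

    if user.journey in PROOFING_REQUIRED_JOURNEYS and not user.identity_proofed:
        return Decision((PASSWORD,), False, "identity proofing outstanding")

    sunset_passed = stage.password_sunset is not None and today > stage.password_sunset

    if user.passwordless_enrolled:
        if sunset_passed:
            return Decision((PASSWORDLESS,), False, "password retired for group")
        # Coexistence: both options side by side, passwordless listed first.
        return Decision((PASSWORDLESS, PASSWORD), False, "coexistence")

    if sunset_passed:
        # Not enrolled after the deadline: do not lock the user out, but the
        # password is now accepted only to complete passwordless enrolment.
        return Decision((PASSWORD,), True, "enrolment required after sunset")
    return Decision((PASSWORD,), False, "coexistence; enrolment optional")


def enrolment_rate(users: List[User], group: str) -> float:
    """Fraction of a group's members who have enrolled a passwordless credential."""
    members = [u for u in users if u.group == group]
    if not members:
        return 0.0
    return sum(u.passwordless_enrolled for u in members) / len(members)


def ready_to_sunset(users: List[User], group: str, threshold: float = 0.9) -> bool:
    """Only retire passwords for a group once enrolment reaches the threshold."""
    return enrolment_rate(users, group) >= threshold


# Constructed sample data.
STAGES = {
    "engineering": GroupStage(True, date(2024, 3, 31)),
    "finance": GroupStage(True),
    "warehouse": GroupStage(False),
}
USERS = [
    User("ana", "engineering", "workforce", True, True),
    User("bo", "engineering", "workforce", False, True),
    User("cy", "finance", "contractor", True, False),
    User("di", "warehouse", "workforce", True, True),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, sign_on_options(u, STAGES, date(2024, 4, 15)))
    print("engineering enrolment:", enrolment_rate(USERS, "engineering"))
```

The `must_enroll` flag is the piece most often missed: after a sunset date, unenrolled users still need a way in, and the policy lets their password carry them to the enrolment step rather than locking them out and flooding the help desk. `ready_to_sunset` gives the roll-out team a measurable gate for moving a group from coexistence to passwordless-only.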
Customizing controls also lets the organization “future-proof” operations, allowing security controls to grow and change to accommodate the decentralized operations of Web 3.0 and other evolutionary developments.
Password technology has remained relatively unchanged for 60 years, with users typing in their pet’s names and children’s birthdays to log on. Thanks to improved cameras and other biometric-enabling tools, we can now do things that were unthinkable in the 1970s. But our expectations of security and user experience have also changed, becoming more demanding.
The shift to a more mature passwordless journey that relies on verifying a user’s identity, not simply their device, can finally make passwords a thing of the past. This evolution requires planning and thoughtful deployment, backed by an identity strategy that is not bound to the digits of a one-time code texted to a cell phone.
About the author
Robert MacDonald, VP of Product Marketing for 1Kosmos, has more than 15 years of experience in identity and access management with Micro Focus, ForgeRock, Entrust, Dell, Quest and Corel Corporation.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.