Navigating the path to passwordless authentication
Yves Audebert is chairman, president and co-CEO of Axiad IDS, a trusted identity solutions provider for government and financial organizations. He previously founded ActivCard / ActivIdentity, one of the lead providers of the Defense Department’s Common Access Card and HSPD12 FIPS 201 credentialing systems.
If you have been in business long enough, you have probably heard the quote often cited from Lewis Carroll’s Through the Looking Glass: “If you don’t know where you’re going, any road will lead you there.” And while this quote isn’t verbatim from the book (or the subsequent movie Alice in Wonderland), the sentiment has stood the test of time because it appropriately captures an important strategic premise — that it’s important to be clear on your destination and desired business goals before kicking off a strategic initiative.
While very true, this concept can’t be taken simply at face value especially as you formulate a cybersecurity strategy. The destination isn’t all that matters — often the road you take, and the steps you take down that path, matter equally.
Private and public sector security executives around the globe now understand that a password-based approach can present material risk to the enterprise because passwords can easily be compromised. In fact, passwords, along with stolen or weak credentials, play a part in more than 80% of today’s breaches.
The logical next step for most cybersecurity-conscious organizations is to go passwordless. At most cybersecurity events today, you’ll see a wide range of technology solutions focused on delivering a passwordless experience, promising to enhance protection by addressing the vulnerability of leaked passwords, while reducing end user friction by eliminating the need for someone to remember a litany of secret codes in order to access key enterprise systems needed to do his/her job.
Organizations ranging from the Fortune 500 to U.S. government agencies, including the Department of Health and Human Services, are evaluating and deploying integrated authentication solutions to meet zero trust requirements. However, it’s critical that they move forward confidently, yet cautiously.
Not all paths to passwordless are equal
Internal IT complexity often serves as a roadblock on the path to passwordless. Most organizations leverage numerous authentication methods, have multiple identity types to protect (e.g., user and machine), must support a wide range of use cases (e.g., Windows, Mac, Linux environments), and may already have existing investments in identity and access management (IAM) systems they don’t want to rip and replace. This disjointed reality can force security professionals to take a fragmented approach to authentication — in which they address passwordless requirements in small chunks across the enterprise.
This may not sound concerning on the surface, but one can dig a level deeper to uncover some alarming scenarios. For instance, a siloed strategy means that policies may not be applied and enforced methodically. It might also mean that organizations are asking users to leverage several different systems to authenticate — and when friction is introduced, users often find a workaround that can create added risk. There are also the added costs required to administrate the multiple silos across the organization. Perhaps most concerning, fragmentation leads to gaps and inconsistencies which bad actors can exploit.
The smart path forward is integrated
In response, contemporary authentication strategies are shifting from a fragmented to a holistic approach.
By casting a wide net across all identity types, use cases, authentication methods and existing IAM ecosystems, the organization assimilates all credentials in a singular manner, analyzes in context of the aggregate, automates processes more efficiently as one and ultimately authenticates systematically.
This integrated methodology systematically shuts down the gaps that have been historically exploited in fragmented models. It is also more adaptive, easy to manage, and provides optimal visibility across all credentials with a single pane of glass. And because it can be applied to the whole of the organization, and includes some important operational efficiencies, it can be accurately described as enterprise-wide passwordless orchestration.
The benefits of this holistic approach include:
- Phishing resistance: Security professionals can enforce day-one enrollment and enforce critical policies to protect the organization.
- User empowerment: Employees can access what they need, when they need it, without friction, so they are more productive.
- Enhanced administration: Management can streamline processes for admins and reduce workload (and related costs) for the helpdesk.
- Path to zero trust: With greater visibility across credentials, security professionals can continuously authenticate every user, machine, and transaction.
Key steps to enterprise-wide passwordless orchestration
While an integrated, holistic manner is the smart road to travel, sometimes the critical elements of success aren’t always clear. To help navigate to the correct destination, here are five key things to look for:
- Breadth: Naturally cast a wide net and focus on several key elements at the same time – for example, privileged users, mobile devices and securing the hybrid workforce.
- Integration: Ensure whatever solution you leverage has the ability to authenticate uniformly across multiple tools and operating systems.
- Automation: Make sure you orchestrate key processes to alleviate work on your administrators and helpdesk.
- Visibility: Attain a single pane of glass to easily manage various authenticators from one location.
- Control: Ensure your credentials are isolated from others, to minimize vulnerabilities.
Attackers are not slowing down and will continue to find innovative ways to get inside your organization. Stay ahead of the game by making passwordless a priority.
Learn more about how Axiad can help your organization achieve enterprise-wide passwordless orchestration.