Envisioning a Zero Password Enterprise
It’s past time for a passwordless identity and access management system.
The Situation at a Glance
Modern identity management relies on us evolving past the password.
Seamless availability of enterprise resources is essential for employee productivity and job performance. That being the case, enterprises are on the hook to supply a proliferating set of applications and databases to a rapidly expanding and diversifying workforce – where all employees expect instant and constant access to those resources.
The username/password architecture isn’t a sustainable path. It’s making these demands increasingly difficult and risky for businesses – and sometimes impossible. Passwords suck up time and slow down work. They are barriers to progress, impediments to growth, and burdens to workflows – not to mention serious threats to security and trust.
Eliminating passwords from the identity management equation is the only way to future-proof the enterprise and give employees the empowered work experience they deserve.
How can this be achieved, and what do we stand to gain from a passwordless enterprise?
Read on to find out.
The Connected Enterprise
The modern enterprise is always-on, hyperconnected, and operates on a global scale with a fluid, flexible, worldwide workforce. That’s the default expectation. But just because it’s table stakes for a competitive operation doesn’t mean it’s easy to orchestrate.
Given enough time, a centralized password database will fall.
Business applications and data must be available to all employees, all over the world, at all times. That means cloud-based apps – and lots of them.
SaaS solutions and homegrown software applications are steadily integrating themselves into every essential business operation – most notably, business intelligence, data, analytics, and collaboration. Accordingly, investments in this area continue to rise year after year.
The Modern Workforce
Global, Remote, Flexible
An important trend for worker productivity, morale, and work/life balance – but a real challenge for the enterprise network.
“Flexible working, supported by a professional on-demand workspace network, is now being discussed by senior leaders across functions in companies including risk management, business development, human resources, marketing and strategy.”
Competition for Skilled Workers Accelerates
Advanced enterprises that remove work barriers will win the best talent and give their companies the best chances of future success.
Some collaboration apps introduce risk of their own, and employees who use personal devices for work extend the attack surface beyond what the enterprise controls.
“The cloud is now being relied on as a growth catalyst where the apps it enables are removing barriers to growing revenues and gaining new customers while stabilizing operations.”
“Software has become the dominant medium for engaging with customers, documenting transactions, and managing employees and assets. What’s next? Software will spread to every corner of enterprise operations”
Security: The Permanent Priority
Expanding, evolving, accelerating, and facing new challenges on the global stage.
With a spreading enterprise presence to protect, CISOs are working around the clock to face bigger pressures than ever before. The demands on enterprise networks are massive and the margin for error is nonexistent when one mistake can cripple an entire company. CISOs know all too well that such an incident is always right around the corner.
Security-related challenges divert resources from strategic activities, and they include governance and compliance regulations, budgetary constraints, and employee awareness and cooperation issues.
“With so many data breaches caused by stolen or weak credentials, the enterprise is prioritizing identity management in its cybersecurity posture.”
Worldwide spending on Identity and Access Management (IAM) rises steadily:
- 2018: $10.11B
- Projected 12.84% CAGR through 2025, reaching $23.38B
Privileged Access Management (PAM) is Gartner’s number one security project for 2019, and an important factor in making it more difficult for opportunistic hackers to target or compromise the credentials of privileged users.
This trend encompasses a spectrum of initiatives, but none as high profile as the main interface between users and those all-important and increasingly numerous business applications: user credentials. Nearly all user credentials are currently rooted in the username/password architecture. But given the proven shortfalls of passwords, they really shouldn’t be.
The Problem with Passwords
Deceptively expensive and inescapably obsolete.
Current identity management systems are mostly based around usernames and passwords, which are an increasingly unwarranted hassle. Current attempts to reduce risk to the company too often put the burden on the workforce by demanding more frequent password resets with stricter and stronger requirements each time.
The unstated assumption is that the problem with compromised credentials is the people, not the framework. After all, people create weak passwords. People also get fooled by phishing scams and are easily frustrated or delayed by barriers to login.
And users often reuse the same password for personal accounts and devices as for work, so as long as passwords are in use anywhere in the company, the network carries vulnerabilities beyond what the enterprise can control.
Simply typing in the word “password” has allowed fraudsters to gain access to 3.6M accounts worldwide.
When people forget their password:
- 37% are locked out of their account
- 37% cannot access something they need
- 19% delay work (source: Okta)
People have to remember 10 passwords on average, and forget 3 in a typical month.
Let’s be clear: the end-user is the weakest point in the network. But it’s not the user’s fault. Enterprises have piled exorbitant requests onto them, claiming a lack of real solutions and scapegoating the user’s inability to handle increasingly burdensome password requirements for an unforgivably weak security posture.
So, as companies continue to place more stringent demands on their workers, the workers expect the company to bear the burden of the security problems.
Currently, that responsibility takes the form of booming IT support costs – if the companies aren’t already bearing the fallout of (what some CISOs perceive as) an inevitable breach.
Microsoft spends $2 million in help desk calls a month helping people change their passwords.
“Passwords are the weak link. They have terrible characteristics about them, and they’re hard for you to keep track of. Passwords are also super expensive for companies.”
Passwords Cost Big Bucks
IT & Help Desks Bear the Brunt
Employees encounter password update reminders 67% more often than any other element of their companies’ cybersecurity policies.
Getting Past Passwords
Identity management doesn’t necessarily mandate any connection at all with passwords or usernames.
CISOs are starting to understand that the employees are correct: this is a business problem, not a people problem. It must be solved from the top down in a way that empowers the entire, global workforce without increasing risk for the company.
To continue to attract talent with competitive skill sets and ensure job satisfaction for current employees, the enterprise must meet the demands of the modern workforce – not dismiss them as luxuries.
“Going passwordless means removing the burden from the users and the risk from the enterprise. It’s a win-win. And when companies cross that threshold and start to see that things can be done differently, they tend to wonder how they managed to wait so long.”
The enterprise must improve its capabilities for user-friendly identity access and management. To do that, it must address the main culprit of cost, productivity, morale, and risk: the username/password scenario.
How are they accomplishing that? A combination of biometrics, multifactor authentication, single sign-on, and a little bit of contemporary ingenuity.
“By 2022 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases.”
“Eliminating passwords has been a longstanding goal, but is only now starting to achieve real market traction. Passwords are a magnet for attackers and are susceptible to a variety of attacks such as social engineering, phishing, credential stuffing and malware.”
Biometrics are Becoming Default
Convenient, user-friendly, and more secure than passwords.
One popular tactic to reduce user hassle while keeping the enterprise secure is to utilize biometrics in place of passwords. The introduction of biometric keys to mobile devices is a huge benefit to the user and the enterprise – if used correctly.
Biometrics are directly tied to the individual. In fact, they are the individual. Since this solution ties the person’s identity directly to their devices and data, it removes the unreliable, inconsistent layer in between person and application that stresses the network’s security.
But biometrics should always be part of a truly passwordless architecture – not just one that appears passwordless to the end-user. User accounts should never have a password attached to them, even at creation, or the risk of compromising it will always be present.
“The connected economy is forcing a need to redefine digital identity and to rely on new ways to make sure people are who they claim to be.”
Nearly 90% of businesses will use biometric authentication by 2020, up from 62% in 2018.
- 67% of respondents are comfortable using biometrics today.
- 87% will be comfortable with it in the near future.
Putting Biometrics to Work
The ubiquity of consumer devices in the workplace is mutually beneficial for employees and the business. It means the biometric hardware and software that comes packaged with most consumer mobile devices are readily available for integration into identity management systems.
Now, seamless integration of tools like fingerprint and face ID into enterprise workflows is not only possible, it’s cost-effective and convenient. The biometric match should happen on the device and the template should stay there: what the enterprise holds is a key or token, not the fingerprint or face data. Kept ephemeral and decentralized like that, rather than in a hackable, centralized database, the biometric data gives an attacker no single store to breach.
And if you can cryptographically verify user credentials through a self-sovereign identity system, you can reduce friction while increasing security.
But biometric integration isn’t a complete solution to the identity management problem; it’s an iterative improvement in security and convenience. And it’s important to note that biometrics are not flawless.
Some software is stronger than others at confirming facial or fingerprint recognition across different circumstances. Sensors have been spoofed with presentation attacks (fake fingerprints, photographs), and some are simply inaccurate. Some users have privacy concerns about their personal biological data being active on the company network. And a software or hardware lapse can lock a user out of the network.
A biometric key is also a single credential that enables access to the network, so enterprises must carefully verify the user’s identity at the creation of any account that will allow biometric access. And unlike a key or token, a compromised biometric cannot be reissued, which is one more reason the biometric should unlock a device-held key rather than be transmitted as the credential itself.
Biometrics are also, of course, more secure when combined with additional factors of ID verification.
Multifactor is Now Mandatory
Strong security rests on many factors, and it’s important to use every tool at your disposal.
Multifactor Authentication (MFA) takes many forms, but always involves verifying credentials through an additional factor. In a username/password scenario, that is often a PIN, an email confirmation, security questions, or a one-time code delivered by SMS – additional layers of security that create additional filters for would-be criminal actors.
MFA defeats any attack that relies on a stolen or guessed password alone. But those commonly used methods add a layer of complication for the user along with the extra layer of security, and they have weaknesses of their own: an SMS code can be intercepted through SIM swapping, and any code a user types can be phished in real time.
The factors fall into the familiar categories:
- “what you know” (like a password)
- “what you have” (like a device)
- “who you are” (a biometric key like fingerprint, face ID, retinal scan, etc.)
- “where you are” (GPS location-based factors)
Fortunately, MFA does not necessarily mandate an extra action by the user. It can also use automatic factors that provide a smoother end-user experience, like biometric data, device ID, or time of day. Additional capabilities similar to biometrics are also in development that will aim to increase the seamlessness of the technology, integrating data on things like the way you hold your phone, your swiping patterns, or the amount of pressure you use when typing. (These might fall under the “who you are” factor in a subcategory of “how you behave.”)
Gartner recommends that, as part of a PAM plan: “At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators. It is also recommended that CISOs use MFA for third-party access, such as contractors.”
SSO Saves Hassle
Single sign-on lets a user authenticate once and have that session reused across applications, saving the time spent on repeated log-ins and removing some obstacles within workflows.
Some enterprises use identity federation tools to enable access to the entire suite of enterprise applications. Similar to SSO, this enables one identity management system to facilitate access to multiple platforms as authorized by the company.
Tools like SSO and federated identity make it easier for workers to continuously access the proliferating set of enterprise resources, but linking one identity across multiple applications or through a centralized management system also comes with risks; if that credential is compromised in one application, it functions as a breach to all of them.
That’s why it’s best to combine SSO and federated identity solutions with biometric access and MFA measures.
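The blast-radius problem described above has a standard technical control that the text does not spell out: every assertion the identity provider issues names the single application it is for, and each application rejects assertions addressed to anyone else, so a token lifted from one app cannot be replayed against another. The following Go program is an added example (not code from the whitepaper or any named vendor) showing that control. The token format is a deliberately simplified HMAC-signed stand-in for a SAML or OIDC assertion, and the applications, user and signing secret are all constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a deliberately minimal assertion: who, for which application, until
// when. SAML and OIDC carry the same three ideas as Subject,
// AudienceRestriction/aud and NotOnOrAfter/exp.
type Claims struct {
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
}

// IdP is the SSO/federation identity provider. It mints one short-lived token
// per application rather than one token that opens everything. The HMAC secret
// is a constructed stand-in for the IdP's signing key.
type IdP struct{ secret []byte }

func (i *IdP) Issue(sub, aud string, ttl time.Duration, now time.Time) (string, error) {
	body, err := json.Marshal(Claims{Subject: sub, Audience: aud, Expires: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + sign(i.secret, payload), nil
}

func sign(secret []byte, payload string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// App is one relying party. It can verify the IdP's signature but accepts only
// assertions addressed to its own audience.
type App struct {
	Name   string
	secret []byte
}

func (a *App) Accept(token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	// Check the signature (constant-time compare) before trusting any claim.
	if !hmac.Equal([]byte(parts[1]), []byte(sign(a.secret, parts[0]))) {
		return c, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	// Genuine but issued for another application: a token lifted from the HR
	// app cannot be replayed against finance.
	if c.Audience != a.Name {
		return Claims{}, fmt.Errorf("token audience %q is not %q", c.Audience, a.Name)
	}
	if now.Unix() >= c.Expires {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed; never hard-code a real one
	idp := &IdP{secret: secret}
	hr := &App{Name: "hr-app", secret: secret}
	finance := &App{Name: "finance-app", secret: secret}
	now := time.Now()
	tok, _ := idp.Issue("alice", "hr-app", 5*time.Minute, now)
	_, err := hr.Accept(tok, now)
	fmt.Println("hr-app:", err) // <nil>
	_, err = finance.Accept(tok, now)
	fmt.Println("finance-app:", err) // token audience "hr-app" is not "finance-app"
}
```

Short expiry and audience scoping are the two claims to insist on when reviewing a federation integration; a shared session cookie or a wildcard audience silently recreates the one-credential-opens-everything risk that the paragraph above warns about.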
A passwordless biometric interface that utilizes multifactor authentication is well-suited for a blockchain environment. User credentials (public keys or their hashes, never the biometric data itself) are stored and verified on a decentralized infrastructure, removing the single central store whose breach would expose every user, and retaining a permanent, tamper-evident record of all actions taken on the network.
“Gartner estimates decentralized identity services to be generally ready for broad production scenarios in 2020.”
In a sufficiently advanced identity management system, users may create accounts built solely around biometric keys that are confirmed based on ephemeral tokens (never creating a password/username); that integrate automated MFA (using “where you are” data, for example); and that operate those standards on an SSO architecture.
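The exchange sketched under “Putting Biometrics to Work” and summarized here can be seen concretely in the following Go program, which is an added example rather than code from the whitepaper or any product. It assumes the model in which the biometric only unlocks a key pair held on the device: the server enrolls the public key, hands out a random single-use nonce as the ephemeral token, and accepts a login only when that nonce comes back signed by the device key within its lifetime. The biometric sensor is a constructed callback, the origin string and user names are made up, and the server keeps its registry in memory rather than on a ledger.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Server side. The only per-user credential material held centrally is a public
// key: there is no password hash and no biometric template to steal.
type Server struct {
	origin  string                       // bound into every signed message
	pubKeys map[string]ed25519.PublicKey // enrolled device keys, by user
	pending map[string]challenge         // one outstanding challenge per user
}

type challenge struct {
	nonce   []byte
	expires time.Time
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]challenge{}}
}

// Register stores a device public key at enrollment, the step where identity must be verified out of band.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// NewChallenge issues the "ephemeral token": a random, single-use nonce valid for 60 seconds.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = challenge{nonce: nonce, expires: time.Now().Add(60 * time.Second)}
	return nonce, nil
}

// signedMessage binds the origin into the signature, so a response collected by a look-alike phishing site cannot be relayed.
func signedMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"|"), nonce...)
}

// Verify consumes the challenge first (so a replay fails even if this attempt fails), then checks expiry and signature.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	c, ok := s.pending[user]
	delete(s.pending, user)
	if !ok || !bytes.Equal(c.nonce, nonce) {
		return errors.New("unknown or already used challenge")
	}
	if time.Now().After(c.expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.pubKeys[user], signedMessage(s.origin, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Device side. The private key never leaves the device. The biometric sensor is a
// constructed stand-in (a callback) for the secure element's fingerprint or face gate.
type Device struct {
	priv      ed25519.PrivateKey
	biometric func() bool
}

func NewDevice(biometric func() bool) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, biometric: biometric}, pub, nil
}

// Sign releases a signature only after the local biometric check passes.
func (d *Device) Sign(origin string, nonce []byte) ([]byte, error) {
	if !d.biometric() {
		return nil, errors.New("biometric check failed; key stays locked")
	}
	return ed25519.Sign(d.priv, signedMessage(origin, nonce)), nil
}

func main() {
	srv := NewServer("https://sso.example.internal") // constructed origin
	dev, pub, _ := NewDevice(func() bool { return true })
	srv.Register("alice", pub)
	nonce, _ := srv.NewChallenge("alice")            // 1. server -> device: random nonce
	sig, _ := dev.Sign(srv.origin, nonce)            // 2. device: biometric gate, then sign
	fmt.Println(srv.Verify("alice", nonce, sig))     // 3. server: verify; prints <nil>
}
```

Because the signature covers the server’s origin, a look-alike phishing page that relays the nonce gets a signature over its own origin that the real server will not accept, and because the nonce is deleted on first use, a captured response cannot be replayed. No secret is ever stored centrally, so the “centralized password database” of the pull quote above has nothing left to leak; what remains to protect is the enrollment step, where the wrong public key registered for a user is equivalent to a stolen password.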
A Zero Password Enterprise
Inevitable, if only because of its competitive edge.
Trust is more important than ever for the enterprise – between partners, clients, and customers, and within the company. The enterprise must project stability, safety, and certainty.
It is no longer sustainable to displace any fraction of the enterprise network’s security demands onto the user’s ability to handle password requests. Doing so will inevitably damage the company’s trust, its perception, and its capacity for innovation and growth. It will diminish the work experience of its employees and its ability to attract the top talent that will sustain it into
There are no longer any excuses for this trade-off to be the expectation; for increasingly complex passwords to stifle growth and erode trust.
A passwordless interface between enterprise resources and the workforce is close at hand. The tools are available, if nascent. And if done correctly, it not only accelerates the pace of business, it increases security and trust as well.
"Let’s face it: we’re living in a post-password society. Millennials know it, workers know it. But legacy systems are always slow to catch up with the demands of their users. Risk mitigation, education, due diligence, and IT overhaul costs are legitimate reasons for apprehension or delay – but they’re also excuses for procrastination."
Services (subscription and managed) will represent at least 50% of security software delivery by 2020.
“Security as a service is on the way to surpassing on-premises deployments, and hybrid deployments are enticing buyers. A large portion of respondents to Gartner’s security buying behavior survey said they plan to deploy specific security technologies, such as security information and event management (SIEM), in a hybrid deployment model in the next two years.”
Stack the evident weaknesses of the status quo against the demonstrated improvements in security, productivity, availability, and performance of newer methods and the solution is apparent. The organization that removes barriers and empowers employees will find its footing in the future, because its workforce will carry it there.