Envisioning a Zero Password Enterprise

It’s past time for a passwordless identity and access management system.

The Situation at a Glance

Modern identity management relies on us evolving past the password.

Seamless availability of enterprise resources is essential for employee productivity and job performance. That being the case, enterprises are on the hook to supply a proliferating set of applications and databases to a rapidly expanding and diversifying workforce – where all employees expect instant and constant access to those resources.

The username/password architecture isn’t a sustainable path. It’s making these demands increasingly difficult and risky for businesses – and sometimes impossible. Passwords suck up time and slow down work. They are barriers to progress, impediments to growth, and burdens to workflows – not to mention serious threats to security and trust.

Eliminating passwords from the identity management equation is the only way to future-proof the enterprise and give employees the empowered work experience they deserve.

How can this be achieved, and what do we stand to gain from a passwordless enterprise?

Read on to find out.

The Connected Enterprise

The modern enterprise is always-on, hyperconnected, and operates on a global scale with a fluid, flexible, worldwide workforce. That’s the default expectation. But just because it’s table stakes for a competitive operation doesn’t mean it’s easy to orchestrate.

Given enough time, a centralized password database will fall.

Business applications and data must be available to all employees, all over the world, at all times. That means cloud-based apps – and lots of them.

SaaS solutions and homegrown software applications are steadily integrating themselves into every essential business operation – most notably, business intelligence, data, analytics, and collaboration. Accordingly, investments in this area continue to rise year after year.

The Modern Workforce

Global, Remote, Flexible

An important trend for worker productivity, morale, and work/life balance – but a real challenge for the enterprise network.

  • 53% work remotely for half of the week or more
  • 11% of people work outside of their company’s main office location 5x/week
  • Dell’s workforce will be 50% remote by 2020

“Flexible working, supported by a professional on-demand workspace network, is now being discussed by senior leaders across functions in companies including risk management, business development, human resources, marketing and strategy.”

Mark Dixon, founder and CEO of IWG.

Talent Gaps

Competition for Skilled Workers Accelerates

Advanced enterprises that remove work barriers will win the best talent and give their companies the best chances of future success.

  • 83% report a skills gap in their organization
  • 78% expect their organizations will have a skills gap in the future
  • 75% say that the skills gap affects their organization’s service delivery, customers, or future growth. (ATD)

Some collaboration apps create risk and some employees use personal devices for work – creating security dangers.

“The cloud is now being relied on as a growth catalyst where the apps it enables are removing barriers to growing revenues and gaining new customers while stabilizing operations.”

Business spending on software has soared from $172 billion to $920 billion over the past 25 years.

“Software has become the dominant medium for engaging with customers, documenting transactions, and managing employees and assets. What’s next? Software will spread to every corner of enterprise operations”

Security: The Permanent Priority

Expanding, evolving, accelerating, and facing new challenges on the global stage.

With a spreading enterprise presence to protect, CISOs are working around the clock to face bigger pressures than ever before. The demands on enterprise networks are massive and the margin for error is nonexistent when one mistake can cripple an entire company. CISOs know all too well that such an incident is always right around the corner.

2019 has seen more than 1,300 data leaks exposing over 4 billion records.

Risk Based Report

51% of data breaches are caused by malicious and criminal attacks, the leading cause.

Ponemon

Data breaches cost an average of $3.9M but average higher in the US ($8M).

Ponemon

Security-related challenges redirect resources & strategic activities that include governance and compliance regulations, budgetary constraints, and employee awareness and cooperation issues.

60% of CISOs report that they rarely, if ever, disconnect from work.

Dice

88% report working over 40 hrs/week.
22% believe that they are on-call 24/7.

Dice

50% expect their security budget to increase in the next 12 months.

IDG 2019 State of Security Study

With so many data breaches caused by stolen or weak credentials, the enterprise is prioritizing identity management in its cybersecurity posture.

81% of hacking-related breaches were the result of weak, stolen or reused passwords.

Verizon Data Breach 2019

Worldwide spending on Identity Access Management (IAM) rises steadily:

  • 2018: $10.11B
  • Projected 12.84% CAGR through 2025
    • 2019: $23.38B

Privileged Access Management (PAM) is Gartner’s number one security project for 2019, and an important factor in making it more difficult for opportunistic hackers to target or compromise the credentials of privileged users.

This trend encompasses a spectrum of initiatives, but none as high profile as the main interface between users and those all-important and increasingly numerous business applications: user credentials. Nearly all user credentials are currently rooted in the username/password architecture. But given the proven shortfalls of passwords, they really shouldn’t be.

The Problem with Passwords

Deceptively expensive and inescapably obsolete.

Current identity management systems are mostly based around usernames and passwords, which are an increasingly unwarranted hassle. Current attempts to reduce risk to the company too often put the burden on the workforce by demanding more frequent password resets with stricter and stronger requirements each time.

That’s because ostensibly the problem with compromised credentials is the people, not the framework. After all, people create weak passwords. People also get fooled by phishing scams and easily frustrated or delayed by barriers to login.

And users often have the same password for personal devices as they do for work, so if passwords are in use at all, anywhere in the company, the network always has vulnerabilities beyond what the enterprise can control.

Simply typing in the word “password” has allowed fraudsters to gain access to 3.6M accounts worldwide.

When people forget their password:

  • 37% are locked out of their account
  • 37% cannot access something they need
  • 19% delay work

Okta

People have to remember 10 passwords on average, and forget 3 in a typical month.

Let’s be clear: the end-user is the weakest point in the network. But it’s not the user’s fault. Enterprises have piled exorbitant requests onto them, claiming a lack of real solutions and scapegoating the user’s inability to handle increasingly burdensome password requirements for an unforgivably weak security posture.

So, as companies continue to place more stringent demands on their workers, the workers expect the company to bear the burden of the security problems.

Currently, that responsibility takes the form of booming IT support costs – if the companies aren’t already bearing the fallout of (what some CISOs perceive as) an inevitable breach.

Microsoft spends $2 million in help desk calls a month helping people change their passwords.

“Passwords are the weak link. They have terrible characteristics about them, and they’re hard for you to keep track of. Passwords are also super expensive for companies.”

Alex Simons, director of program management in Microsoft’s identity division

Passwords Cost Big Bucks

IT & Help Desks Bear the Brunt

Employees encounter password update reminders 67% more often than any other element of their companies’ cybersecurity policies.

  • Password protection is the most commonly practiced IT security behavior among employees.
  • 20-50% of all helpdesk calls are for password resets (Gartner)
  • Help Desk calls average $25 cost/instance (Forrester).

Getting Past Passwords

Identity management doesn’t necessarily mandate any connection at all with passwords or usernames.

CISOs are starting to understand that the employees are correct: this is a business problem, not a people problem. It must be solved from the top down in a way that empowers the entire, global workforce without increasing risk for the company.

To continue to attract talent with competitive skill sets and ensure job satisfaction for current employees, the enterprise must meet the demands of the modern workforce – not dismiss them as luxuries.

42% of millennials use complex passwords that combine special characters, numbers, and letters.

41% of people reuse the same password multiple times.

IBM Future of Identity Study

75% of millennials are comfortable using biometrics instead of passwords

“Going passwordless means removing the burden from the users and the risk from the enterprise. It’s a win-win. And when companies cross that threshold and start to see that things can be done differently, they tend to wonder how they managed to wait so long.”

Anthony Maley, Founder & CTO of Vouch

The enterprise must improve its capabilities for user-friendly identity access and management. To do that, it must address the main culprit of cost, productivity, morale, and risk: the username/password scenario.

How are they accomplishing that? A combination of biometrics, multifactor authentication, single sign-on, and a little bit of contemporary ingenuity.

“By 2022 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases.”

Ant Allan, Vice President Analyst in Gartner Research.

“Eliminating passwords has been a longstanding goal, but is only now starting to achieve real market traction. Passwords are a magnet for attackers and are susceptible to a variety of attacks such as social engineering, phishing, credential stuffing and malware.”

Biometrics are Becoming Default

Convenient, user-friendly, and more secure than passwords.

One popular tactic to reduce user hassle while keeping the enterprise secure is to utilize biometrics in place of passwords. The introduction of biometric keys to mobile devices is a huge benefit to the user and the enterprise – if used correctly.

Biometrics are directly tied to the individual. In fact, they are the individual. Since this solution ties the person’s identity directly to their devices and data, it removes the unreliable, inconsistent layer in between person and application that stresses the network’s security.

But biometrics should always be part of a truly passwordless architecture – not just one that appears passwordless to the end-user. User accounts should never have a password attached to them, even at creation, or the risk of compromising it will always be present.

“The connected economy is forcing a need to redefine digital identity and to rely on new ways to make sure people are who they claim to be.”

Frances Zelazny, vice president at BioCatch

Nearly 90% of businesses will use biometric authentication by 2020, up from 62% in 2018.

Spiceworks

  • 67% of respondents are comfortable using biometrics today.
  • 87% will be comfortable with it in the near future.

IBM Future of Identity Study

Putting Biometrics to Work

The ubiquity of consumer devices in the workplace is mutually beneficial for employees and the business. It means the biometric hardware and software that comes packaged with most consumer mobile devices are readily available for integration into identity management systems.

Now, seamless integration of tools like fingerprint and face ID into enterprise workflows is not only possible, it’s cost-effective and convenient. As long as the biometric data is ephemeral and decentralized – not stored on a hackable, centralized database – the risk of compromise is essentially eliminated.

And if you can cryptographically verify user credentials through a self-sovereign identity system, you can reduce friction while increasing security.

But biometric integration isn’t a complete solution to the identity management problem; it’s an iterative improvement in security and convenience. And it’s important to note that biometrics are not flawless.

Some software is stronger than others at confirming facial or fingerprint recognition across different circumstances. Spoofed or inaccurate sensors have been reported. Some users have privacy concerns about their personal biological data being active on the company network. And a software or hardware lapse can cause a lockout from the network.

A biometric key is also a single credential that enables access to the network, so enterprises must carefully verify the user’s identity at the creation of any account that will allow biometric access.

Biometrics are also, of course, more secure when combined with additional factors of ID verification.

Multifactor is Now Mandatory

Strong security rests on many factors, and it’s important to use every tool at your disposal.

Multifactor Authentication (MFA) takes many forms, but always involves verifying credentials through an additional factor. In a password/username scenario, that’s often a PIN, email confirmation, security questions, or one-time-use code delivered by SMS – all additional layers of security that create additional filters for would-be criminal actors to navigate.

MFA can eliminate up to 100% of hacking attempts. But those commonly used scenarios add a layer of complication for the user along with the extra layer of security. They’re inconvenient and come with a risk of being hacked.

Additional factors often used in MFA:

  • “what you know” (like a password)
  • “what you have” (like a device)
  • “who you are” (a biometric key like fingerprint, face ID, retinal scan, etc.)
  • “where you are” (GPS location-based factors)

Fortunately, MFA does not necessarily mandate an extra action by the user. It can also use automatic factors that provide a smoother end-user experience, like biometric data, device ID, or time of day. Additional capabilities similar to biometrics are also in development that will aim to increase the seamlessness of the technology, integrating data on things like the way you hold your phone, your swiping patterns, or the amount of pressure you use when typing. (These might fall under the “who you are” factor in a subcategory of “how you behave.”)

Gartner recommends that, as part of a PAM plan: “At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators. It is also recommended that CISOs use MFA for third-party access, such as contractors.”

The global Multifactor Authentication (MFA) market is expected to reach $16,800,000,000 by the end of 2024, growing at a CAGR of 18.0% between 2019 and 2024.

SSO Saves Hassle

Single sign-on allows for seamless, automated re-authentication of user credentials to save the time spent on repeated log-ins, removing some obstacles within workflows.

Some enterprises use identity federation tools to enable access to the entire suite of enterprise applications. Similar to SSO, this enables one identity management system to facilitate access to multiple platforms as authorized by the company.

Tools like SSO and federated identity make it easier for workers to continuously access the proliferating set of enterprise resources, but linking one identity across multiple applications or through a centralized management system also comes with risks; if that credential is compromised in one application, it functions as a breach to all of them.

That’s why it’s best to combine SSO and federated identity solutions with biometric access and MFA measures.

A passwordless biometric interface that utilizes multifactor authentication is well-suited for a blockchain environment. User credentials are stored and verified on a decentralized infrastructure, eliminating the possibility of a central data breach and retaining a permanent, tamper-proof record of all actions taken on the network.

“Gartner estimates decentralized identity services to be generally ready for broad production scenarios in 2020.”

Homan Farahmand, Gartner senior director

In a sufficiently advanced identity management system, users may create accounts built solely around biometric keys that are confirmed based on ephemeral tokens (never creating a password/username); that integrate automated MFA (using “where you are” data, for example); and that operate those standards on an SSO architecture.

A Zero Password Enterprise

Inevitable, if only because of its competitive edge.

Trust is more important than ever for the enterprise – between partners, clients, and customers, and within the company. The enterprise must project stability, safety, and certainty.

It is no longer sustainable to displace any fraction of the enterprise network security demands onto the user’s ability to handle password requests. Doing so will inevitably damage the company’s trust, perception, and the company’s capacity for innovation and growth. It will diminish the work experience of its employees and its ability to attract the top talent that will sustain it into the future.

There are no longer any excuses for this trade-off to be the expectation, or for increasingly complex passwords to stifle growth and undermine trust.

A passwordless interface between enterprise resources and the workforce is close at hand. The tools are available, if nascent. And if done correctly, it not only accelerates the pace of business, it increases security and trust as well.

"Let’s face it: we’re living in a post-password society. Millennials know it, workers know it. But legacy systems are always slow to catch up with the demands of their users. Risk mitigation, education, due diligence, and IT overhaul costs are legitimate reasons for apprehension or delay – but they’re also excuses for procrastination."

Anthony Maley, Founder & CTO, Vouch

Services (subscription and managed) will represent at least 50% of security software delivery by 2020.

Gartner

“Security as a service is on the way to surpassing on-premises deployments, and hybrid deployments are enticing buyers. A large portion of respondents to Gartner’s security buying behavior survey said they plan to deploy specific security technologies, such as security information and event management (SIEM), in a hybrid deployment model in the next two years.”

Gartner

Stack the evident weaknesses of the status quo against the demonstrated improvements in security, productivity, availability, and performance of newer methods and the solution is apparent. The organization that removes barriers and empowers employees will find its footing in the future, because its workforce will carry it there.
