Moving to Password Less

One of the primary challenges, and risks, when running an identity service, application, or program is managing passwords.  Whether it's enforcing strong passwords, syncing passwords, handling resets and self-service, or preventing breaches that stem from their use, passwords present a long list of problems.  To improve security, reduce risk, and improve the user experience, we are moving to passwordless (see the difference) and modern authentication strategies.  These provide a more secure means of authenticating users internally and externally, reduce the risk and attack surface of the infrastructure, and improve the user experience.

But did you catch the difference in how I termed things?  Moving to Password Less by implementing passwordless?  Aren't they the same thing?  No, not at all, and let me explain why.

The primary goal, and selling point, of modern authentication (e.g. SAML, OAuth / OIDC) and passwordless technologies is the removal of passwords and the risks associated with them.  But in actuality we are not, and will not for the foreseeable future, eliminate the use of passwords.  And this is why passwordless is failing in a lot of organizations.  It is not a technical / implementation problem; it is an expectation and support problem.

Most organizations I work with on SSO projects have 100+ internal and external applications that need to be integrated.  This means 100+ applications (both third-party and self-developed) need to support some form of modern authentication in order to 1) secure the authentication itself and 2) hand authentication back to the central IdP, where passwordless can be applied.  What I've ended up finding is that we get to roughly 50% coverage and then run into custom development, small / point solutions, etc. that still require legacy authentication methods (local accounts, LDAP binds, basic auth).  So you've invested all this infrastructure and time and still have legacy applications carrying the risk.

How do we fix this? 

First and foremost, we need to reset our expectations of passwordless and change the narrative to using passwords less (see the wordplay there).  Yes, modern authentication and passwordless are going to be more secure and provide a better experience, but when talking about and selling this to our leadership and peers, we need to set the expectation that this is like anything else: a continuous improvement initiative.  Rather than saying we are going passwordless, change the conversation to "we are moving to more secure authentication to reduce the usage and prevalence of passwords."  Regardless, passwords are still going to be required and used in certain circumstances, and those will be secured using other means (see below).

Secondly, do the ground and infrastructure work.  Most passwordless vendors and technologies integrate with existing SSO technologies to exchange secure authentications with target applications.  If you do not have a central SSO platform (Ping, Okta, Entra, etc.), then buying passwordless isn't going to go very far in terms of integration.  So focus on integrating applications with your central SSO first, then layer passwordless and strong authentication on top of that experience.

Since passwords are still going to be needed for the foreseeable future, look at ways to improve user habits and reduce risk.  One of the things I recommend to my customers is to look at enterprise password managers (e.g. LastPass, 1Password, Keeper, etc.).  Heresy, I know, so why would you do that?  Well, the biggest risk with passwords and users is that users are going to set them to something they can easily remember.  And 4 out of 5 times, they are going to set them all to something similar.  So, given that they are all similar, and probably something close to the user (easily phished, guessed, etc.), why not take that out of their hands and give them a tool that sets strong, unique passwords (and stores / enters them) for them?  There have been breaches of these products, but much of the risk has come from organizations not embracing them and not setting controls around their usage and configuration.  All the password managers I mentioned above support enterprise strong authentication and policy management.  So we can require strong, ideally phishing-resistant, authentication and a policy to unlock a user's vault (the vault is now a high-value target, so treat its unlock accordingly), then automate strong passwords for anything they use as part of their normal day.

Lastly, for those ultra-secure and high-risk credentials (root, cloud root / account-owner credentials, service accounts, etc.), look at enterprise PAM products.  These are literally the keys to the kingdom and should be discovered, vaulted, secured, and rotated regularly, with check-out and session recording where the product supports it.  They are always going to exist, and as such should be secured and integrated into the larger authentication and security strategy of the environment.

So, with all this in place, you can go back to your teams and start talking password less while securing your IAM program and user experience.
