Three things organizations must do to secure “passwordless”
By Jerome Becquart, COO, Axiad
The pandemic forced organizations to accelerate their journey to passwordless with secure authentication methods such as multi-factor authentication (MFA), as individuals were expected to access the corporate network from many different locations, without compromising security or operational capacity. According to Gartner, 60% of large enterprises and 90% of midsize businesses will be using passwordless authentication by 2024. But passwordless in isolation is not enough. To get the full strength of your offering, you need to ensure your authentication methods are standardized and automated across your organization.
The Problem
Instituting new security programs—particularly when it comes to identity security—ultimately relies on the end user consistently adhering to the new policies. It only takes one instance of circumventing controls to expose your company to a hacker. This problem is further compounded by the fundamental failure of passwords as a method of authentication. Many organizations spend in excess of $1 million on password-related IT support according to Forrester, and by some estimates, over 80% of data breaches can be traced back to poor password hygiene in one form or another.
In practice, of course, it is a lot more difficult to enforce a passwordless system across every employee logging into each device or system they use. If an authentication credential has expired, for example, or is temporarily misplaced, how do employees regain access to the system without falling back on insecure one-time passwords and costing the organization valuable resources? How long does the end user sit idly waiting for a solution before concluding (from an operational standpoint) that the lesser of two evils is to find a workaround in the system, leaving the organization open for threat actors to gain a foothold in the corporate network?
The 3-step solution – fostering a company-wide policy of security culture
Attempting to solve the problems described above can be difficult, often placing undue burdens and costs on an over-stretched and underfunded IT department that is already dealing with the enormous task of moving huge swathes of the workforce to a remote model. Here are three key steps to help you increase security policy compliance, decrease IT burdens, adopt a passwordless security approach, and bolster end user self-sufficiency — all critical issues to address as you ensure secure remote work.
First, it is important that you make the case for security as a primary concern to all individuals. Since it only takes one individual error to let a hacker into the network, take responsibility for explaining the consequences of such an error to your employees through security training, both in terms of the personal consequences for them and the wider consequences for the business should a breach occur.
Second, ensure that your passwordless authentication system does not exist in a vacuum. Users are often resistant to change, and will procrastinate and delay any proposed changes (renewing and replacing credentials) while their existing credentials continue to work: Don’t let them. Consider implementing technology that will flag users attempting to bypass the authentication protocols you have in place and automatically reroute these users to a system that requires specific actions to be taken before the user can access the corporate network. The empowerment this gives a company from a security perspective cannot be overstated: It provides enterprises with a security standard that can be consistently applied across the entire company, without impacting employee productivity.
Third – and arguably most crucial – ensure that shaping user behavior happens without the involvement of IT support. If this process is automated, it avoids placing undue burdens on already overstretched IT teams, who would otherwise have to handle every individual incident of authentication being bypassed. In turn, this frees up IT teams for their own projects. When the teams are not constantly putting out fires, they can also work to proactively improve the IT posture of their enterprise.
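The second and third steps above describe an enforcement loop: a login that bypasses the passwordless methods is flagged and redirected, and an expired or expiring credential is routed to a self-service renewal step rather than an IT ticket. The following policy evaluator is an added example, not Axiad's product or any vendor's code; the method names, the 14-day renewal window and the sample events are all assumptions made for the illustration.

```python
"""Policy evaluator for enforcing a passwordless rollout.

Added illustration (not code from the article or from Axiad).  It models two
behaviours the article calls for: an attempt that bypasses the passwordless
methods is blocked and flagged for security, and an expired or expiring
credential is routed to self-service renewal instead of to IT support.
All method names, windows and sample events below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed: methods treated as phishing-resistant passwordless credentials.
PASSWORDLESS_METHODS = {"fido2", "smartcard", "platform_authenticator"}
# Assumed: fallbacks that must not silently replace a passwordless login.
FALLBACK_METHODS = {"password", "otp", "sms"}
# Assumed: prompt for renewal this far ahead of expiry so it stays self-service.
RENEWAL_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class AuthEvent:
    user: str
    method: str
    credential_expires: Optional[datetime]  # None for credentials without expiry
    when: datetime                          # time of the attempt


@dataclass(frozen=True)
class Decision:
    action: str    # "allow", "allow_with_reminder", "renew_required", "block"
    flagged: bool  # True when the security team should review the event
    reason: str


def evaluate(event: AuthEvent) -> Decision:
    """Apply the passwordless policy to a single authentication attempt."""
    if event.method in FALLBACK_METHODS:
        # Bypass of the passwordless system: deny, flag, route to enrollment.
        return Decision("block", True,
                        f"{event.method} not permitted; redirect to passwordless enrollment")
    if event.method not in PASSWORDLESS_METHODS:
        return Decision("block", True, f"unknown method {event.method!r}")
    exp = event.credential_expires
    if exp is not None:
        if exp <= event.when:
            # Expired credential: self-service renewal, no IT ticket needed.
            return Decision("renew_required", False,
                            "credential expired; redirect to self-service renewal")
        if exp - event.when <= RENEWAL_WINDOW:
            days = (exp - event.when).days
            return Decision("allow_with_reminder", False,
                            f"credential expires in {days} days; prompt renewal")
    return Decision("allow", False, "passwordless credential accepted")


def summarize(events: List[AuthEvent]) -> Dict[str, int]:
    """Count decisions by action, as a compliance dashboard would."""
    counts: Dict[str, int] = {}
    for ev in events:
        action = evaluate(ev).action
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample events for the demonstration (not real log data).
NOW = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    AuthEvent("alice", "fido2", None, NOW),                          # allow
    AuthEvent("bob", "smartcard", NOW + timedelta(days=90), NOW),    # allow
    AuthEvent("carol", "smartcard", NOW + timedelta(days=5), NOW),   # reminder
    AuthEvent("dave", "smartcard", NOW - timedelta(days=1), NOW),    # renew
    AuthEvent("erin", "password", None, NOW),                        # block, flagged
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        d = evaluate(ev)
        print(f"{ev.user:6} {ev.method:10} -> {d.action:20} flagged={d.flagged} ({d.reason})")
    print(summarize(SAMPLE_EVENTS))
```

The point of the `flagged` field is that only genuine bypass attempts reach the security team; expiry handling stays in the self-service path, which is what keeps IT out of routine credential renewals.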
A cultural shift in authentication
Strong authentication methods need to be recognized as a hugely successful and effective way of dealing with cybersecurity threats that impact the ability of a business to function, grow and thrive. Whether we like it or not, passwordless is coming: Gartner’s predictions tell us that we need to be ready imminently for this seismic shift in authentication. By making it simple for employees to uphold security best practices, your organization can successfully become passwordless and better protect itself from breaches, no matter where your employees work and without adding any additional layers of complexity for the end user.
About the Author
Jerome Becquart is COO of Axiad. Jerome has over 20 years of experience in identity and access management solutions, including 15 years at ActivIdentity. Jerome’s management experience includes roles in operational management, sales management, professional services, product and solution marketing, engineering, and technical support. After the acquisition of ActivIdentity by HID Global in 2010, Jerome served as general manager of the HID Identity Assurance business unit. He chaired the GlobalPlatform Government Task Force for three years, and served on the board of directors of that industry organization.