I’ve noticed from watching multi-factor authentication (MFA) trends over the past seven years that spending on passwordless technology has held firm, ranging between 17% ~ 21% CAGR. Today, analysts have forecasted accelerated growth through 2030 at around 29% CAGR. Why the acceleration in an already aggressive market? These technologies are spreading beyond just MFA into situations where organizations are trying to move away from traditional usernames and passwords. The way I see it, this is because so much of what runs a business is done through digital media. Simple and secure access to those resources has become a core requirement, and traditional credentials deliver neither. It’s why we’ve seen so much emphasis on passwordless authentication these past couple of years. Meredith Wood, an executive for SMB online services, has noted that the most frequently used business processes conducted on digital tools include:
- Project management
- Communication and collaboration
- Website builder
- Website performance monitoring
- Customer relationship management
- Email marketing
- Social media management
- File storage and access
- Video conferencing
- HR management
Not only are most business processes conducted digitally, but both the resources and the people using them are also universally connected, often from their own BYOD devices. In parallel, on the resource side, the volume of sensitive information produced by the organization’s digital transformation is enormous at the same time that its traditional security practices are becoming less applicable, effective, and even relevant. So, while digital consumption is quickly evolving, IT continues to lose its traditional security practices, making it harder to maintain security levels at the same time that business owners are pushing for simplified access to the resources used to run their business. The result is that, in large part, the security perimeter has migrated away from firewalls to a more identity-centric paradigm.
So how big of a deal are these security shifts?
Reminding everyone of the business imperative
The reality of our heavy reliance on the digital world (B2B, B2C, G2C) makes accessing these resources simply and securely far more important because when done properly it:
- Directly results in increased workforce productivity and less social engineering around security
- Has the potential to dramatically accelerate business agility
- Improves user satisfaction for B2C relationships
You might be thinking that I’ve wandered away from the central topic of passwordless authentication. But the point that I’m working towards is how important it is to step back and take a big-picture approach, resist tactical decisions, and be more strategic about how you decide to incorporate that technology into your environment. Consider how passwordless technology can be leveraged to:
- Introduce zero trust best practices to raise the security level of your digital assets
- Increase job satisfaction in your work environment enough that it makes a tangible difference in employee retention
- For your B2C services, increase consumer engagement while maintaining your risk levels against fraudulent access
Invoking the right authentication
The key point that I’m proposing is that letting a specific service dictate your passwordless decisions will likely lead to a dead-end implementation as well as a missed opportunity to raise your security bar. You will get more out of your passwordless technologies if you incorporate them as part of an adaptive access architecture. This approach allows you to minimize identity verification requirements for low-risk interactions while progressively strengthening them for higher-risk ones.
Now that the corporate network perimeter is gone, the traditional security assurance that came from a managed network needs to be compensated for. That means that, to be effective, new criteria need to be gathered to identify risky situations:
- Location – IP address, geolocation
- Device – the device itself, using signals such as device ID, browser profile and history
- Behavioral analytics – is this identity behaving the way it has in the past?
Measuring context and calculating behavioral analytics gives you the foundation to choose which verification type delivers the identity confidence that you need while still striving to keep it simple for the user.
While user context and behavioral analytics are essential metrics for calculating risk at a point in time, their assessment omits the risk inherent in the resource (data, service, application, etc.) itself. So, while security teams are building rules mapping authentication and authorization to context-centric risk scores, the policies that they’re enforcing are incomplete. Rather than limiting risk assessment to context, access control architects should be factoring in the risk posed to the business by the potential consequence of a crippled or disabled service or the loss of sensitive information. Without this added perspective, the risk scores used to decide when to invoke another authentication request, restrict access, or even terminate the session are based on a partial picture. By contrast, because the Risk Service can receive risk scores for resources managed by NetIQ Identity Governance, it is able to incorporate explicit resource risk scores and use them in concert with the user’s risk information. That is an essential component of an effective adaptive access environment.
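To make the argument concrete, here is a small adaptive-access policy engine written for this article (it is an added illustration, not code from NetIQ or any other product). It scores the three context signals listed above, blends them with a resource-level business risk score, and shows that the same routine sign-in yields a different decision once the resource's own risk is included. All signal weights, thresholds, scores and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical adaptive-access policy; weights, thresholds and sample values are constructed.

@dataclass(frozen=True)
class AccessContext:
    """Signals gathered at request time: location, device and behaviour."""
    ip_country: str
    usual_country: str          # where this identity normally signs in from
    known_device: bool          # device ID / browser profile seen before
    behavior_anomaly: float     # 0.0 = typical for this identity .. 1.0 = highly unusual

@dataclass(frozen=True)
class Resource:
    """A protected asset with a business-impact score (0..100), e.g. from a governance catalogue."""
    name: str
    business_risk: int

def context_risk(ctx: AccessContext) -> int:
    """User/context risk at a point in time, 0..100 (the context-only view)."""
    score = 0
    if ctx.ip_country != ctx.usual_country:
        score += 30                       # unfamiliar geolocation
    if not ctx.known_device:
        score += 30                       # unrecognised device
    score += int(40 * ctx.behavior_anomaly)  # behavioural analytics contribution
    return min(score, 100)

def combined_risk(ctx: AccessContext, res: Resource) -> int:
    """Blend context risk with the resource's own business risk (60/40 split is an assumption)."""
    return min(100, round(0.6 * context_risk(ctx) + 0.4 * res.business_risk))

def decide(ctx: AccessContext, res: Resource, include_resource: bool = True) -> str:
    """Map a risk score to a decision: 'allow' (existing SSO session suffices),
    'step_up' (require a fresh, stronger verification) or 'deny'."""
    score = combined_risk(ctx, res) if include_resource else context_risk(ctx)
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"
    return "deny"

if __name__ == "__main__":
    # Constructed sample: a routine sign-in from the user's usual device and country.
    routine = AccessContext("US", "US", known_device=True, behavior_anomaly=0.1)
    for res in (Resource("team wiki", 10), Resource("payroll export", 90)):
        print(f"{res.name:15} context-only: {decide(routine, res, False):8}"
              f" context+resource: {decide(routine, res)}")
```

Run stand-alone, it prints that the context-only policy allows both resources, while the blended policy steps up verification for the payroll export.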
Relating Passwordless Technologies to My Own Experiences
When it comes down to the best user experience, single sign-on (SSO) remains the foundational technology of low-friction access. But while SSO continues to have the potential to reduce authentication demands significantly, the variability of situations (primarily location and device) and the variety of resources (sensitivity and source) often span beyond SSO’s limits. That moves us to authentication technologies themselves, which ultimately leads to a focus on passwordless solutions. Why? Beyond usability, this technology provides meaningful security benefits in potentially transformative ways.
Remembering credentials – remembering credentials is hard. Before today's ocean of cloud and eCommerce services existed, I had ten or so credential sets that had to be maintained. At work, SSO covered a lot of the complexity, and personally, there simply weren't many online services like Amazon and eBay that I interacted with. Today is totally different.
Doing a quick check of my browser's credential store, it says that it's storing 430 credentials. Perusing the list, it's clear that at least 100 of them are variations on overlapping domains. It's far more than I, or most anyone else, can effectively manage. In fact, on several occasions, I've thought about using a password manager, but I have a fair number of native mobile apps that are front ends to a variety of services, so at the end of the day, a password manager can only take my passwords so far in usability. It's also disconcerting each time a password manager shows up in the news for a breach. Imagine exposing your most sensitive information and resetting all those credentials.
Manual entry doesn’t fit the “anywhere” model – short and simple… entering credentials on the phone is an annoyance at best. What else needs to be said? The whole experience is prone to fat-fingered entry or mistaken voice recognition, which is a hassle to edit. For apps that support it, I move to fingerprint identification as fast as possible to get away from entering credentials manually.
More effective security – over the years, as I tried to stay on top of my credentials for at least my most commonly used services, there were three instances where I was bitten by shared credentials; meaning that when one of the services that I was using was breached, the common credential set was used to breach another. Sharing credentials is the most common technique people use to drive down the number of credentials that they have to remember. The issue is that shared credentials are a primary tool for hackers to breach systems. IT and security teams are especially concerned that their employees are bringing their easily guessed personal passwords to their workplace accounts. It’s a serious problem that depends on employees spending extra effort to create something unique. Security teams mitigate this issue by enforcing complex password policies that their employees are not likely to carry over to their personal life. And yes, this is another example of security trumping usability, and of the fact that passwords are both inconvenient and insecure.
Up next in Part 2
I’ve covered reasons why passwordless should be part of a broader strategy rather than leading it. And I’ve also illustrated from my own experiences the value someone gets as they migrate to a passwordless paradigm. In Moving Passwordless Beyond a Short-Term Itch, Part 2, I review several passwordless options and share observations about their role in the future of access management.