Thales BLOG

Redefining Security: The Power of Passwordless Authentication

JULY 2, 2024

Amit Prakaash | Senior Product Manager at Thales

In the face of rapidly evolving cyber threats, the traditional method of securing sensitive information through passwords has become alarmingly vulnerable. As organizations urgently seek to fortify their defenses, a paradigm shift towards passwordless authentication has emerged as a compelling solution to enhance security, streamline the user experience, and mitigate the risks associated with password-based systems. The time for this shift is now, as the threat landscape continues to evolve at an alarming pace.

As we know, passwords are the weakest link in an enterprise's security landscape. However, passwords are also the oldest authentication method, not only in the computing world but also in our daily lives. Eliminating passwords will create a paradigm shift for all corporations and end users, ushering in a new era of cybersecurity where the risks associated with passwords are a thing of the past.

Given the pressing need for enhanced security, it's crucial to understand the reasons behind the current push to passwordless authentication.

Evolved Enterprise Landscape

  • Perimeterless - Many enterprises have adopted cloud-based systems with the recent shift to remote work. This 'work from anywhere' model is now a permanent fixture, making a return to traditional security models impractical. However, this shift also exposes a larger attack surface to attackers, and passwords are its most vulnerable part.

Heightened Security Measures – Regulatory and Organizational Mandates

  • Password Complexity - Many organizations' commitment to regulatory compliance requires them to enhance authentication processes to meet industry standards and legal requirements. For example, password complexity requirements can bolster authentication processes; however, there is a downside, which lies in the potential impact on user experience and the likelihood of increased password management issues.
  • Pervasive MFA - Pervasive MFA is another mandate that introduces complexity. Implementing MFA across various systems and applications may lead to user frustration and longer authentication times, as users must go through multiple steps to verify their identities. This could impact the overall user experience and potentially lead to resistance from employees who perceive MFA as an additional barrier to their workflow.

Escalated end-user friction

  • Productivity Loss - Challenges related to end-user friction with password authentication are well known. The complexity and frequency of password requirements often lead to user frustration and decreased productivity. Users may struggle to remember intricate passwords, especially when required to update them frequently, leading to an increased likelihood of forgotten passwords and subsequent account lockouts.
  • Increased OPEX - From an administrative perspective, managing and supporting complex password policies may require additional resources and support, as IT teams may need to handle an influx of password-related requests and issues.

What's keeping enterprises from adopting passwordless technology?

Several factors can hinder enterprises from adopting passwordless authentication. Many enterprises rely on legacy systems and applications that may need to support modern passwordless authentication methods. Integrating new authentication technologies with existing infrastructure can be complex and costly, posing a barrier to adoption. There are also compatibility issues to consider, as some passwordless authentication methods may not be fully compatible with all devices, platforms, or browsers, leading to potential usability and accessibility challenges for employees and customers.

Implementing passwordless authentication requires educating users about new authentication processes and technologies. Resistance to change and the need for comprehensive user training can slow an organization's adoption of passwordless authentication. Implementation costs are also a consideration, as the initial investment and ongoing costs associated with implementing passwordless authentication, including hardware, software, and employee training, can deter enterprises, particularly those operating with constrained budgets.

"The digital future is passwordless, and the sooner we embrace it, the better."
Sundar Pichai, CEO of Google

Passwordless Authentication - A Journey

The journey to passwordless authentication represents a significant evolution in how organizations approach identity and access management. Enterprises cannot go passwordless on day one, so setting expectations is the first step in starting their passwordless journey.

The journey typically encompasses several key stages, with MFA being the first step. There are different views on how an enterprise should begin a passwordless journey, but the common denominator is MFA. When considering MFA, enterprises must opt for one solution that meets all their landscape's diverse user authentication needs.

Also, an enterprise must consider the devices used, as these devices are the access gateways of any enterprise landscape. Even the best efforts to secure the landscape may be futile if these gateways are not secured, primarily because of the sheer number of such devices.

Begin at the Edge

Modern-day applications support SSO, so users do not have to provide passwords frequently. Machine access (unlock) is the highest friction point for end users, who must provide a password on each unlock attempt. Hence, it is imperative that an enterprise's passwordless journey begins with Windows devices and must extend beyond machine access. If users must provide passwords for access after a passwordless machine logon, the value of passwordless is null and will be an adoption barrier.

That's why a non-proprietary, standards-based, future-proof solution should be considered to avoid vendor lock-in and unpleasant surprises while remaining sustainable in the long term.

The Thales Approach to Passwordless

Thales has just introduced Passwordless Windows Logon as part of our Passwordless 360 approach. SafeNet Trusted Access (STA) Passwordless Windows Logon is lightweight, feature-rich, MFA-by-design software that secures workforce access to Windows machines. It eliminates the need for passwords for machine access and beyond by replacing the password with a more secure, certificate-based authentication mechanism.

Passwordless Windows Logon leverages an existing on-prem Microsoft Active Directory Certificate Services (AD CS) deployment for certificate management and does not need any additional hardware. The only other prerequisite is machines with Trusted Platform Module (TPM) 2.0 or later, which is already required by the following Microsoft operating systems:

  • Windows 11, Windows 10
  • Windows Server 2022, Windows Server 2019, and Windows Server 2016

Enterprises can opt for the authentication methods (including offline authentication) most suited to their workforce, chosen from a wide range of Thales authenticators. This makes adoption easy in any enterprise landscape, with no business or system-level disruption. On successful enrollment for passwordless, the user only needs to provide the OTP from the STA authenticator to access the machine.

Fig 1 – End user passwordless enrollment message.

Fig 2 – End user passwordless enrollment process.

The passwordless authentication experience is not only limited to desktops but also extends to STA integrated web application access. Users no longer need to remember and manage complex passwords for machine access and beyond, significantly minimizing user friction.

SafeNet Trusted Access Passwordless for Windows Logon also monitors the expiry of the logon certificate and prompts the user well in advance (within a window configured by the administrator) for re-enrollment, which follows the same process as enrollment. Customer-side admins control the logon certificate lifecycle, the enrollment and re-enrollment windows, and enabling or revoking passwordless for users.
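As an added illustration (not SafeNet Trusted Access code) of the two points above, the TPM 2.0 prerequisite and the administrator-configured re-enrollment window, the following PowerShell script checks that the machine reports a TPM 2.0 and lists the user's logon certificates that fall inside the window. The 30-day default window and the assumption that the logon certificate carries the Smart Card Logon EKU are assumptions of this example, not documented product behaviour.

```powershell
# Added example (not Thales/STA code): verify the TPM 2.0 prerequisite and
# report logon certificates approaching expiry. Window and EKU are assumptions.
param([int]$ReenrollWindowDays = 30)   # assumed admin-configured re-enrollment window

# 1. TPM check via the Win32_Tpm WMI class (needs an elevated session).
#    SpecVersion starts with "2.0" on a TPM 2.0 device.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Warning 'No TPM reported; the passwordless logon prerequisite is not met.'
} elseif (-not $tpm.SpecVersion.StartsWith('2.0')) {
    Write-Warning "TPM spec version is $($tpm.SpecVersion); 2.0 or later is required."
} else {
    Write-Output "TPM 2.0 present (Enabled=$($tpm.IsEnabled_InitialValue), Activated=$($tpm.IsActivated_InitialValue))."
}

# 2. Logon certificates in the user's personal store that carry the
#    Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2), with days to expiry.
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$now = Get-Date
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $smartCardLogonOid } |
    ForEach-Object {
        $daysLeft = [int]($_.NotAfter - $now).TotalDays
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            Action     = if ($daysLeft -le 0) { 'EXPIRED - re-enroll now' }
                         elseif ($daysLeft -le $ReenrollWindowDays) { 'Prompt for re-enrollment' }
                         else { 'OK' }
        }
    } | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell session; certificates without the Smart Card Logon EKU are deliberately ignored, so adjust the OID if your CA template uses a different logon EKU.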

Final Thoughts

The journey to passwordless authentication represents a strategic shift towards enhancing security, improving user experience, and preparing organizations for the future of identity and access management. It requires careful planning, effective change management, and a commitment to balancing security with usability throughout the transition.

SafeNet Trusted Access Passwordless Windows Logon augments the overall STA offering, starting right from the edge and triggering the paradigm shift for enterprises towards a passwordless future that is more secure and has an unparalleled user experience.

Interested in how it works? Read more here:

SafeNet Trusted Access Passwordless Authentication