It is well understood that identity-related security issues are the most common cause of breaches today. A key component of identity security is the password, which unfortunately is susceptible to various attacks such as phishing, brute force, and credential stuffing. Why not take passwords out of the equation entirely? Some organizations are embarking on this journey and I’d like to walk you through the details of this passwordless journey.
Implementing a passwordless approach for an organization's workforce involves eliminating the conventional reliance on passwords for user authentication. Instead, employees are asked to use something they are (biometric identifiers) or something they have (mobile devices) to securely access systems and data. This transition requires the establishment of alternative identity verification methods, leveraging individuals' distinct attributes or approved devices. And while passwordless projects can span devices, applications, infrastructure, etc., many are prioritizing core requirements including configuration of IdP, SSO, SaaS apps and cloud infrastructure. Despite the long process, many organizations are banking on passwordless to provide them enhanced identity fabric immunity.
If passwordless indeed addresses one of the biggest issues with identity security, why don't all companies adopt it? There are two primary challenges. First, the passwordless solution can be very complex to roll out, requiring insight into one’s identity posture that few organizations have. Second, organizations don’t have the insight into the adoption of passwordless solutions by various users and departments to effectively adjust their strategy along the way. These are the most common challenges I hear from CISOs and IAM managers who seek help from Spera Security with their passwordless projects.
In line with the two primary challenges, here are some of the most common passwordless-related issues I’ve heard from organizations:
With all these challenges and hurdles, what are the next steps for organizations embarking on the passwordless journey? Here are the steps I recommend to many organizations: These are the same steps followed by Spera Security when supporting organizations embarking on such projects.
As I partner with CISOs and IAM teams who are deploying Spera Security, it's obvious they are gaining, for the first time, comprehensive visibility and context of their identity program, including identity providers, SaaS applications, cloud providers and beyond. Speaking from real-world experience, many of our customers realized that such visibility and actionable context are game-changers for IAM projects including passwordless. If you’re strategizing or implementing identity security projects, contact me for a discussion on how you can leverage our experience.