Your passwordless future may never fully arrive

All-in passwordless strategies fall short: Jim Taylor, chief product and strategy officer at RSA, says today’s enterprise environment and existing passwordless approaches make “100% passwordless not possible just yet,” adding that “85% is possible, with the 15% representing the complicated and the very specialized” needs such as “security admins who need to log in to a door for building access halfway across the world.”

Enterprises that support critical infrastructure face especially difficult passwordless hurdles, Taylor notes. “With critical infrastructure, look at the old switches out there. With drilling situations, you have these mini air-gapped networks that are disconnected. Now satellites are starting to connect these things.”

Taylor estimated that enterprises should be able to hit 100% passwordless compliance “within the next couple of years. Maybe it’s three years to achieve that last 1%.”

Part of the passwordless debate focuses on ROI strategies. The proverbial gold at the end of the rainbow is having all password credentials eliminated. That means an attacker with a 12-month-old admin password from a breach of a partner company would have nothing of value. But as long as some passwords must be supported, the risk of such an attack remains. Security practitioners disagree on how much benefit can be realized short of 100%. “Any password you remove marginally improves your security posture and gives you a slight reduction in your risk profile,” Taylor says.

Oleg Naumenko, CEO of Hideez, says CISOs must think strategically when deciding which systems to target first in their passwordless strategies. “You can’t get support for all of your working technology via one technology. It’s not possible. If a company begins by securing privileged users and critical systems, that alone can significantly reduce exposure. But if the rollout starts with the easiest integrations just to reach more users, the improvement will be superficial,” Naumenko says. “Many start by implementing passwordless access for cloud services because it’s easier, while the more complex, high-risk systems remain password-dependent. I usually recommend reversing that order and starting with the most privileged users.”

By focusing on the users who will have the greatest impact, the passwordless rollout can progress far more smoothly, Naumenko claims.

Proper sequence is critical: “Admins and engineers have the broadest access, so if passwordless works for them, scaling it to the rest of the organization becomes much simpler,” says Naumenko, who recommends first assessing how each service supports passwordless SSO. “Most cloud apps integrate easily via SAML or OIDC, while legacy or custom systems require a different approach,” he says. “The first option is to restrict access through a VPN protected by passwordless SSO. And the more advanced option is to use a reverse proxy service that enables passwordless access directly.”

Or Finkelstein, head of marketing at Secret Double Octopus, has found it effective to trick legacy systems into thinking they are being given a password, when in reality they are not. One technique his clients have used is to “take over the legacy password field and replace the user-selected password with a machine-generated ephemeral token that rotates with every authentication,” he says. “Now, technically speaking, that is still a password, but no human will ever see or use it,” and it doesn’t have the cybersecurity weaknesses of a password and can’t be phished. “As long as it’s API-based authentication, it’s up to us to tailor it and make it work without passwords,” Finkelstein says, arguing that passwordless has become a fait accompli due to industry pressures. “You’ll end up doing passwordless anyway due to compliance demands, cyber insurance requirements or a breach that will make the next guy do it.”

Another complicating factor for passwordless deployment involves critical equipment partners, such as POS providers for retail, who themselves have yet to embrace passwordless. If they deliver systems that still require passwords, it is sometimes difficult for enterprises to work around that.

Erik Avakian, a technical counselor at Info-Tech Research Group, compares some of the passwordless decisions to those CISOs have already made with multi-factor authentication. MFA is not a single technology but a set of authentication mechanism options. Some of those options, such as FIDO2, passkeys, or even authenticator apps, are relatively robust, while others, especially unencrypted SMS, are comparatively weak. Many enterprises proudly say they support MFA, but by not focusing on how robust their MFA mechanism is, they miss the point and deny their businesses the protection MFA was meant to provide. The same problem exists when choosing among the various authentication options under the passwordless umbrella, Avakian says. “We have to learn the lesson of MFA” and not favor convenience over protection, he opines. “There is the security piece and the user experience piece.”

“On paper, passwordless sounds very simple, but in practice, organizations oftentimes can hit roadblocks because their environments are far more heterogeneous than they realize, or the people culture in the organization presents challenges to big changes when it comes to well-baked-in processes that have been in place for a long time,” Avakian points out. “In many ways, moving towards passwordless is very much like how most organizations are approaching their efforts to move toward a zero trust model, a multi-year, multi-phase journey rather than a single flash-cut event.”
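The ephemeral-token technique Finkelstein describes above, as an added illustration that is not code from the article or from any vendor named in it: a broker sits in front of a legacy system that only understands username/password, and on every authentication it mints a fresh random secret, installs it through the legacy system's admin API, and logs in with it. The `LegacySystem` class, its `admin_set_password` API, the account "alice" and the human-chosen password "Winter2024!" are all constructed for the example; the FIDO2/SSO step is assumed to have already succeeded upstream and is represented by a boolean. Running `demo()` shows the two properties the technique is meant to deliver: the old human-chosen password (the kind found in a partner-company breach dump) stops working, and a secret from one authentication cannot be replayed after the next one rotates it away.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 50_000  # constructed value for the stand-in legacy system


class LegacySystem:
    """Stand-in (constructed) for a legacy app whose only login path is
    username/password. It stores a salted PBKDF2 hash and exposes an admin
    API to set a password, which is all the broker needs."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def admin_set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._derive(password, salt))

    def login(self, username, password):
        record = self._accounts.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._derive(password, salt), stored)


class PasswordlessBroker:
    """Sits between the passwordless front door and the legacy system.
    On each authentication it mints a random secret, installs it as the
    legacy account's password, and logs in with it. Installing the new secret
    overwrites the previous one, so any copy of it is useless afterwards."""

    def __init__(self, legacy, token_bytes=32):
        self._legacy = legacy
        self._token_bytes = token_bytes
        self._tokens = {}  # username -> secret currently installed (broker memory only)
        self.audit = []    # (username, outcome) records for review and detection

    def authenticate(self, username, passwordless_verified):
        # passwordless_verified is the outcome of the FIDO2/SSO step, assumed to
        # have happened upstream; the broker never accepts a human-typed password.
        if not passwordless_verified:
            self.audit.append((username, "denied: passwordless step failed"))
            return False
        token = secrets.token_urlsafe(self._token_bytes)  # never shown to a person
        self._legacy.admin_set_password(username, token)  # rotates the old value away
        self._tokens[username] = token
        ok = self._legacy.login(username, token)
        self.audit.append((username, "ok" if ok else "legacy login failed"))
        return ok

    def current_token(self, username):
        """Exposed only so the rotation property can be checked in a test."""
        return self._tokens.get(username)


def demo():
    """Walk a constructed account through the takeover and report the outcomes."""
    legacy = LegacySystem()
    legacy.admin_set_password("alice", "Winter2024!")  # human-chosen, possibly leaked
    broker = PasswordlessBroker(legacy)
    first = broker.authenticate("alice", passwordless_verified=True)
    token_after_first = broker.current_token("alice")
    second = broker.authenticate("alice", passwordless_verified=True)
    return {
        "first_login_ok": first,
        "second_login_ok": second,
        "old_human_password_works": legacy.login("alice", "Winter2024!"),
        "first_token_replayable": legacy.login("alice", token_after_first),
        "token_rotated": token_after_first != broker.current_token("alice"),
        "login_without_passwordless_step": broker.authenticate("alice", passwordless_verified=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the secret lives only in the broker's memory and is regenerated per authentication, which is why it is "still a password" to the legacy system but has none of a password's human-side weaknesses: nothing to remember, reuse, or hand to a phishing page. The audit list gives a detection hook, since a legacy login that does not correspond to a broker record is by construction suspicious.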

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4085426/your-passwordless-future-may-never-fully-arrive.html
