Modernize ADFS Authentication: How a Leading Manufacturer Secured User Login

Don Shin | November 24, 2024

Executive summary

A large manufacturing conglomerate specializing in defense technologies faced a critical dilemma shared by enterprises worldwide: a need to deploy modern cybersecurity controls to protect both cloud applications and systems operating on-prem. For this United Arab Emirates (UAE) based company, that meant extending passwordless authentication across corporate offices and factory locations that used Active Directory™ (AD) and Active Directory Federated Services (ADFS, also abbreviated AD FS) SSO services to verify identity — a challenge only the Octopus platform can meet without invasive rip-and-replace upgrades.

When the manufacturer’s CISO declared phishing-resistant, passwordless MFA login the company’s new gold standard for identity verification, the team selected the Secret Double Octopus (SDO) platform to drive rapid deployment of high-assurance passwordless authentication to roughly 15,000 workers at corporate and manufacturing locations. The Octopus passwordless authentication platform quickly extended NIST AAL3-compliant identity verification to vital on-prem business applications — without passwords and without revamping the existing ADFS infrastructure.

What you’ll learn

  • Why companies want to adopt passwordless login for on-prem apps that use AD FS
  • How to overcome the challenges of extending passwordless authentication to all apps and directories
  • Why one leading industrial manufacturer chose Octopus to improve security and UX without replacing AD FS

What is ADFS authentication?

Microsoft’s Active Directory Federation Services (ADFS) software runs on Windows operating systems (OSs) to create a unified SSO experience for users while securing access to both on-prem and Internet-facing applications running throughout an organization.

Companies continue to regard Active Directory and other on-prem directories as reliable ‘single sources of truth’ for verifying identity before granting access to some vital business services. At the same time, there’s a strong desire to give users a single, unified, secure — meaning passwordless — experience.

Why Cloud-Only Passwordless Authentication May Not Be Enough

The allure of moving applications to the cloud includes scale, savings, and freedom from having to maintain complicated infrastructures and operations on-premises. Yet many companies choose to maintain large portions of their apps and IT infrastructures on-prem — where they can see and control them at all times — for security reasons and because the effort to update Active Directory proves prohibitive.   

Since these legacy or custom on-prem systems tend to include the business’s most vital applications (like line-of-business apps and custom HR and financial programs) and sensitive data, they warrant adoption of best-practice security controls. That clearly means getting rid of user passwords and using modern tools like passwordless desktop login, remote access MFA, and single sign-on (SSO).

Here’s where things get interesting, or rather, complicated in terms of verifying identity.

Demonstrating Passwordless Login for ADFS-Connected Apps

Passwordless MFA to Active Directory app

First, let’s look at a use case of passwordless authentication for password-based apps managed with Active Directory. The user passwordlessly logs in to one of these apps. Octopus recognizes the app, initiates passwordless push MFA, and then injects the assigned user token value stored in the directory to finish authentication, without the user ever knowing the temporary token value.

Passwordless MFA to standalone DB ACL app

Many enterprises have standalone line-of-business apps managed with an access control list (ACL) embedded in a database (DB), e.g., MySQL. In this demo, the user passwordlessly logs in to one of these custom apps. Octopus recognizes the app, starts a FIDO authentication cycle, and then injects the user’s ephemeral token value stored in the DB to finish authentication.

What challenges do CISOs face in modernizing ADFS authentication?

Rolling out SSO and passwordless multifactor authentication (MFA) usually means having to modernize (read: tear down and rebuild) everything from apps themselves to directory infrastructures like AD and the ADFS software used in authentication. Not surprisingly, Microsoft’s guidance to customers is to migrate to newer SaaS-based offerings.

Modern solutions like Entra ID do offer the modern convenience we’ve come to expect from cloud — along with many of the drawbacks and trade-offs we’ve come to expect from cloud. Case in point: Entra replaces AD with scalable directory services for cloud-based apps and SSO services but does not extend coverage to those vital services that companies choose, for any number of reasons, to maintain on-prem.

Microsoft’s passwordless solution is Windows Hello for Business (WHfB), which works with Entra ID but does not work with Active Directory. For this manufacturing company, the limitations of WHfB and gaps in enterprise use case coverage represented an even greater drawback. WHfB only works with Entra SSO web apps and Windows desktops, but this industrial enterprise, like most, uses—and needs to protect—many more apps and network services. These WHfB-incompatible apps force workers to keep using their directory passwords, which also remain the fallback method when WHfB authenticators are missing or fail.

To keep these vital apps where they can see and protect them, IT and security teams need to manage and maintain hybrid configurations. Authentication of SaaS and other Internet-facing services takes place in the cloud via Entra while users continue to authenticate into on-prem apps locally using AD FS and other traditional directory solutions.

Newer deployments may “go straight” to Entra, but migration of core business apps hosted on-prem represents a heavy lift. Change requires careful planning and considerable collaboration between security and IT teams, investment in SaaS offerings (the cost of which increases as you add users), integration resources, and employee training.  

Like many companies in this same position, the manufacturing business faced a strategic dilemma: the CISO mandated passwordless authentication for security reasons, but IT did not wish to make sweeping, invasive changes to applications and directory infrastructures. The CISO resolved the problem by engaging SDO and leveraging the Octopus Passwordless Authentication platform’s unique approach to solving this exact problem.

Achieving 100% Passwordless Coverage with Octopus and ADFS

The strategy behind SDO’s approach to achieving passwordless authentication coverage gives companies the ability to ‘modernize without modernizing.’ Our ‘secret sauce’ is, in a word, compatibility.

Octopus works with whatever identity infrastructures companies have in place and extends passwordless authentication coverage to any workforce application quickly. We call the technology that propels this strategy — the very feature that appealed to this high-profile government manufacturing partner — Invisible Token Rotation. Instead of using not-so-secret, phishable passwords, the Octopus platform replaces user passwords with random, ephemeral machine-generated tokens that workers never know exist.

Instead of relying on user-managed passwords, the Octopus platform automatically generates ephemeral tokens that function just like the passwords Active Directory and other on-prem systems expect to see. Password-based applications become passwordless with no tedious or invasive change required by IT to match up to certificate, FIDO, or SSO authentication compatibility requirements.

This simple change avoids the perennial security risk of credentials being phished and negates the need for users to ever again create, manage, remember, or reset passwords. From the worker’s perspective, the login experience improves as IT puts in place a single SSO or MFA process for all applications very quickly.
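To make the token-rotation idea concrete, here is an added, simplified model of it in Python. It is not SDO’s code and makes no claim about how the Octopus platform is built: `Directory`, `LegacyApp` and `TokenRotator` are hypothetical stand-ins for a password-hashing directory, an unmodified password-based app, and a broker that rotates the directory secret around each MFA-approved login.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for a directory such as AD: it stores a
# salted password hash per account and can verify a presented password.
class Directory:
    def __init__(self):
        self._hashes = {}

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._hashes[user] = (salt, digest)

    def verify(self, user, password):
        if user not in self._hashes:
            return False
        salt, digest = self._hashes[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


# Hypothetical legacy app: it is left unchanged and still only knows how to
# hand a username/password pair to the directory for verification.
class LegacyApp:
    def __init__(self, directory):
        self.directory = directory

    def login(self, user, password):
        return self.directory.verify(user, password)


# Hypothetical rotation broker: the user never learns the secret, because a
# fresh random token is written to the directory for each approved login
# and replaced again immediately afterwards.
class TokenRotator:
    def __init__(self, directory):
        self.directory = directory

    def rotate(self, user):
        token = secrets.token_urlsafe(32)   # machine-generated, unguessable
        self.directory.set_password(user, token)
        return token

    def passwordless_login(self, app, user, mfa_approved):
        if not mfa_approved:                # no push/FIDO approval, no token
            return False
        token = self.rotate(user)           # ephemeral secret for this login
        ok = app.login(user, token)         # injected into the unchanged app
        self.rotate(user)                   # invalidate it right after use
        return ok
```

The point the model makes is that the app and directory keep their password interface, while the only secret that would be phishable no longer exists in a form any user knows or reuses.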

Strengthening IAM with Phishing-Resistant MFA for ADFS Authentication

Octopus lets companies achieve all the benefits of passwordless MFA and ‘SSO everywhere’ without having to migrate to Azure’s Entra ID, reconfigure applications, or convert existing identity directories to use PKI passwordless technology. Organizations can accomplish their goals for improving security and user experience (UX) with a unified passwordless login process out of the gate and migrate applications to Entra or WHfB in their own good time, or not at all.

Operational expenses remain predictable compared with cloud- or SaaS-based services, whose costs tend to balloon as solutions scale after customers essentially become locked in.

Octopus extends passwordless authentication to users with no change to ADFS

Octopus lets companies achieve 100% passwordless coverage while continuing to use Active Directory and AD FS authentication on-prem. The platform delivers the high-assurance, AAL3-compliant passwordless MFA that industrial manufacturers and other members of critical infrastructure (CI) ecosystems need to demonstrate — with no change to the network topology. Octopus simply integrates with AD, and customers are ‘good to go.’

With Octopus, the manufacturing company gained:

  • Complete MFA coverage
  • A single unified method of accessing all applications on-prem and in the cloud
  • Compatibility with existing apps and IAM infrastructures  
  • 100% passwordless authentication use case coverage without having to revamp systems already in place

Easy onboarding helped level silos between security and IT

The company CISO mandated passwordless authentication for security purposes, but its IT team had to buy, implement, and maintain the solution. The Octopus platform helped level the longstanding silo between the two.

The company launched a proactive campaign to educate the initial group of users onboarded to passwordless MFA. The launch included valuable training and promotion of the new authentication capabilities on internal billboards and screensavers to generate excitement.

With the first phase of the rollout to more than 4,000 office workers completed successfully, subsequent phases will unfold across the rest of the company to enable and secure access for more than 10,000 factory and remote site workers. With support from their local solution provider and the SDO team, the rollout is set to progress quickly to other teams and locations.

What’s Next: Scaling Passwordless Authentication Across All Locations

As the manufacturing company progresses through its rollout of passwordless authentication to the remaining employees at field locations, its charter will include securing accounts shared by frontline workers at factory locations. Octopus offers the industry’s only known solution able to secure a shared account easily (and without revamping apps or identity infrastructures).

In the meantime, schedule a demo with our authentication expert to learn more about how you can achieve less risk in less time with less effort for your own organization.