Hot Cloud Failover to On-prem Authentication: An Octopus-only Innovation

John Kimberly | August 21, 2024

Everyone in IT knows we learn, and innovate, as we go. Such was the case when a major international medical provider began exploring passwordless MFA and realized they needed a feature no known solution could provide out of the box: a way to maintain continuous access during Internet outages. Secret Double Octopus (SDO) had already demonstrated the broadest passwordless MFA use case coverage of any solution being evaluated, so the IT team at this medical provider asked us to build this feature, and we did.

What you’ll learn

In this post we'll describe the use case for seamless cloud/on-prem MFA failover, why many different types of organizations will need it, and why SDO's passwordless MFA platform is uniquely able to deliver it, and deliver it quickly.

Why does cloud/on-prem failover matter?

A better question might be: when and where does this ability matter? For this large healthcare provider, it mattered when doctors and medical staff at its clinics needed to log into their Patient Management System from exam rooms to meet with patients.

Because this Patient Management application is hosted on-prem while most MFA solutions are cloud hosted, the provider knew an Internet outage would block the staff on site from authenticating into this vital resource. SDO worked with the provider to design an innovative hybrid solution in which, should a center lose its Internet connections completely, passwordless MFA authentication would fail over, instantly and transparently to users, to an onsite authentication server running in the data center.

Onsite workers would be able to access the Patient Management application without the company needing to invest heavily in building a parallel on-premises network infrastructure.

When the Internet came back up, the Octopus passwordless authentication platform would synchronize automatically and switch identity verification back over to the multi-site cloud service, also unbeknownst to users. Not only would users on-premises still be able to log into the patient management system, but remote users would still be able to log into their local computers to access applications like Office 365 and email.

This whole scenario seems highly specialized, which raises a few logical questions with surprisingly far-reaching answers:

When would the need for on-prem authentication failover arise?

Most large multi-site organizations use multiple Internet providers and services to safeguard against just this type of scenario, but a severed cable outside the building can take down multiple ISP connections in a single unfortunate slash. Failover gives healthcare and other industries that face stringent auditing and safety requirements assurance of continued access to critical resources, and assurance that the data needed for auditing purposes will sync and transfer to the multi-site cloud service automatically as well.
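The failover and failback behaviour described above (cloud-first verification, transparent switch to the onsite server when the Internet drops, and automatic sync of the audit records and the verification path once connectivity returns) as an added simulation; this is illustrative code written for this post, not SDO's product code, and `CloudAuthenticator`, `OnPremAuthenticator`, `FailoverBroker` and the toy `valid-<user>` assertion check are constructed stand-ins:

```python
from collections import deque

class CloudAuthenticator:
    """Stand-in for the multi-site cloud MFA service (constructed, not SDO's API)."""
    def __init__(self):
        self.reachable = True   # flipped by the caller to model an Internet outage
        self.audit_log = []     # central audit trail

    def verify(self, user, assertion):
        if not self.reachable:
            raise ConnectionError("cloud MFA service unreachable")
        ok = assertion == f"valid-{user}"  # toy check standing in for real verification
        self.audit_log.append(("cloud", user, ok))
        return ok

    def ingest_audit(self, records):
        """Accept audit records that queued up on-prem during an outage."""
        self.audit_log.extend(records)

class OnPremAuthenticator:
    """Stand-in for the onsite authentication server in the clinic data center."""
    def __init__(self):
        self.pending_audit = deque()  # held locally until the cloud is back

    def verify(self, user, assertion):
        ok = assertion == f"valid-{user}"
        self.pending_audit.append(("onprem", user, ok))
        return ok

class FailoverBroker:
    """Cloud-first routing: fail over on outage, fail back on a health check."""
    def __init__(self, cloud, onprem):
        self.cloud, self.onprem, self.mode = cloud, onprem, "cloud"

    def authenticate(self, user, assertion):
        if self.mode == "cloud":
            try:
                return self.cloud.verify(user, assertion)
            except ConnectionError:
                self.mode = "onprem"  # flip once; later logins skip the cloud timeout
        return self.onprem.verify(user, assertion)

    def health_check(self):
        """Periodic probe: once the cloud answers, sync queued audit records and switch back."""
        if self.mode == "onprem" and self.cloud.reachable:
            self.cloud.ingest_audit(list(self.onprem.pending_audit))
            self.onprem.pending_audit.clear()
            self.mode = "cloud"
        return self.mode
```

Logins made during the outage never wait on the unreachable cloud again; only the periodic health check decides when to fail back, which is what keeps the switch invisible to users.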

Who else might benefit from cloud/on-prem failover?

The short answer is: any organization with "brick and mortar" locations concerned with maintaining access to core applications. When the Internet becomes inaccessible via cable, satellite, or the cloud, a hospital or clinic, a cruise ship at sea, or a passenger train going through tunnels or ultra-remote locations could all benefit from seamless failover of passwordless MFA to a local data center service.

Why can’t other MFA providers do it?

Here the short answer is that most MFA and passwordless MFA solutions are 100% SaaS-based. SDO caters to the needs of large finance, healthcare, government, industrial manufacturing, and other enterprise organizations whose core business operations center around custom or legacy applications that run in on-premises environments.

Along with using FIDO technology to authenticate into cloud- and web-based applications, our approach lets IT roll out passwordless MFA quickly for all workforce use cases, on-prem, remote, or in the cloud, that require users to authenticate into something other than Windows and web-based applications. That includes Macs, Linux, air-gapped environments, shared/kiosk machines and accounts in production floor environments, cruise ships, and other challenging digital and physical environments.

Our rationale: if you're not 100% passwordless, you're not 100% phishing-resistant, which is the main reason most companies choose to get rid of passwords in the first place. So we continue to support and work with Active Directory as well as other cutting-edge and legacy identity infrastructures to remove user passwords from identity verification workflows, without requiring IT to alter applications or redesign backend directories.

Why does MFA need to be “passwordless” anyway?

This is our all-time favorite question. We have lots of resources on our site that describe and quantify the benefits of passwordless MFA. The most important ones are that it's phishing-resistant (safer), that it saves users time and aggravation (which saves companies money), and that, depending on how it gets implemented, it proves far easier than rebuilding authentication infrastructures from the ground up.

In the case of the international healthcare provider, the driver behind the customer's desire for a passwordless solution was simplicity. IT had already upheld established best practices for passwords, making them longer and more complicated and rotating them more often, all to workers' profound irritation. Frustrated users translate into time-draining Help Desk calls and low satisfaction ratings for IT, even as engineers work harder to make things easier for workers. Run your own calculations using our passwordless MFA ROI calculator.

Getting rid of passwords unburdens users of having to set, remember, and constantly update tedious passwords, and makes them less likely to write passwords down where other people can steal them. A passwordless MFA solution also starves what we call "the phishing menace" of the credentials it needs to thrive and, with the Octopus approach, allows companies to achieve 100% workforce coverage, and even AAL3-compliant identity assurance, very quickly.

Will SDO tailor solutions to every customer?

No solution can be everything to everybody, but we welcome the chance to discuss customers' "outlier" challenges. From what we've seen so far, every organization deals with exceptions. Our advice is not to settle for a "one size fits some" partial coverage solution that will leave you vulnerable, liable, and frustrated.

Innovators love a challenge. Contact us today to describe your organization’s unique passwordless MFA requirements. Fill out the form below!