Considerations when evaluating a passwordless authentication solution
By now, there is a growing number of passwordless authentication solutions in the market. New and established authentication vendors are offering solutions, each highlighting different use-cases and strengths. Some authentication solutions are built to authenticate customers, for example authenticating bank account owners to their bank. Others are focused on authenticating employees to business systems and applications. And within employee authentication there are niche solutions that focus on specific use-cases, for example authenticating medical staff to shared workstations.
Passwordless authentication vendors are also framing the problem and coining terms that only add to the confusion.
So what should an enterprise be looking at when searching for the right workforce authentication solution for its business? There are many considerations, but the three most important ones are:
1. Does the solution support the full breadth of my authentication use-cases?
The most fundamental consideration is whether an authentication solution supports the full breadth of authentication use-cases encountered by users over the course of their workday. When specific use-cases are not supported, one of two options is available: (i) leave in place the existing authentication solution – typically a username and password – or (ii) bring in a second authentication solution.
Reverting to usernames and passwords defeats the purpose of investing in a better, more secure authentication solution, because it means vulnerable passwords can still be exploited by attackers, leaving the business exposed. It is like building a fortified wall around your house and leaving in place a backdoor entry secured with a padlock.
Acquiring a second authentication solution that can handle the unsupported use-cases means deploying another solution, and more importantly, requiring users to carry around another credential/authenticator. This is an expensive proposition that also delivers an experience that will likely frustrate users.
Supporting the full breadth of user authentication use-cases can add up to quite a few scenarios for a typical enterprise. Common enterprise use-cases include:
- Workstation logon, including Windows and Mac hosts, and in some companies also Linux. This is often the most challenging use-case for many authentication solutions as it requires delicate integrations with operating systems and network domain management solutions.
- Remote access VPN has been a staple technology that enables mobile and remote employees to stay connected to their work. There are several technologies in use and a plethora of vendors offering solutions. Fortunately, over the years a set of standards has emerged to enable straightforward integration with authentication systems.
- Access to cloud apps has become mainstream even for the most traditional enterprises. While some standards are in place to facilitate interoperability between enterprise authentication systems and cloud services, they are not all fully baked. Competing standards and frequent revisions to existing standards means that supporting access to cloud services has been a moving target.
- Offline authentication has been the Achilles' heel of many authentication systems in general and multifactor authentication (MFA) in particular. It presents a difficult challenge because most authentication solutions were designed for a connected world. So when the network connection is down or unavailable and the authenticating server is not reachable, elaborate workarounds are required to ensure that users can continue to authenticate to their computer and locally hosted resources.
- Lost authenticator creates a huge headache, especially when it is a hardware authenticator. Physically shipping a replacement token to a remote employee is costly and time consuming. So to prevent prolonged downtime, software-based recovery solutions were developed for some of the hardware-based MFA solutions.
Generally speaking, a modern enterprise authentication solution has to be an all-around player that can handle a wide variety of authentication use-cases. Going for a point solution that addresses specific use-cases well will likely result in the need to deploy multiple authentication solutions, which is expensive and hard on users.
2. Does the solution work with what I have or do I need to rip-and-replace systems?
Reality for most enterprises is that they’ve acquired a varied mix of systems and applications over years of investment in IT. Those systems are a reality that needs to be acknowledged and any new authentication solution needs to be able to work with everything that is already in place. A rip-and-replace approach is simply too painful and expensive.
It should therefore be expected that modern authentication solutions be designed to support legacy systems and applications and easily integrate with existing IT investments. Supporting existing user directories (e.g. Active Directory), working with legacy systems, working alongside existing authentication solutions, etc. should all be built into the solution and not something that requires expensive customization and integration projects.
Working with existing authentication solutions such as USB tokens, OTP tokens, FIDO authenticators, mobile authenticators, etc. should also be required. Over the years many enterprises have invested in strong authentication solutions, which means there are hardly any greenfield opportunities where nothing else is deployed. Therefore working in harmony with existing authentication solutions, simplifying the operation of a heterogeneous authentication environment, and providing a means to gradually retire older solutions and migrate to more modern ones has become an important consideration in and of itself.
3. Does the solution address requirements from auditors and regulators?
Most enterprises these days operate in regulated industries and are subject to strict demands on data protection and user authentication. Compliance with regulations and industry standards like PCI DSS, DFARS, HIPAA, SOX/GLBA, PSD2, GDPR, etc. is therefore a significant consideration and often a key driver for investing in a new user authentication solution.