The outcome for passwordless authentication should be a passwordless workplace. Users should no longer have to use passwords for anything – not rarely, not as a fallback, not with some apps. They should be able to get everything done, from anywhere, using their passwordless authentication solution.
Authentication use-cases for a typical enterprise
Supporting the full breadth of user authentication use-cases for a typical enterprise can add up to quite a few scenarios. Common enterprise use-cases include:
- Workstation logon, covering Windows and Mac hosts and, in some companies, Linux as well. This is often the most challenging use-case for an authentication solution because it requires delicate integration with the operating system's logon stack and with the network domain management solution.
- Remote access VPN has long been the staple technology that keeps mobile and remote employees connected to their work. Several technologies are in use and a plethora of vendors offer solutions, but over the years a set of standards (RADIUS being the most common for VPN concentrators) has emerged to enable straightforward integration with authentication systems.
- Access to cloud apps has become mainstream even for the most traditional enterprises. While standards such as SAML and OpenID Connect exist to facilitate interoperability between enterprise authentication systems and cloud services, they are not all fully mature. Competing standards and frequent revisions to existing ones mean that supporting access to cloud services has been a moving target.
- Offline authentication has been the Achilles' heel of many authentication systems in general and of multifactor authentication (MFA) in particular. It is a difficult problem because most authentication solutions were designed for a connected world: when the network connection is down or unavailable and the authentication server cannot be reached, elaborate workarounds are required so that users can still authenticate to their computer and to locally hosted resources.
- A lost authenticator creates a huge headache, especially when it is a hardware authenticator. Physically shipping a replacement token to a remote employee is costly and time consuming, so to prevent prolonged downtime, software-based recovery options were developed for some of the hardware-based MFA solutions.
Generally speaking, a modern enterprise authentication solution has to be an all-round player that can handle a wide variety of authentication use-cases. Choosing a point solution that addresses specific use-cases well but neglects others will likely result in the need to deploy multiple authentication solutions, which is expensive and hard on users.
Why should passwordless authentication be an all-or-nothing effort?
The reality for most enterprises is that they have acquired a varied mix of systems and applications over years of investment in IT. Those systems must be acknowledged, and any new authentication solution needs to work with everything that is already in place. A rip-and-replace approach is simply too painful and expensive.
It should therefore be expected that modern authentication solutions be designed to support legacy systems and applications and easily integrate with existing IT investments. Supporting existing user directories (e.g. Active Directory), working with legacy systems, working alongside existing authentication solutions, etc. should all be built into the solution and not something that requires expensive customization and integration projects.
Working with existing authentication solutions such as USB-tokens, OTP-tokens, FIDO authenticators, mobile authenticators, etc. should also be required. Over the years many enterprises have invested in strong authentication solutions, which means there are hardly any greenfield opportunities where nothing else is deployed. Therefore working in harmony with existing authentication solutions, simplifying the operations of a heterogeneous authentication environment and providing a means to gradually retire older solutions and migrate to more modern ones has become an important consideration in and of itself.
Migrating from password-based to passwordless workplace
The number one challenge for businesses that decide to deploy passwordless authentication is usually their legacy systems and applications that were not designed for it. While it is easy to buy into the vision of a passwordless workplace, getting there can be daunting in a heterogeneous IT environment that combines new and dated systems. One approach is to deploy passwordless authentication only for the systems and apps that support it. In practice this translates into passwordless authentication for cloud apps and sometimes also for newer operating systems (e.g. the latest versions of Windows 10). But going passwordless is really an all-or-nothing effort: you either get rid of passwords or you don't.
So to successfully deploy passwordless authentication for users, it is usually not enough to decide that passwordless is a better, cheaper, more secure option. It is important to choose the technology that will help you deploy passwordless across an existing and heterogeneous IT environment, and address all your authentication use-cases.