Interview: Why Passwords Are Dead And How Frictionless Authentication Is Replacing Them
Paul Trulove, CEO at SecureAuth, discusses the death of passwords, the age of frictionless authentication, and the importance of user experience versus security when it comes to modern authentication solutions.
Paul Trulove is the CEO at SecureAuth, an identity and access management (IAM) provider that focuses on securing user access to critical resources, without negatively impacting the end user login experience. Trulove has over 15 years of leadership experience in the IAM space and is currently using that experience to lead SecureAuth through its next stages of growth and innovation—which begin with the introduction of the provider’s new frictionless authentication solution, Arculix.
At RSAC 2022, we spoke to Trulove to discuss the death of passwords, the new age of frictionless and passwordless authentication, and the importance of user experience versus security when it comes to modern authentication solutions.
SecureAuth is an established IAM provider, but you’ve recently released a new product for next-gen passwordless authentication and identity orchestration. Could you give us an introduction to Arculix, and what differentiates it from other passwordless solutions?
Arculix is the pre-announcement of a product that we will be releasing later this summer. As you said, the first major use case that we’re going to target is passwordless, frictionless authentication. And part of our differentiation is that a lot of people claim passwordless—in fact, in many ways the current SecureAuth product can be implemented to provide passwordless authentication—but, from a next-generation vision perspective, we are doing passwordless, while also increasing the overall level of security of that authentication transaction.
I sometimes describe it a little bit like casino security. People want to know that things are secure, but they don’t necessarily need to have it in their face all the time.
We want to offer the user as little friction as possible when they are trying to gain access to applications and data. But we also want to offer the organization or the person whose data is being accessed maximum security, and the only way you can do that is by understanding more about the authentication event, and to understand that on a continuous basis, not as a point in time.
Passwordless is part of the equation, but I like to think of it as offering a frictionless experience, until we determine from a risk perspective that something doesn’t look right. And then we start to bring the level of friction up to match the risks that we’re seeing, so that we can validate that login.
SecureAuth provides that passwordless experience, and it’s a very low friction authentication transaction. But then if they suddenly start trying to access something they shouldn’t be accessing, we can bring that friction back in and re-authenticate them, or authenticate them through additional mechanisms.
A lot of businesses struggle to get their users on board with the idea of IAM because they find that user authentication adds too much friction to the login process. How does Arculix’s continuous authentication technology help boost productivity as well as security by delivering a positive user experience?
One of the key areas in which we’re trying to help the end user experience is this: if you think about the traditional username and password, and then moving that into a second- or multi-factor authentication, all you’re doing is asking the user to do more authentication on every individual transaction.
When a user requests access to something, there’s data that we can gather about them before and during the transaction, which can be used as authentication factors that never have to be prompted to the end user. It might be that you’re coming in on a known IP address, from a known location at a typical time for you as a user. In this case, I don’t even ask to authenticate you, because it all happens behind the scenes.
That’s a great example of a more risk-based system that is taking in authentication factors that are not necessarily just things the user knows, or the ability to interact with a device such as by entering a one-time code. We’re taking other information and, if everything looks good, we’re granting that access without creating friction for the user. We can make it invisible.
Let’s go back to that casino security example: when you walk into a casino, the casino wants security to be invisible. They don’t want to overwhelm you with the presence of security, because you wouldn’t come in and gamble, and that’s the mindset that we want to get into in terms of authentication. We don’t want to overwhelm the user with all these hoops that they have to jump through.
If we know enough to understand the risk of letting them have access without prompting them for all those additional authentication factors—great! If we’re unsure or the risk is still high, then we can go into more of a traditional multi-factor. And even then, we may eliminate passwords in that process and use other things to make sure that the user is who they really are.
Despite the risks associated with password use in the workplace—such as the use and re-use of weak passwords—and the fact that many security experts are recommending switching to a more secure method of authentication, many organizations still use passwords simply because they’re familiar. Do you think that a truly passwordless future is achievable?
I really do think the future will become passwordless. Passwords have outlived their usefulness, because they are easily breached, easily reused, and easily shared. And we’re just going to have to find a better way to authenticate the fact that a person coming into a digital experience is who they say they are.
Ultimately, I think that passwords are dead. Organizations are sometimes slow to make the transition to new technologies and new approaches, but I think what we’ve learned over the course of the last several years—throughout COVID and the subtle digitalization of our lives—is that passwords are unsustainable.
Just think about how many times, as a consumer, you’ve tried to log into something and couldn’t remember the password, and you had to reset it. I’ve gotten to a point where I just reset it to whatever, knowing that I’m probably going to forget it anyway. And I’ll just go through the password reset process each time. It’s easier to do that than it is to try to remember all my passwords.
When people take that mindset, that paradigm is no longer valid, and we need to be shifting to the next paradigm. And we have devices at our disposal now in a very different way than we did just five years ago. Whether it’s through your cell phone, laptop, or other mechanisms that we can use to validate who you are, as opposed to just a simple username and password that can easily be breached in this day and age.
How can organizations get started on the road to passwordless authentication? Should they implement MFA and SSO first, or can they jump straight into a passwordless solution?
Everything in identity and access management is a journey. And my team is probably tired of me saying it this way, but I tend to think of these kinds of projects as a dimmer, not a light switch. You turn light switches on and off. But I don’t think anything in identity management today is simple enough that you can just flip to a new paradigm from an old one. You have to understand what user populations you want to impact, what applications you want to impact, and you have to figure out, ultimately, how to deploy new solutions to get the most benefit for the lowest cost.
Everybody’s constrained in some way, shape, or form—usually economically—when it comes to the number of people that can participate in going through a transformation like that. I think organizations have to be smart in the way that they decide to move towards the passwordless future, and know that certain applications will be easier than others. Certain user populations will be easier than others. And sometimes, the right answer is to start with the simple applications and simple populations and show that the paradigm will work.
That’ll make it easier to get that next set of things on board. Whether it’s applications, data repositories, or different user populations, they might have a higher bar in terms of what they expect to see before they are willing to embrace what I think is going to be a major revolution for most organizations. Not an evolution.
You mention introducing a solution to a few users and building it out from there—what are some of the benefits to this implementation approach?
When you start with a small population, and you prove that something’s going to work and you refine your implementation, it makes it easier to take that success and build upon it. One of the dangers that I’ve seen in my time working with large organizations rolling out complex IAM programs is, the longer that you have to invest and plan before you start to see tangible benefits, the more likely people are going to dismiss the change.
Therefore, if you break it down into smaller, bite-size projects that you can scope, define the success criteria, implement and then measure the success, it’s easier to get the rest of an organization to move in that direction once they’ve seen that initial success.
The practical advice that you hear from vendors and system integration partners on anything identity is, start small and build your success. And then grow the program over time, as opposed to going dark for three years, trying to get everything implemented and then suddenly flipping the light switch on at the end and hoping that everything works.
Bring it on slowly and use that success to build your momentum, rather than trying to do it all at one time.
And how involved should the end users be in that process of choosing a solution and implementing it organization-wide?
I think users can be involved in the process to a certain degree. It’s hard to put multiple solutions in front of a broad user population and gain enough insight to really make a decision. But if you do a good job of understanding user needs, and you have a smaller team that actually does the evaluation of different vendor solutions against those needs, that’s probably sufficient.
I do think you have to take into consideration what the end user population actually wants and needs as part of that process. For too long, large IT organizations have made decisions that were somewhat independent of what users might actually do.
Recently, I had a customer tell me that one of the major reasons they were going to implement a modern, frictionless authentication platform was because they were looking at how it would impact recruiting and retention of their employees. People were frustrated with the hoops that it was making each employee jump through on a day-to-day basis to just be an employee, and they really saw this program as transforming the relationship that they had with their employees.
And that’s a radical departure from the way that we tended to talk about identity and access management programs and the value that people were trying to get, even in the last couple of years.
What is your final piece of advice to organizations that want to implement an identity and access management solution that’s both secure and user-friendly?
Don’t accept the status quo. At a high level, people have to be willing to embrace the change that’s required. The amount of access we have, combined with the complexity, the impact of digitalization on a workforce, and even customer relationships, is so different in 2022 than it was just a couple of years ago. Whatever you’re doing and have been doing over the course of the past half a decade or longer isn’t sufficient for today’s needs or what’s going to happen over the next several years.
Breaking out of that status quo mindset, and embracing the paradigm shift to the modern authentication and access management strategy, will give you tangible business benefits. Whether that means improving revenue on the customer side, improving employee satisfaction, or improving security—and security should be the mindset that you go into it with.
That’ll be a very empowering reality for people that are brave enough to jump in, understand what the technology looks like, and how significantly you can improve user experience and security by beginning to break out of that status quo.
Thank you to Paul Trulove for taking part in this interview. You can find out more about SecureAuth’s continuous, risk-based, and frictionless authentication solutions via their website.
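The risk-based, continuous step-up model Trulove describes (known network, known location, typical hour, and whether the resource being accessed is one the user is expected to touch, re-scored on every request rather than only at login) is sketched below as an added illustrative example. It is not SecureAuth or Arculix code; the signal weights, thresholds, sample profile and sample session are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address, ip_network

class StepUp(IntEnum):
    NONE = 0   # frictionless: grant without prompting the user
    MFA = 1    # raise friction: prompt for an additional factor
    BLOCK = 2  # deny the request and alert

@dataclass
class UserProfile:
    known_networks: list       # CIDRs the user normally logs in from
    known_countries: set       # countries seen in the user's history
    typical_hours: range       # local hours the user is usually active
    entitled_resources: set    # resources this user is expected to touch

@dataclass
class Request:
    ip: str
    country: str
    hour: int
    resource: str

def risk_score(profile: UserProfile, req: Request) -> int:
    """Add up behind-the-scenes signals; weights are assumed, not a vendor's."""
    score = 0
    if not any(ip_address(req.ip) in ip_network(n) for n in profile.known_networks):
        score += 2
    if req.country not in profile.known_countries:
        score += 3
    if req.hour not in profile.typical_hours:
        score += 1
    if req.resource not in profile.entitled_resources:
        score += 4  # reaching for something unexpected is the strongest signal
    return score

def decide(score: int) -> StepUp:
    """Map risk to friction: silent grant, step-up, or block (assumed thresholds)."""
    if score >= 6:
        return StepUp.BLOCK
    return StepUp.MFA if score >= 2 else StepUp.NONE

def evaluate_session(profile: UserProfile, requests: list) -> list:
    """Continuous evaluation: every request is re-scored, not just the login."""
    return [(r.resource, decide(risk_score(profile, r))) for r in requests]

# Constructed sample data (RFC 5737 documentation addresses, invented resources).
PROFILE = UserProfile(["203.0.113.0/24"], {"US"}, range(8, 19), {"wiki", "payroll"})
SESSION = [Request("203.0.113.7", "US", 10, "wiki"),      # all signals normal: no prompt
           Request("203.0.113.7", "US", 10, "hr-admin"),  # unexpected resource: step up to MFA
           Request("198.51.100.9", "DE", 3, "hr-admin")]  # every signal off: block and alert
```

Running `evaluate_session(PROFILE, SESSION)` shows the same user moving from a silent grant to an MFA prompt to a block within one session, which is the "dimmer, not a light switch" behaviour the interview describes.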
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.