“SSO Everything And Add MFA Everywhere”: The Road To Passwordless Authentication
Expert Insights speaks to Aubrey Turner of Ping Identity to discover how organizations can embark on the journey to passwordless authentication and secure their user accounts against credential-related breaches.
Identity is the new perimeter. In the modern world of hybrid work, where employees may be working in different locations or on personal devices, a user’s identity may be the only constant factor in their work environment. Because of this, organizations have made identity, and in particular, strong authentication, a key priority in securing their corporate data.
Traditionally, user identities were authenticated with a password. But with the rise in sophistication of credential-related threats such as social engineering and brute force, passwords just aren’t secure enough anymore. And the consequences of a breached credential can be devastating for any business.
As a result, more and more organizations are adding other methods to their identity toolkit —such as multi-factor authentication (MFA) and single sign-on (SSO)—to ensure that only legitimate users are accessing their assets. But despite the availability of these solutions on the market, many businesses are still struggling to secure access to their digital accounts.
To find out more about how organizations can protect themselves against identity-related breaches, such as credential theft and account takeover, we spoke to Aubrey Turner, Executive Advisor at Ping Identity. Turner has over 20 years of experience in the cybersecurity space and has spent the majority of that time focusing on identity and access management. Throughout his career, Turner has helped organizations around the world to reduce risk and achieve positive business outcomes in relation to access security.
Founded in 2002, Ping Identity is a market-leading identity and access management (IAM) provider that helps individuals and organizations maximize their account and application security. With an industry-leading Net Promoter Score of 65, Ping’s services are highly valued by their customers, most of whom are in the enterprise space; 60% of Fortune 500 companies trust Ping with their identity security. However, because Ping’s technology has been designed to scale seamlessly and meet both business and consumer use cases, an increasing number of SMBs are also leveraging their cloud platform.
Account Takeover Is A Very Real Threat…
Identity-related breaches such as social engineering and brute force are on the rise. In fact, 45% of data breaches last year involved hacking, and over 80% of hacking breaches involved the use of lost or stolen credentials. Using stolen credentials is the easiest and fastest way for hackers to get into an organization they’re targeting.
When an attacker manages to crack a user’s credentials, they can compromise that user’s account and access all data within it. They can even change account notifications, alerts and permissions, effectively making themselves the new account owner. This is called an account takeover attack, and it can have dire consequences for a business—particularly those working with sensitive information, like financial or healthcare organizations.
First is the issue of data loss at the hands of a cybercriminal.
“The average set of exposed credentials has a value of around 15 US dollars on the dark web,” Turner says. “When you enrich that with other data such as personally identifiable information, that can increase the value to up to 400 or 500 dollars per record. That’s why attackers are harvesting this data.”
But direct data loss isn’t the only consequence of account takeover: business disruption is another critical outcome, particularly when hackers are able to shut down systems using malware or hold data hostage until their target agrees to pay a ransom.
“We saw this play out with the ransomware attack on the Colonial Pipeline,” Turner explains. “The attack caused a tsunami of gas shortages, which propelled some of the worst human behavior and hysteria around fuel.”
Finally, a successful account takeover attack can have a huge negative impact on the trust consumers have in your business and your brand. “Customers may decide to take their business elsewhere because you were careless, mishandled their data, or were negligent in securing their data and their identity,” says Turner. This, in turn, can result in decreased revenue following a breach.
…But Account Security Can Be A Challenge
Despite the consequences that a successful account compromise attack can have on a company, some organizations still only require a traditional password for employees to access corporate accounts. There are a few reasons for this. First, implementing a layer of security across every facet of the organization may seem intimidating for some businesses.
“Identity touches everything within an organization,” says Turner. “It has a lot of stakeholders; not just the security team, but everything from HR to IT, privacy, risk, the business itself!” This means that implementing an identity and access management solution requires very careful planning, considering the needs of every user within the organization.
Second is the issue of technical debt. Technical debt is the increased long-term cost of choosing an easy, less powerful solution now, rather than investing in a stronger approach that would take longer and cost more up-front to implement.
“Companies may have invested in systems and applications that are much harder to integrate with because they aren’t standard or don’t follow open standards,” Turner explains. This makes it much more challenging to integrate an IAM solution with the existing infrastructure, particularly for organizations without a lot of technical resources.
Finally, says Turner, there is the challenge of human behavior.
“An organization may have been an early adopter, dipping its toes into the early versions of some of these identity tools, which, back then, weren’t as user friendly, or may have been heavy or complex.
“So, they might have had a bad experience. And sometimes, when people have a bad experience, they’re stubborn to try those things again.”
And this is true not only for admins, but also for end users. Most security teams prioritize security over operational effectiveness when choosing an IAM solution. But this approach is a mistake, Turner tells me. For implementation to run as smoothly as possible, admins must focus on the needs of their end users.
“Sometimes, companies don’t invest in organizational change management, which is the mechanism you need to help change behaviors. They get all the technical requirements nailed down but forget about their people, and don’t spend enough time figuring out how to help them change.
“And we do need to balance security with end user experience because, if we don’t, people will find ways to circumvent the solution, or it’ll have low adoption rates. Pulling in end user experience increases productivity, supports agility, and means we will actually have better security outcomes.
“So that’s why it’s hard, but it’s not insurmountable,” Turner says. “Just knowing your business well can help you overcome these challenges.”
Passwordless Authentication: Secure, Frictionless And Achievable
One of the more effective ways for security teams to ensure account security without negatively impacting user experience is to implement passwordless authentication.
“Passwords are responsible for a lot of breaches,” says Turner. “There are billions of stolen credentials on the dark web, which gives attackers a lot of opportunity to compromise security. But decreasing our password footprint can help with that.”
But what exactly does that mean? Well, when organizations have fewer passwords, and users have to enter them less frequently, it reduces the risk that a hacker will be able to access an account by cracking a password.
“It doesn’t necessarily mean getting rid of passwords right off the bat,” Turner explains. “There’s a journey to passwordless. First, you reduce your use of passwords, instead using things like the touch ID on a Mac, or Windows Hello. This reduces the attack surface, so to speak, and devalues the password as an attack vector.
“Until, ultimately, we get to a place where we can remove the password entirely from the equation. So, when you create an account, you don’t create a password at all.
“This mitigates things like man-in-the-middle attacks, credential replay, credential injection and brute force attacks because, if there’s no password, there isn’t anything for the attacker to use.”
As well as increasing security, passwordless authentication can improve the login experience for end users by reducing “password fatigue”—the effect that causes users to create weak passwords and store them insecurely due to having to remember so many of them.
The thought of implementing passwordless authentication may seem like something out of a sci-fi movie, but in reality, it’s very achievable for most organizations. And implementing it doesn’t have to be a huge organizational shift; it can be iterative.
“Achieving passwordless is an iterative journey,” Turner says. “It starts with reducing your password footprint using things like MFA and SSO. In fact, the road to passwordless is paved by MFA and SSO.
“The next stage of the journey is creating password lists, defining specific use cases and rolling out passwordless across specific functions or business units. Once that gets going, you can advertise that success and begin to iterate across the rest of the enterprise.”
The Future Is Hybrid, Collaborative… And Zero Trust
At the start of 2020, when the coronavirus pandemic forced countries globally to impose national lockdowns, organizations around the world made huge shifts to their environments to enable their employees to work remotely. Now, businesses are beginning to welcome their employees back into the office; some full-time, some part-time as part of a new hybrid-remote way of working. And as before, we can expect this period of change to impact the cyberthreat landscape and the ways in which we need to secure our businesses.
“We’ve made some adaptations to support remote work and how people access systems, and some of those aren’t going to revert back,” Turner says. “But there are a number of other factors at play here, as well.
“Digital transformation, for example, has certainly been accelerated by COVID, with increased adoption of cloud services, applications, APIs and IoT devices. So now we need to start asking things like, ‘How do you authenticate IoT?’
“You’ve got all these new types of digital account access and you’ve got different types of users. And I think the way that organizations are going to handle this struggle is by using centralized authentication services. At Ping, we call that a ‘global authentication authority’. It’s adaptive, and it’s intelligent and—yes—still frictionless.”
Leveraging the services of a third-party IAM provider is something that Turner recommends strongly.
“This is going to sound like a PSA, but you don’t have to do it alone! If you’re struggling with some of these challenges, then Ping and our partners are here to help. Scalability equals partnership, so leverage a partner like Ping, and let us help you figure out how to navigate these things.”
Finally, as network boundaries continue to shift and organizations increasingly accept identity as the new perimeter, another security concept has also increased in popularity: zero trust. Zero trust security isn’t a new concept, but it’s been talked about more and more over the last year as organizations and security professionals look for the best ways to ensure access security. Zero trust is a philosophy based on the principle that you shouldn’t automatically trust anyone or anything with access to your company’s data.
“The energy and momentum around zero trust since the pandemic started has been incredible,” Turner says. “And organizations are now leveraging the zero trust framework to help them deal with this hybrid-remote working landscape.
“The centralized authentication model that I talked about earlier fits in with this framework, and I’d certainly encourage organizations to adopt that model. We like to say, ‘SSO everything and MFA everywhere’. If you’re doing those, as practically speaking as possible, you’re on the road to zero trust and you’re on the road to passwordless.”
Thank you to Aubrey Turner for taking part in this interview. You can find out more about Ping Identity and their identity and access management platform at their website and via their LinkedIn profile.