Password-based authentication is now well over 60 years old, and its age is beginning to show. The wide range of cloud apps used by employees in modern enterprises means that there are simply too many passwords to remember, causing inefficiency and major security issues.
Being able to access all applications without the need for passwords solves both the efficiency and security challenges that exist in many organisations today due to users managing credentials, but how does an enterprise practically transition from current-state to future-state? How do they move from being a password-based organisation to a passwordless organisation?
The journey to passwordless
No matter how dedicated an organisation is to making the switch, the transition from password-based to passwordless cannot be achieved overnight. The disparate application types in use and their compatibility with passwordless technology is at the heart of the challenge, as are the end-users who are typically opposed to changing working practices and can even be resistant to positive initiatives.
Making the journey from the current password-based state to the passwordless future-state requires a technology-led transition which accounts for the need to not change user behaviour and the availability of passwordless-ready applications. Older legacy Windows desktop applications also need to be considered as the organisation transforms to the cloud.
Organisations who wish to embrace passwordless though can do so today and begin the journey from their current password-based state to the passwordless future state.
Making the most of SAML and OIDC
The authentication switch from passwords to passwordless can be made right now for many cloud apps thanks to the use of Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). These two protocols enable Identity Providers (IdPs), such as My1Login, and Service Providers (SPs) to communicate with one another, allowing user authentication data to be transmitted much more securely than with a password-based system.
Many of the most popular cloud apps used by enterprises, such as Salesforce and Hubspot, are compatible with these protocols, and are easily integrated. Moving from password-based to passwordless for compatible applications can be achieved by My1Login, acting as the Identity Provider and using an organisation’s existing corporate directory as the source of truth for user permission and creating the trusted connection to the third party application using the passwordless standards of SAML and OIDC.
What happens when apps aren't compatible with passwordless protocols?
While SAML and OIDC allow for an easy switch from password-based solutions, not all applications support these token-based passwordless standards yet. Virtualised apps running as thin-clients (i.e. Citrix) and legacy apps such as Windows executable apps, often lack the functionality for SSO protocols, as do less popular, or even bespoke custom intranet or cloud applications. These applications may support passwordless in the future, but what can be done in the meantime?
For these apps, instead of token-based authentication, My1Login can verify users through secure web authentication. Credentials are still used to authenticate into these applications, but because My1Login automates this, the end user experience becomes essentially passwordless with the user no longer having to create, manage, know or enter passwords. My1Login can also generate strong, high-entropy passwords that can be hidden from the end-user on the My1Login system, making it orders of magnitude more secure than leaving users to manage their own corporate passwords. This means that the solution remains secure against phishing and credential-stuffing attacks, unlike traditional password-based processes. This enables organisations to benefit from a passwordless authentication experience now, even while some applications do not support the passwordless protocols. As these applications roll out support for passwordless protocols, the authentication type can be switched from secure web authentication to passwordless without any change to, or impact on, user experience.
Shadow IT
While IT departments may find it easy to identify the IT-approved apps used by employees and integrate them into the Passwordless solution, they may be unaware of additional apps used by other departments. The number of apps actually used can be many times higher than those that are specifically approved by IT, which can be a challenge when recognising which applications need to be included in the transition to passwordless.
To overcome this, My1Login can automatically detect applications accessed by employees, inform IT, and enable the inclusion of these apps into the SSO solution with one click. This ensures all apps are included and that the organisational transition to passwordless is not compromised by Shadow IT.
Ensuring user adoption
Some solutions which involve complex setup, deep integration, change in user behaviour or do not actually integrate with all application types will suffer from a low rate of adoption, rendering them ineffective. User adoption is key in the rollout of any solution, and passwordless authentication, notwithstanding its overt benefits to users, is no exception.
To ensure maximum user adoption, My1Login can be configured to run in the background, removing any need for users to change their behaviour – employees can simply access the app they wish to use in the way they normally access it and they will be quickly authenticated. This user experience works seamlessly in the current password-based state, with My1Login using secure web authentication to authenticate users. As applications are switched to passwordless, this technological change is invisible to the user, who continues to have the same user experience at the front end i.e. no authentication required, making the whole transition to passwordless seamless for the user, and painless for IT.
My1Login integrates with the existing corporate directory, which remains the single source of truth, meaning users do not need to log into My1Login. This also means when new users are added to the corporate directory, they can be automatically provisioned with application access, and more importantly, users who leave the business can have their access quickly revoked, even if they are working remotely.
The move to passwordless solves efficiency and security challenges at the same time and with My1Login this transition to passwordless protocols can be made seamless without changing user behaviour. Using My1Login to transition from passwords to passwordless means that for all intents and purposes to the end-user, nothing changes in their user experience, but for the business, passwords are being removed and token-based authentication put in its place, improving the organisation’s cyber security posture and mitigating the risk of phishing and data breaches.
Find out more about how to move to passwordless authentication.
