
4 Tips for End-to-end Passwordless Authentication for Hybrid Deployments

Dec 10, 2020 | by Shashank Rajvanshi

It's clear that the pandemic has accelerated digital transformation for many organizations and that working remotely will be at the core of workforces going forward: the number of employees who permanently work from home is expected to double in 2021. It's also more apparent than ever that to be successful, organizations need to provide access to business applications and data anywhere, from any device, at any time – and that identity management is a critical part of this equation.

But the reality is that most SaaS applications are still protected only by passwords, which are prone to man-in-the-middle (MITM) and phishing attacks. Not only are credentials the weakest security link, but password management drives up operational costs, and passwords themselves create user frustration due to frequent resets and increasingly complex password requirements. Now, more than ever, organizations are looking to implement security practices that eliminate passwords. But how do you go from a password-laden infrastructure to a passwordless one?

RSA has been fortunate to work closely with VMware throughout their multi-layer, enterprise-wide passwordless implementation. Together, we've learned a few things about the process: the following tips can help organizations promote better security, cut costs, and reduce user frustration by implementing end-to-end passwordless authentication in cloud and hybrid environments.

Tip 1: Make It Easy for Users to Adopt. The first step to adopt new technologies, particularly new security technologies, is to make it easy for users to accept them. In this case, passwords have been used for decades, so removing them unceremoniously could be jarring. Instead, add modern authentication methods as an additional authentication along with users' passwords while you work on eliminating passwords completely.

One way to do this is to decide what authentication methods meet your organization's risk threshold. Having a few equivalent authentication methods and allowing users to choose their own can speed adoption while keeping your organization secure. For example, if you determine that mobile biometrics and FIDO (Fast IDentity Online) hardware tokens have the same risk level, you can let users decide if they want to use mobile devices or the hardware authenticator equivalent.

Tip 2: Make It Secure AND Convenient. Adding layers of protection makes sense from an organization's perspective, but if it hinders user productivity, it won't be as effective. To ensure that users are secure but not inconvenienced, apply conditional access or risk intelligence that is smart enough to determine how and when step-up authentication is required.

Similar to moving from passwords to passwordless, implementing risk intelligence can be a step-by-step approach that organizations adopt when ready. Organizations can move from static policies, to conditional policies (e.g., network, country of origin, geo-fencing, known device, etc.) to dynamic, real-time risk-scoring based on behavioral analysis and machine learning. For even greater protection, organizations can add external sources of risk intelligence (SIEM) to identify risky users and react in real-time. By implementing these smart protection layers in conjunction with modern authentication, you begin to eliminate the need for passwords.

Tip 3: Eliminate the Weakest Points. Enrollment, emergency access, and resets are the weakest points in the authentication lifecycle, as hackers try to exploit these junctures to gain credentials. To avoid this, make sure that these credential lifecycle scenarios only use strong authentication like OTP (one-time PIN/password), FIDO, or other methods, which do not require the user to enter a password.
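The conditional and risk-based policies from Tip 2, the equivalent-method choice from Tip 1, and the lifecycle rule from Tip 3 can be expressed as one policy function. This is an added example, not RSA or VMware code; the tier table, thresholds, country list, and every name in it are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical assurance tiers. Methods sharing a tier are treated as
# equivalent, so a user may choose any of them (Tip 1).
METHOD_TIER = {"otp": 1, "push_approve": 1, "mobile_biometric": 2, "fido_token": 2}
LIFECYCLE_EVENTS = {"enrollment", "emergency_access", "reset"}  # Tip 3
ALLOWED_COUNTRIES = {"US", "DE"}        # constructed sample policy value
STEP_UP_RISK, DENY_RISK = 0.5, 0.8      # constructed thresholds


@dataclass
class AccessContext:
    event: str               # "login" or one of LIFECYCLE_EVENTS
    corporate_network: bool
    known_device: bool
    country: str
    risk_score: float        # 0.0 (benign) to 1.0 (high), from a risk engine


def decide(ctx: AccessContext):
    """Return (decision, acceptable_methods) for one access attempt."""
    if ctx.risk_score >= DENY_RISK:
        return "deny", []
    tier = 0  # 0 means no step-up is required
    # Lifecycle events always require a strong, password-free method.
    if ctx.event in LIFECYCLE_EVENTS:
        tier = max(tier, 1)
    # Conditional policies: network, known device, country of origin.
    if not (ctx.corporate_network and ctx.known_device):
        tier = max(tier, 1)
    if ctx.country not in ALLOWED_COUNTRIES:
        tier = max(tier, 2)
    # Dynamic policy: an elevated risk score forces the highest tier.
    if ctx.risk_score >= STEP_UP_RISK:
        tier = max(tier, 2)
    if tier == 0:
        return "allow", []
    return "step_up", sorted(m for m, t in METHOD_TIER.items() if t >= tier)


if __name__ == "__main__":
    samples = [  # constructed access attempts
        AccessContext("login", True, True, "US", 0.1),
        AccessContext("login", False, True, "US", 0.1),
        AccessContext("reset", True, True, "US", 0.1),
        AccessContext("login", True, True, "US", 0.9),
    ]
    for s in samples:
        print(s.event, s.risk_score, decide(s))
```

Because no password entry exists in the tier table, a reset or enrollment request can never be satisfied by a password, even from a trusted network and device.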

Tip 4: Make It Easy and Cost-effective to Manage. Eliminating passwords at the general user authentication level is likely going to be the easiest part. But there are also many systems and applications – legacy and SaaS – that require passwords, even if only for a smaller subset of privileged users. Addressing this scale can seem daunting and unrealistic, but there are cost and management efficiencies associated with moving away from passwords.

From a cost perspective, each password reset can amount to up to US$70 (according to Forrester Research), which, depending on the size of your organization, can get expensive quickly. Couple this with the potential costs associated with breaches and you can see how costly passwords can be. From a management perspective, focusing on a few key authentication methods and using risk-engine capabilities can reduce overall administration resources, time, and costs. And, with improved coverage and compliance visibility across all applications, cloud to ground, the right solution can enhance TCO. The overall benefits of moving to passwordless can justify the initial complexities.

How RSA Can Help

RSA SecurID Access is the world's most widely deployed multi-factor authentication (MFA) solution and the hybrid identity management platform that the most security-sensitive organizations trust to empower users to do more, without compromising security or convenience. It provides the best of both worlds with cloud-to-ground identity confidence that is secure, yet adaptive; frictionless, yet reliable; and robust, yet tailored. Like VMware, RSA can help you achieve your goals with trusted advice and technology:

  • Cloud-first Organizations. For customers born in the cloud, RSA can help you quickly adopt passwordless authentication that protects thousands of web-based and SaaS applications. RSA provides the highest levels of cloud security and reliability, with online and offline protection. Complementing its broad set of modern authentication methods, RSA supports FIDO authentication that can be a great passwordless solution for SaaS and web-based applications. RSA has been a member of the FIDO Alliance for many years, and as a co-chair of the Enterprise Deployment Working Group, has driven the standards to help eliminate passwords. RSA is U2F/FIDO2 certified, supports a variety of form factors – hardware, software, embedded, wearables and more – and also works closely with FIDO authentication leaders, such as Yubico, AuthenTrend, FEITIAN, and Hypersecu Information Systems, as part of the RSA Ready program to ensure out-of-the-box interoperability. You can see how RSA supports a passwordless, cloud-based experience through this demo.
  • Hybrid Organizations. For on-prem customers undergoing digital transformation, Click-to-Cloud provides the fastest and most secure path to the cloud, maximizing RSA SecurID Access on-prem investments while reducing complexity and implementation time. RSA's unrivaled hybrid model seamlessly enables new modern authentication methods and provides backward compatibility with legacy infrastructure. It eliminates the need to modify, upgrade, or reconfigure applications. It offers 24x7 cloud protection and availability with on-prem failover. For additional flexibility in complex customer environments, RSA offers REST-based APIs for integration into existing back-office systems, processes, and workflows, so you can create a passwordless experience throughout your organization.
  • Risk Scores for Everyone. For even greater assurance that users are who they say they are, RSA SecurID Access includes advanced machine learning capabilities with artificial intelligence to triangulate business context, device attributes, and behavioral characteristics to calculate the cumulative risk of an access attempt. Combined with flexible policies and optional SIEM integration, RSA SecurID Access continuously monitors behavior and drives trust elevation when required, creating a safe and passwordless experience with minimal user interaction.
  • Secure Self-Service Credential Management. To reduce stolen credential risks, RSA SecurID Access provides protected self-service options, eliminating weak points in onboarding, emergency access and credential recovery. RSA's self-service credential management portal, My Page, gives users control when they use a valid registered FIDO Token, SSO, or third-party IDP. In case of a misplaced authenticator (a lost FIDO key, for example) or mobile device that has a registered mobile authentication app, the user can tap into the emergency access method to get access. None of these workflows are dependent on passwords.
  • Authentication Choice. One of our tips for going passwordless advised organizations to make authentication easy for users to adopt, according to an organization's risk level. RSA offers a full spectrum of passwordless authentication methods to give organizations and users choice. Its modern authentication options include FIDO, push-to-approve, biometrics with fingerprint or facial recognition, "bring your own authenticator," and the gold-standard in authentication, RSA hardware tokens. RSA SecurID Access combines authenticator flexibility with always-on strong MFA and protection, including its unique "no fail-open" capability for Windows and macOS, which ensures convenient and secure access to applications even when the network is not available.

A Trusted Approach to Passwordless

Whatever approach your organization takes, look for trusted vendors with proven passwordless technologies. With RSA SecurID Access, RSA pioneered passwordless authentication and continues to protect tens of thousands of customers and more than 50 million identities. If you're interested in learning more about how RSA can help you eliminate passwords in your organization, check out the resources above or contact us. Have additional tips on implementing passwordless authentication? Share them on our RSA Link community.
