How to Deploy Passwordless Authentication Across a Diverse IT Environment

In this vlog, 1Kosmos CMO, Michael Cichon, is joined by 1Kosmos Director of Solutions Engineering, Jay Baskar, to discuss how to deploy passwordless authentication across a diverse IT environment. If you are interested in learning more about this topic, please join us at our webinar where we will be diving deeper into this topic.

Michael Cichon:
Hello everybody. This is Michael Cichon, Chief Marketing Officer at 1Kosmos. I’m here today with Jay Baskar. Jay is our Director of Solutions Engineering. I’ve invited Jay to talk about deploying passwordless authentication across a diverse IT environment. Jay, you’re joining us from Pune, India this morning, so thank you very much for taking the time.

Jayaram Baskar:
Thank you. Thanks for having me. Yeah.

Michael Cichon:
Yeah. So can you talk a little bit about the enterprise environment today and some of the challenges in deploying passwordless solutions? Are there gaps in this approach?

Jayaram Baskar:
Absolutely. So when you take large organizations, these mega organizations, there are a lot of solutions in play. You have solutions that take care of how the identity starts. You have the provisioning platforms that create identities and take the identity through its lifecycle. And you have governance platforms, you have authentication platforms, authorization platforms. So there are many, many solutions in play. And we need to make sure that at any point a user tries to access something, the user is authenticated.

So there needs to be a way a user can securely authenticate, be it just a Windows authentication, opening up your laptop or your Mac, and from there you are firing up your VPN. There you are authenticating again, and then you are going onto a browser to access a cloud application. Again, the user’s identity needs to be verified there as well. So there needs to be a way to identify the user securely, and authenticate the user, and all of this needs to be done in a manner that is more secure. And to reduce user passwords, we need to have a platform that can address all of these different endpoints. So anything the user touches, the solution needs to have a way to accommodate passwordless authentication for the user without compromising on security.

Michael Cichon:
Okay. So passwordless, it sounds fairly easy, but you’re talking about accessing the endpoint, accessing the VPN, accessing apps, browser-based access. How do we get to this? I mean, when we talk about the latest federated apps, passwordless access to those seems fairly straightforward, but we’re talking about environments that have been around for decades. So what are some of the thorny issues that you have to deal with?

Jayaram Baskar:
Absolutely. That’s a great question. So if you are a small organization that started in 2014, security is easy for you to build. You take a particular identity-as-a-service vendor, you create your identities there, and then you get single sign-on to all the apps. Every app that you use is probably a cloud app that does modern SSO, modern ways of doing governance. But if you’re an organization that has been there for decades, you still probably have mainframes, you still have legacy applications that do form-based authentication.

A developer probably developed the code in 1997 and then left, and nobody touches the code. It just works, don’t touch it. So these kinds of applications are easy targets, and you’re only as strong as your weakest link. So that’s the big problem for these large organizations. You need to have a solution that can cover all of those as well. So legacy applications, how can you authenticate into those right now? Typically, you use your network ID and password, and once that’s exposed, it’s easy to hack. So the solution needs to have a way to provide passwordless authentication for these systems as well. So security is only better if the weakest applications are also accommodated.

Michael Cichon:
So I did a search on my mobile handset earlier today, and four different authenticators came up. How does a passwordless solution deal with the two-factor authentication that’s already existing within the enterprise?

Jayaram Baskar:
That’s a great question. So, we speak to a lot of organizations that are Fortune 100. And a lot of these organizations have an existing two-factor solution already. And we have seen scenarios where there is a big push or an appetite for using a modern passwordless authentication platform, but they still have some legacy 2FA platform. So what we are seeing is some organizations have gone through this process of acquiring a modern solution, but what they ended up seeing is that this modern application, the modern passwordless platform, was not supporting all endpoints. It supports some cloud apps. It supports some OS authentications, but it doesn’t do some thick clients, for example, or legacy applications.

So what the organizations are forced to do is to have two separate sorts of authentication. One is using the legacy 2FA, one is using modern MFA. So the risks there are twofold. One is you have split scenarios. So you have one set of applications using a less secure legacy 2FA and one set of applications that use a more secure way of authentication. But attackers go for the path of least resistance. So they will always choose the easiest way to get in, and then once they’re in, they can do some lateral movement.

Michael Cichon:
Got it. Got it. So biometric authentication is now getting quite a bit of airplay. Does biometric authentication also have security gaps?

Jayaram Baskar:
Biometrics. Yeah, you can… As a security professional, I would never say anything is the most secure and can never be hacked. So if you look at passwordless, where it came from. Passwords have been in use since the 1960s, and then the OTPs came about in the late ’90s and they were mainstreamed by the early 2000s. So those two factors are something you know and something you have. But if you look at the most secure way to do authentication, which is biometrics, we knew it all along. It’s not that we didn’t do it; we humans knew it all along that something you are, using biometrics, is the most secure one. But back then, biometric authentication was only possible in some Tom Cruise movies. But now we have all these smartphones that have the capability to do biometric authentication, and your laptops have the capability as well. So biometric authentication using the capabilities that we already have, your smartphones, your laptops, is taking center stage in authentication now, and rightly so.

Michael Cichon:
The reality is that some of these systems, you mentioned mainframes, these systems are not going passwordless, not anytime in our foreseeable future. So, what does biometric authentication or any of this passwordless authentication have to do with these systems that cannot go passwordless?

Jayaram Baskar:
Good question. So you are still going to be stuck with some applications that will force you to use passwords to authenticate, and they can never be compatible with any kind of passwordless way to authenticate. But what you can do is, and we are seeing organizations do this, right? Time and again, I’ve been seeing organizations move from eight-character passwords to 12-character passwords, and then increasing the complexity of the passwords.

And now we are seeing organizations trying to push for 16-character passwords. I mean, I would argue that it’s humanly impossible for me to remember a 16-character password with special characters. But that’s where the organizations are heading because these mainframe applications, for example, cannot do passwordless. So the only way to increase security is to make the passwords more complex. But when you do that, what you inherently do is reduce the user experience, so the users hate it and they are going to forget their passwords more and more. So the password reset becomes a bigger pain. It has already been a big pain.

Now, we are going to make it a bigger and bigger pain as we increase the password complexity. So you need to have a solution that also allows you to reset your password, let’s say for example, in a much easier way, like from your smartphone, just using biometrics. So don’t ask them for their old password, because that’s a pain. And don’t ask them to pick up a phone and contact the help desk. That’s an even bigger pain. So users should be able to have everything at the tips of their fingers, on their mobile phone: use biometrics, authenticate yourself, change your password to something very secure, use it with these applications that cannot do passwordless. And then for the rest of the applications, you just use your biometrics. You don’t need to touch anything.

Michael Cichon:
Great. Well, that’s really good insight. Appreciate you sharing that. Listen, we have a webinar coming up on January 26th. It’s at 10:00 AM Pacific time, 1:00 PM Eastern. If you’re seeing this after the 26th, it’ll be available for replay on the webinar page. But this is going to cover how to deploy passwordless in these complicated environments that you’ve described. I really appreciate you walking through this, Jay. Passwordless sounds easy, but when you start to deploy it, some of the devil’s in the details or God is-

Jayaram Baskar:
Absolutely. Yeah.

Michael Cichon:
So thank you very much. Appreciate your time today.

Jayaram Baskar:
Thanks for having me on. Thank you.

Meet the Author

Michael Cichon

CMO of 1Kosmos

Michael is a Silicon Valley veteran with over two decades of experience marketing B2B SaaS solutions for startups and publicly traded companies. Prior to joining 1Kosmos, Michael held VP of Digital and Content Marketing roles at both Agari and ThreatMetrix.