Passwordless Security Guide
Passwordless IAM for the Enterprise
Over the past decade the costs of launching a credentials-based attack on an enterprise have dropped significantly, while the cost of defending against such attacks has skyrocketed.
A big reason is that hackers are no longer trying to crack passwords. Instead, they are weaponizing millions of previously stolen passwords against users. Hackers attempt to find accounts that reuse passwords across websites — and thanks to password reuse, large-scale attacks like credential stuffing and password spraying now make up a majority of website traffic.
The worst part is — despite millions of dollars invested in multi-factor authentication (MFA) — most companies still rely on passwords: the hackers' favorite target. Legacy MFA products rely on passwords and shared secrets and over the years these products have failed to eliminate the password. As a result, Enterprises are now migrating to True Passwordless MFA powered by open standards and public-key encryption.
What Does the Passwordless Enterprise Look Like?
Thanks to True Passwordless Authentication, businesses can deploy a passwordless workforce in just days. Built-in support for 3rd party identity products and Single Sign-On (SSO) providers has allowed IAM leaders to extend this new approach to enterprise access across the organization. The use of open standards such as FIDO has made the technology interoperable with legacy system.
Today, passwords are being used across a number of significant use cases:
The familiar workstation login process for employees and users can benefit from passwordless security in several ways.
First, the technology will reduce the aggregate time spent by employees typing passwords. By some estimates, employees might waste as much as 24 hours per year typing passwords each day as part of their normal work activity.
Second, the introduction of passwordless workstation login can make the day-to-day experience of using computers more comfortable and enjoyable. This helps drive employee productivity and accelerates digital transformation.
An important aspect of enabling passwordless workstation login is to ensure that people can authenticate with any type of passwordless login method such as a mobile app, FIDO security token, or built-in authenticator (i.e. Windows Hello). This interoperability ensures that they have primary and fallback authenticators they can use anytime, and they are always able to access their workstation. The ability to use passwordless offline mode is also critical, as users may sometimes find themselves ready to work but unable to connect to the internet.
Virtual Private Networks (VPN)
A remote workforce VPN creates a virtual tunnel between the user’s endpoint device and the target enterprise. Such remote access by employees, third parties, and even customers is generally done over the Internet with all traffic encrypted end-to-end. A network access server typically terminates VPN requests and authenticates requests based on credentials and passwords. With VPN usage up nearly 54% in 2020, due in part to the pandemic, passwordless support for this process will reduce the massive costs of maintenance tasks such as password resets. See a demo of passwordless VPN login.
Single Sign-On (SSO)
As a component of the identity and access management (IAM) infrastructure, single sign-on (SSO) capabilities allow people to authenticate once to multiple resources with one set of credentials. The trust relationships required between a remote worker and a targeted resource implies the need for high levels of security, typically multi-factor authentication (MFA).
Unfortunately SSO implementations have historically relied on passwords. Since SSO is intended to reduce friction, passwordless support is a natural extension of the function. Passwordless SSO takes this channel to its logical next step by removing passwords from the initial login, binding people to their personal trusted device and allowing them to extend authentication throughout their session. Learn more about passwordless single-sign on powered by HYPR.
Remote Desktop Protocol (RDP)
Enterprise teams often use the remote desktop protocol (RDP), developed by Microsoft, to support remote users connecting to other systems via a simple graphical user interface. It requires that both ends of the connection include special RDP client software for the initiator, and RDP server software for the resource being accessed.
Unsurprisingly, RDP attacks are on the rise, reaching an all-time high in mid-2020. In all cases, RDP requires multi-factor security as much as possible, and passwordless MFA is a desirable option that supports the convenience goal of RDP, while also addressing the obvious risk posed by exposed RDP access ports. See a demo of RDP multi-factor authentication.
Virtual Desktop Infrastructure (VDI)
Companies use virtual desktop infrastructure (VDI) to create local desktop views of remote server systems, applications, and software. VDI essentially involves hosting desktop environments on a centralized server, where each desktop image runs on a virtual machine (VM). People access a virtual desktop via their PC, tablet, or other device. The adoption of VDI has been rapidly accelerating over the past 5 years, especially among high assurance environments.
An important common design consideration for VDI is scaling across a large environment, which implies heavy administrative burdens for password reset functions. The friction of password-based authentication for VDI environments poses a hurdle to its adoption. Passwordless VDI implementation is thus an important time and cost saver in such environments that can accelerate usage across the enterprise.
How do I Deploy Passwordless to my Employees?
While Identity challenges and IT environments can be complicated, your passwordless journey should be simple. Read the Password Elimination Guide for best practices, tips, and an outline of how organizations are achieving similar company-wide deployments of True Passwordless MFA.