IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Passwordless Authentication: Bridging the Gap Between High-Security and Low-Friction Identity Management
By Steve Brasen
An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) Research Report
June 2019

Sponsored by:


Table of Contents

©2019 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com


Executive Summary ... 1
Introduction: Evolving Requirements for Authentication ... 3
Research and Methodology ... 4
Perceptions on the Scope of “Passwordless” Authentication ... 5
Adoption of Identity Technologies ... 8
The Consequences of Password Overreliance ... 12
Simplifying the Management of User Access ... 16
Meeting Security Requirements ... 21
User Requirements and Experiences ... 23
Establishing Low-Friction Access with High Security ... 25
EMA Perspective ... 30

PAGE 1

Executive Summary

Today’s enterprise IT services continue to be broadly reliant on antiquated, ineffective, and unsecure password-based authentication controls. High-friction authentication processes reduce workforce productivity, create negative user experiences, damage business reputations, and are time-consuming and costly to manage. While passwordless approaches to authentication are increasingly recognized as powerful alternatives to traditional passwords, many organizations are unsure of the level of security passwordless solutions offer, what types of solutions will optimally address their organization’s needs, and how to responsibly transition to low-friction identity management solutions. To assist organizations with making actionable decisions, Enterprise Management Associates (EMA) has conducted primary, survey-based research with the goal of identifying the requirements, challenges, value, and optimal approaches to introducing passwordless authentication solutions. Key findings from the research include:

• Biometric-based authentication solutions and hardware tokens are most frequently recognized as passwordless authentication technologies.

• Passwords and personal identification numbers (PINs) continue to be the most popularly employed methods of authentication; however, this dependency has declined substantially over the last year.

• More than 90% of respondents indicated their organization experienced a significant password policy violation in the last year.

• Incidents of passwords being used for multiple accounts and users physically writing down passwords were each noted by more than one-third of respondents.

• 71% of respondents were able to correlate access security violations to severe business consequences, most notably employee terminations, security breaches, and an inability to meet regulatory compliance.

• The deployment of authentication resources ranks as the most difficult and time-consuming identity management task.

• Mobile device authentication solutions were determined to be the easiest of all identity management technologies to deploy, while one-time passwords were indicated to be the most challenging.

• On average, administrators spend roughly 27 hours each year resolving user access problems for every 100 users. That is the equivalent of having to employ one full-time administrator dedicated to solving just access problems for every 7,500 users.

• The greatest concern organizations have with transitioning to low-friction authentication solutions is integrating the technologies with third-party security management platforms.

• The adoption of standards—including Security Token Service (STS), Security Assertion Markup Language (SAML), and the Fast Identity Online (FIDO) Alliance—are considered to be very or critically important to a large majority of responders for their ability to significantly reduce integration efforts.

• Half of respondents reported they believed passwordless approaches to authentication were more secure than passwords. By comparison, only 30% believed passwords were more secure.

• 92% of respondents indicated they did not believe their currently-adopted identity management solutions will prevent all security breaches.

PAGE 2

• Biometrics and hardware tokens offer the most secure methods of authentication, according to the majority of survey respondents.

• Biometrics and hardware tokens were also determined to be the authentication approaches that provide the biggest boost to user productivity.

• Enabling mobile device authentication with biometric-based access creates a “best of both worlds” scenario that ensures easy deployment, high security, and improved user productivity.

• There is a direct correlation between the number of times a user authenticates and the number of user access problems that need to be addressed.

• Low-friction identity management approaches improve user experiences while simultaneously enhancing security and reducing management efforts.

PAGE 3

Introduction: Evolving Requirements for Authentication

It seems like just about everyone hates passwords. IT managers dislike passwords because they are difficult to manage, security managers distrust passwords because they are not particularly secure, and end users especially despise passwords because they are endlessly getting in the way of completing essential activities. The latter is undoubtedly relatable to anyone who has ever used any type of personal computing device. Few technology annoyances are as reviled as being prompted to enter a password that you no longer remember. The experience ranks right up there with systems crashing on an unsaved document, malware infections, and receiving the dreaded “bluescreen of death.” To most users, passwords represent barriers that slow down their productivity and inhibit their ability to rapidly perform job tasks or achieve personal goals. To businesses, an overreliance on password controls means sacrificing organizational agility, workforce productivity, and user satisfaction—all for the perception of meeting security requirements.

While passwords continue to be the most commonly adopted form of user authentication, mounting evidence suggests they are actually the weakest link in enterprise security. Perceptions of the value of passwords as a security tool are most frequently founded on the precept that “this is the way it’s always been done.” Indeed, password-based controls have been around since the early days of computing, dating back to the MIT CTSS operating system in the early 1960s. However, the early pioneers of computing had no way of predicting that future generations would have to memorize dozens of unique and complex text strings and be required to change them all at regular intervals. Human brains, it seems, have not evolved to the point of reliably retaining variable cryptographic information. There is a certain irony in the fact that one of the key values humans receive from computing technology is the ability to store and rapidly recall complex information that brains are unable to retain, but to do so, people must memorize and recall complex password strings.

The fundamental purpose of a password is to positively identify the user requesting access to technology resources, including applications, data, servers, devices, or IT services. However, passwords make no true determination on the validity of the user, instead granting access to anyone who happens to know the text string (whether they are authorized or not). This discrepancy between purpose and function exposes a whole host of opportunities for exploitation by nefarious actors. Brute force attacks can be used to systematically identify password strings, keystroke logging can capture when users enter their passwords, and phishing schemes can trick users into sharing their passwords. With an increasing number of attacks and a continued reliance on weak authentication tools, it is no wonder that one out of every four American citizens was a victim of a cybercrime in 2018 (as noted in a recent Gallup report [1]). While security-focused password management tools continue to be developed and improved, none—to date—have proven to be foolproof in preventing all breach events.

In developing identity and access approaches and policies, most organizations are principally focused on meeting requirements for security assurance, rather than on facilitating user access. This is unfortunate because without user access requirements, there is no need for security. If all organizations truly care about is security, they can simply shut down their IT systems and they are done. Enabling user access is what drives business performance and workforce productivity, but authentication processes commonly inhibit user effectiveness. At the heart of the problem is the number of tasks users must perform in order to gain access to their needed resources. This is commonly referred to as the level of “friction” applied to achieve confidence in a user’s identity. High-friction solutions require the frequent input of passwords, personal identification numbers (PINs), or other interactive forms of authentication. By comparison, a low-friction approach to authentication will involve little or no user interaction.

[1] https://news.gallup.com/poll/245336/one-four-americans-experienced-cybercrime.aspx

Clearly, the broad and continued reliance on passwords and other high-friction authentication processes is unsustainable. To ensure businesses maintain agility and efficiency, organizations must transition to authentication solutions that simultaneously accelerate security assurance while streamlining user access experiences. While that may sound like a “have your cake and eat it too” scenario, numerous authentication technologies are available that offer the potential to satisfy critical enterprise requirements. Alternative solutions to traditional password-based authentications can fundamentally transform IT service delivery, simplify administrative processes, and accelerate user productivity.

Research and Methodology

Despite broad recognition of the value of passwordless approaches and general disapproval of traditional password-based controls, many IT and security managers are challenged to identify which authentication approaches will most effectively address their organizational requirements. Additionally, organizations are often not clear on which authentication technologies they can trust and are confused about the processes they should introduce to transition to a low-friction access management solution. To assist with the identification of current challenges and requirements, as well as key considerations when adopting a solution, Enterprise Management Associates (EMA) conducted primary research on the adoption, uses, and outcomes organizations have experienced with various authentication approaches.

For the research, EMA surveyed 200 IT professionals knowledgeable about the management and use of identity and access management services in their organization. Respondents were distributed across a wide range of industry types and sizes to enable visibility into requirements and experiences by market segment. Nearly all respondents (96.5%) were physically located in North America. All respondents were carefully vetted to ensure they were knowledgeable about the topic and use of authentication solutions in their organization. More than half of respondents (56.4%) hold executive-level positions in their companies, including CTO, CIO, CISO, IT director, or IT manager. Detailed demographics of survey respondents can be found in the full edition of this report.


PAGE 5

Perceptions on the Scope of “Passwordless” Authentication

Typically, the basic definition of the primary subject of a research project would be appropriately relegated to the introduction of a report such as this. However, as has been made clear by the survey results, IT professionals have very different opinions about what constitutes “passwordless” authentication. This is not helped by the reality that the term “passwordless” is not actually a real word (a fact that irritates our copy editors to no end). While the definition of passwordless authentication may seem intuitive—any authentication solution that is enabled without the need for users to enter a password string—there is a surprising number of technologies that may or may not qualify, depending on how the solution is applied. Principally, the vagaries of the term involve solutions that reduce the number of passwords a user needs to enter, but may not eliminate them entirely.

Technologies that most frequently fall into the gray area of passwordless authentication are single sign-on (SSO), password vaulting, and one-time passwords (OTP). All three incorporate traditional password processes but seek to limit the frequency of password challenges. For instance, SSO allows a single password to be used to access multiple accounts, while password vaulting stores encrypted password strings in a centralized repository and then automatically enters the password the next time it is requested on the user’s device. OTP solutions, however, are often used as part of a two-factor or multifactor authentication process, issuing a temporary passcode to users only if elevated security authentication is required. The OTP code may be issued via text message, email, or an automated voice call. A common use case for OTP is to enable password resets if a user forgets their credentials or for initial account setups. It is not uncommon for organizations to adopt one or all three of these authentication solutions in order to minimize the number of password challenges.

Respondents to EMA’s survey broadly recognized biometric-based authentications as passwordless approaches (Figure 1). Biometric authentication methods determine the identity of the user based on the user’s physical attributes, such as fingerprints, facial features, eye retinal patterns, and voice prints. It is important to note that most biometric approaches are not completely friction-free. Users are still required to perform some minor task—such as to place their thumb on their device or center their face in the camera—but most individuals recognize these tasks as very low-friction. The chief value in biometrics is simply that they replace the need to memorize complex password strings. Overall, 82% of respondents identified at least one of the four basic biometric approaches as a passwordless solution.


PAGE 6

Figure 1: Percentage of respondents identifying types of authentication technology as “passwordless”

Authentication technology                 Identified as passwordless
Facial recognition                        68.5%
Thumbprint                                65.0%
Retinal scan                              57.0%
Voice print                               49.0%
Hardware tokens                           38.5%
Behavioral biometrics                     33.0%
Mobile device authentication              25.0%
PC device authentication                  23.0%
Software tokens                           19.5%
Single sign-on (SSO)                      18.0%
Personal identification numbers (PINs)    14.5%
One-time password (OTP)                   11.0%
Password vaulting (auto-fill)             10.0%

Behavioral biometrics were only recognized as a passwordless technology by one-third of respondents, even though it is a clear candidate for that designation. As the name implies, behavioral biometric approaches to authentication identify users based on their uniquely applied actions and mannerisms, rather than on physical attributes. For instance, a behavioral biometric solution may utilize the sensors in a smartphone to identify the user’s gait, or the unique motions people make as they walk and move. Other approaches may identify users by the speed and pattern in which they enter keystrokes, mouse use characteristics, signature analysis, or the way in which they perform tasks in a daily routine. Behavioral biometrics as a class of authentication solutions certainly includes the newest and most cutting-edge approaches on the market, so it seems likely that the majority of respondents simply were not familiar with the term or how the technology functions.

Interestingly, almost twice as many respondents recognized hardware tokens as a passwordless approach as identified software tokens. Hardware tokens (also known as security keys) are more familiar to responders because related solutions have been in use for decades. Types of hardware tokens include key fobs, USB keys, or smartcards. The basic function of all hardware token approaches is to provide an encrypted key that replaces the need for a password. Early hardware token solutions required users to manually enter PINs or other codes generated by the physical token. Today’s more effective solutions deliver the encrypted strings wirelessly (such as over Bluetooth connections) or when the token is directly connected to a user device (such as when inserted into a USB port) without requiring any user interaction. Software tokens similarly generate encrypted access keys, but do so from an application installed directly on user devices, rather than from a physical device.

Both mobile device authentication and PC device authentication were acknowledged as passwordless solutions by roughly one-quarter of respondents. Both approaches operate on the philosophy that if the device requesting access is known to belong to a user and has already authenticated that user, it is not necessary to re-authenticate the user. This approach is particularly advantageous for adopters of mobile device authentication, since users today typically carry smartphones everywhere, and these may be used as a common point of authentication for a variety of different types of personal and business-related access requests. Naturally, though, to qualify as a passwordless solution, the initial authentication of the user onto their device must not involve the input of a password, and the most effective approaches incorporate a variety of biometric or token-based solutions. Therefore, responders to EMA’s survey would likely only recognize device authentication as a passwordless approach if they are familiar with solutions that are designed to integrate with or utilize non-password-based identity technologies.

PAGE 8

Adoption of Identity Technologies

Today’s organizations rely on a very diverse range of authentication approaches. This is partly due to an increase in usage of two-factor and multifactor authentication approaches, but mostly it is a result of the simple fact that different devices, applications, and user preferences introduce requirements for alternative methods of authentication. This is actually very good, since there is no “magic bullet” identity approach—no single form of authentication will be appropriate and completely secure in every scenario. Overall, the diversity of adopted authentication technologies is aligned with the size of the organization (Figure 2). This is a logical correlation, since the number of authentication approaches increases with the number of supported users and the proportional increase in the variety of use cases.

Figure 2: Percentage of respondents indicating types of authentication currently in use in their organization

Authentication type                       Small businesses        Medium businesses              Large businesses
                                          (less than 1,000)       (1,000 to 7,500 employees)     (greater than 7,500)
Username/password                         73.33%                  67.95%                         45.45%
Personal identification numbers (PINs)    40.00%                  46.15%                         38.64%
Mobile device authentication              37.33%                  42.31%                         34.09%
PC device authentication                  28.00%                  38.46%                         38.64%
Thumbprint                                26.67%                  41.03%                         34.09%
Hardware tokens/security keys             25.33%                  33.33%                         40.91%
Email one-time password (OTP)             18.67%                  33.33%                         36.36%
SMS one-time password (OTP)               14.67%                  29.49%                         31.82%
Software tokens                           12.00%                  17.95%                         34.09%
Facial recognition                         9.33%                  16.67%                         15.91%
Voice one-time password (OTP)              8.00%                  12.82%                         15.91%
Retinal scan                              13.33%                  10.26%                          9.09%
Voice print                               16.00%                   5.13%                          6.82%
Behavioral biometrics                      0.00%                  10.26%                          4.55%

PAGE 9

Passwords and PINs continue to dominate as the most frequently used forms of authentication (64% and 42% of respondents, respectively). This is no surprise because they are commonly the basic default identity control for most devices, applications, and IT services. However, EMA research from just one year ago [2] indicated a much broader reliance on password-based authentication, which points to a clear move toward more low-friction approaches. Technologies that enable mobile or PC devices to act as a central user identifier were also indicated to be broadly adopted, particularly among midsized businesses. However, it is important to note that these approaches rely on other forms of authentication, which may or may not rely on passwords or PINs, in order to authorize access to the device.

Among fully passwordless approaches to authentication, thumbprints stand out as the most popularly adopted solution, as indicated by one-third of survey respondents. Most smartphones and many laptops today include thumbprint readers, making it an easy option to deploy. Additionally, end users are increasingly becoming familiar with utilizing thumbprint authentication as opposed to other passwordless approaches. Across all biometric-based authentications (thumbprint, facial recognition, retinal scan, voice print, and behavioral biometrics), 43% of respondents indicated they were in use in their organization.

[2] https://www.enterprisemanagement.com/research/asset.php/3576/Pragmatic-Identity-and-Access-Management

Hardware token adoption was indicated to have increased from 23% to 32% over last year. Interest in this class of solutions is likely boosted by improvements in the technology, enabling proximity-based options (e.g., with Bluetooth-connected key fobs) that create very low-friction experiences coupled with support for standards (such as FIDO) that enable the devices to be used for a broad range of use cases. Larger organizations more frequently reported adopting hardware token solutions, principally because large businesses are in a better financial position to purchase and distribute devices. By comparison, software tokens were indicated to be on a decline, dropping from 37% of reported users last year to just 19% this year. Non-adopters of software tokens noted they believed the technology to be less secure and harder to integrate than other approaches. However, it should be noted that while there are a number of “free” software token solutions available for which these concerns may indeed be valid, a number of vendors have developed solutions with more hardened security and integrated management capabilities.

While authentication solutions provide the principal method for determining users’ identities, the processes for governing the use of authentications are relegated to identity management technologies. However, the different types of identity management solutions support very different sets of requirements and are frequently used in conjunction with each other. With that in mind, it is important to understand the function of the most essential identity management technologies before discussing their current adoption rates.


PAGE 10

• Two-Factor Authentication (2FA) – Provides elevated security to identity management by requiring two separate forms of authentication. Typically, an authentication solution will be adopted from two of the following three categories: something the user knows (such as a password or PIN), something the users have (such as a hardware token), or something the users are (such as a biometric authentication).

• Multifactor Authentication (MFA) – Provides elevated security to identity management by requiring two or more forms of authentication. While technically 2FA is considered a subset of MFA, solutions supporting MFA typically provide more advanced functionality than just adding a second authentication factor. For instance, an MFA solution may randomly select from a variety of available authentication methods to make it difficult for an unauthorized individual to predict the method they will need to defeat at any given time. Additionally, “step-up” MFA solutions may increase or decrease the number and/or severity of authentications based on the perceived level of risk associated with allowing the access.

• Single Sign-On (SSO) – Enables access to multiple accounts by entering a single ID and password (or other form of authentication). Once identified, the user may access any account managed by the SSO system.

• Password Vaulting – Stores passwords in a centralized and encrypted repository and autofills the password anytime a user is challenged to authenticate with a cached credential. Password vaults may store encrypted passwords locally on user devices, but are more commonly hosted either on enterprise servers or public cloud environments. Password vaulting solutions are also sometimes referred to as “password managers.”

• Identity Risk Analysis – Employs intelligence technologies (such as cognitive computing, analytics, or language processing) to dynamically determine the level of risk associated with authorizing an access request. Solutions in this category leverage detailed information to establish a risk score with the access request. If the risk score falls below a predetermined threshold, access may be denied, additional authentication factors may be required, an alert may be sent to the business, and/or other appropriate responses may be automatically initiated. Identity risk analysis is often used to support step-up MFA implementations.

• Contextually-Aware Access – Determines the type and strength of authentication approaches based on the context of the access request. Contextually, considerations may include the business role of the user, the physical location of the user/device, the processes currently running on the device, the network segments over which the device is communicating, and the sensitivity of the IT resources (data, apps, and services) being accessed. While contextually-aware access policies are typically threshold-based, the collected states may be used to feed an identity risk analysis solution to more intelligently determine levels of risk with the access request.

• Adaptive Authentication – Applies access policies to authentication processes based on learned behaviors of user activities. Solutions in this category monitor user behaviors over time—such as which applications they start at a particular time of day, the order in which they perform tasks, the physical manner in which they touch and use their devices, or the locations from which they most frequently perform tasks. When conditions differ from expected baselines, stronger or more frequent authentications may be required. Adaptive authentication solutions are often used to provide additional contextual information to access requests and may feed status data to identity risk analysis solutions that support MFA deployments.
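As an added example (not code from the report or from any vendor it surveys), here is a small policy engine in Go that combines the contextual and behavioral signals described above into a risk score and then chooses between allowing the request, stepping up to additional factors, and denying it with an alert. The signal names, weights and thresholds are assumptions for this example, and a higher score means higher risk.

```go
package main

import "fmt"

// AccessContext carries the signals the report lists under contextually-aware
// access and adaptive authentication. The fields and weights are assumptions
// made for this example, not values from the EMA survey.
type AccessContext struct {
	Role                string  // business role of the user ("employee", "admin")
	TrustedLocation     bool    // device is at a known office location
	ManagedDevice       bool    // endpoint is enrolled and reports an expected process list
	UntrustedNetwork    bool    // request arrives over a segment outside the corporate network
	ResourceSensitivity int     // 0 = public, 1 = internal, 2 = confidential, 3 = restricted
	BehaviorDeviation   float64 // 0.0 = matches the learned baseline, 1.0 = entirely unfamiliar
}

// Decision is what the policy engine hands back to the access gateway.
type Decision struct {
	Score   int      // higher means riskier in this example
	Action  string   // "allow", "step-up" or "deny"
	Factors []string // additional factors demanded when Action is "step-up"
	Alert   bool     // whether the business is notified
}

// RiskScore turns the collected states into a single number. Each signal
// contributes independently, so the score stays explainable to an auditor.
func RiskScore(c AccessContext) int {
	score := 0
	if !c.TrustedLocation {
		score += 20
	}
	if !c.ManagedDevice {
		score += 25
	}
	if c.UntrustedNetwork {
		score += 15
	}
	score += 10 * c.ResourceSensitivity    // more sensitive data, less slack
	score += int(40 * c.BehaviorDeviation) // adaptive authentication input
	if c.Role == "admin" {
		score += 10 // privileged roles are held to a tighter threshold
	}
	return score
}

// Decide applies the thresholds: low risk passes on the base factor alone,
// medium risk steps up to one or two extra factors, high risk is denied and
// raises an alert. The thresholds are assumptions for this example.
func Decide(c AccessContext) Decision {
	d := Decision{Score: RiskScore(c)}
	switch {
	case d.Score >= 80:
		d.Action, d.Alert = "deny", true
	case d.Score >= 40:
		d.Action = "step-up"
		d.Factors = []string{"platform biometric"}
		if d.Score >= 60 {
			d.Factors = append(d.Factors, "hardware security key")
		}
	default:
		d.Action = "allow"
	}
	return d
}

func main() {
	// Constructed sample requests, from a routine one to a clearly anomalous one.
	requests := []AccessContext{
		{Role: "employee", TrustedLocation: true, ManagedDevice: true, ResourceSensitivity: 1},
		{Role: "employee", ManagedDevice: true, UntrustedNetwork: true, ResourceSensitivity: 2, BehaviorDeviation: 0.25},
		{Role: "admin", UntrustedNetwork: true, ResourceSensitivity: 3, BehaviorDeviation: 0.5},
	}
	for _, r := range requests {
		d := Decide(r)
		fmt.Printf("score=%3d action=%-7s factors=%v alert=%v\n", d.Score, d.Action, d.Factors, d.Alert)
	}
}
```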


In total, 99% of EMA survey respondents reported adopting at least one of the noted identity management technologies (Figure 5). Most frequently mentioned (by 62% of respondents) were 2FA solutions. 2FA provides the most basic improvement to native password-based authentication tools by simply layering a second authentication factor on top of what is already being used. Organizations are typically attracted to this approach because it allows them to provide some security improvements without incurring the deployment efforts and related costs often required for more comprehensive identity management deployments. By comparison, MFA was noted as being adopted by only 45% of respondents' organizations. Both 2FA and MFA were more broadly adopted by midsized to large businesses in comparison to small businesses.

Figure 3: Percentage of respondents indicating types of identity management technologies currently in use in their organization

Two-factor authentication (2FA): 62.0%
Single sign-on (SSO): 52.0%
Multifactor authentication (MFA): 45.0%
Identity risk analysis: 32.0%
Password vaulting: 29.0%
Adaptive or risk-based authentication: 17.0%
Contextually-aware access: 8.5%
None of the above: 1.0%


The Consequences of Password Overreliance

Perhaps the greatest danger to enterprise security is the continued belief that passwords are an effective method of determining user identities. This naïve presumption is, in fact, the leading cause of security breach events and the primary reason people can no longer pick up a newspaper without reading about some large company exposing sensitive information to hackers. EMA survey respondents from organizations still reliant on password-based authentication controls consistently noted unacceptably high rates of policy violations (Figure 6). Overall, more than 90% of respondents noted significant password policy violations in just the last year. The most frequently reported was that identical passwords are being used to support multiple accounts. This is symptomatic of an accelerating problem in which hackers use brute force attacks to break into low-security systems, steal password tables, and apply those passwords to break into high-security systems. The suggestion in the survey results is that such an attack would yield a roughly 39% success rate in breaching highly-sensitive business IT resources. This is a particularly serious challenge because it is difficult to prevent. Even stringent password management systems can only enforce (at best) unique passwords on the IT services and systems they are specifically instructed to monitor. For example, they will broadly not protect non-business-related assets, such as a user's private email or social media account. When these public resources are breached, captured passwords are sold and distributed across the dark web, and can then be used to attack business resources that support the same users.

Figure 4: Average percentage of employees that have violated enterprise password policies in the last year, according to survey respondents

The same password cannot be used for multiple accounts: 39.06%
Passwords must not be physically written down: 34.70%
Previous passwords cannot be used during password resets: 30.53%
Password must meet strength requirements: 29.95%
Passwords must be reset periodically: 28.52%
Accounts and passwords must not be shared between multiple users: 26.23%
Passwords must not be distributed in open communications: 25.62%


Also frequently noted by survey respondents is the violation of policies restricting users from writing down passwords. More than one-third of users, on average, are responsible for engaging in this transgression. This challenge is emblematic of the error of depending on human memory to determine user identity. As much as people would like to believe otherwise, human memory has proven not to be very accurate, particularly when required to retain complex strings of information. The average person can reliably remember only about three unique password strings. After that, they will have to either reuse passwords for multiple accounts or physically store them somewhere. While a password vault would indeed be a preferred location for storing passwords, it is not uncommon for users to simply write them on a sticky note strategically placed on their work monitor for all the world to see. Clearly, this inappropriate practice completely negates the value of requiring a secret password in the first place.

Even more egregious than writing down passwords are users who share accounts with other users, which was noted as occurring in 70% of respondents' organizations. While the average percentage of users who violate this policy is lower than for other transgressions, it was still recognized as applying to a full quarter of users. This leads to a lack of accountability in user security practices and increases the risk that the shared account will be breached. Organizations that reported high percentages of users sharing passwords also noted excessive incidents of distributing unencrypted passwords over open communications, such as public email systems. It seems many users continue to be unaware (or unconcerned) about the fact that emails are completely unprotected and easily intercepted. Emails travel along the internet by moving from server to server, copying themselves in an open text format at each step along the way. Additionally, network packets can be easily "sniffed" to reveal unencrypted content. Similarly, sharing passwords over social media or text messaging is tantamount to broadcasting them to the world.

It is also discouraging to see roughly 70% of respondents report a lack of control over strong password setting processes. These include ensuring users do not reuse old passwords, meet strength requirements on passwords (e.g., include a mix of uppercase and lowercase letters, numbers, and special characters), and periodically perform password resets. What makes these challenges particularly egregious is that they are eminently preventable. Even the most basic password management solutions available in the marketplace, as well as tools built into operating systems, are able to enforce password restrictions or alert when they are not being followed. Looking a little closer at the frequency of password changes reveals some key trends in delinquency (Figure 7). On average, survey respondents indicated users are required to change passwords 4.74 times per year in their organizations. However, they also reported users actually change their password only 4.4 times per year, on average. The discrepancy between the two numbers can be attributed to the roughly 29% of users who fail to meet minimum enterprise requirements for password resets.


Among industry verticals, professional services and retail businesses noted excessively high levels of non-compliant password resets. Conversely, high technology companies reported the best results in ensuring users meet requirements, undoubtedly boosted by the increased level of automated management solutions commonly employed in high technology businesses that enforce password policies. Financial institutions indicated the most stringent password reset policies, requiring users to reset passwords roughly seven times each year. However, financial companies are, in most cases, successfully meeting their objectives, which is likely due to an elevated focus on the requirements in order to achieve regulatory compliance. Similarly, highly regulated government and healthcare businesses appear to be mostly successful with meeting password reset goals.

The high frequency of password-related policy violations is resulting in significant, real-world consequences for business and users. In total, 71% of responders were able to correlate policy violations to specific penalties. Employee terminations were noted by about one-third of respondents,

Figure 5: Comparing the average number of times per year users are required to change passwords against the actual number of times per year they change passwords (by key industry verticals)

Vertical (required frequency of password changes / actual frequency of password changes):
Education: 2.22 / 2.11
Healthcare: 3.55 / 4.00
Retail: 4.00 / 2.86
Government: 4.33 / 4.44
Manufacturing: 4.67 / 4.36
High Technology: 5.07 / 7.62
Professional Services: 7.03 / 4.60
Finance: 7.17 / 7.33


indicating users are, in fact, also key stakeholders in ensuring security in many organizations. Also commonly reported were malware infections, including by viruses, ransomware, keyloggers, spyware, rootkits, and other nefarious tools. An inability to meet regulatory compliance noted by 22% of respondents correlates to 19% of respondents indicating their company's data was compromised, suggesting the latter principally resulted in the former.

Figure 6: Percentage of respondents indicating consequences that occurred in their organization due to a violation of password management policies

Employee termination: 32.0%
Security breach—malware infection: 26.0%
Failure to meet regulatory compliance: 21.5%
Security breach—company data compromised: 18.5%
Unexpected endpoint device failures: 17.0%
Fines: 13.0%
Enterprise server failures/downtime: 12.5%
Loss of revenue: 11.5%
Damage to company reputation: 11.5%
Unexpected remediation costs: 11.5%
Loss of customers: 11.0%
Lawsuits: 5.0%
None—violations occurred, but no consequences: 18.0%
None—no policy violations: 10.0%


While direct impacts to businesses resulting from policy violations—such as fines, lawsuits, loss of revenue, damage to company reputation, and loss of customers—were each proportionally smaller than other consequences, they were collectively reported by one-third of respondents and indicate some very severe impacts. All five of these categories represent a financial loss for the businesses, and any one of them could potentially result in the complete dissolution of a company. Clearly, none of these consequences is acceptable to any business-focused enterprise, yet they continue to be tolerated in order to resist transitioning away from antiquated and unreliable password-based access controls. While a general reluctance to change undoubtedly plays a role in inhibiting organizations from evolving their identity management approaches, there are also understandable concerns preventing the adoption of more security-focused solutions, even in the face of accelerating policy breaches and quantifiable business consequences.

Simplifying the Management of User Access

The manageability of identity management solutions plays an important role in determining their overall value to the business. People often think of high-friction authentication solutions in terms of their impact to end-user productivity, but similar considerations should also be made in respect to the amount of effort administrators must invest to ensure continuous security assurance. According to EMA survey respondents, the deployment of authentication resources ranks as the most difficult and time-consuming identity management task (Figure 9). Deployment processes include the distribution of physical components (such as hardware keys) and/or the installation of software elements on the endpoint (including applications, agents, and/or software keys). One-time password (OTP) solutions were indicated to be the most difficult authentication method to deploy, primarily because they involve direct interactions with end users. Apparently, administrators frequently must perform manual approval steps to compensate for systemic technical issues with OTP attempts. OTP solutions that send temporary credentials over SMS text messages were reported to be the most problematic. This is a significant issue for many organizations because OTPs are the most commonly adopted second factor utilized for 2FA solutions. Ironically, they are frequently chosen because of the perception that they easily integrate with existing password-based controls. However, actual experiences suggest a great deal of disappointment in the efforts required to deploy OTPs.

Figure 7: Percentage of respondents indicating the level of difficulty in performing identity management tasks in their organization

Task (not at all difficult / somewhat difficult / moderately difficult / very difficult / extremely difficult):
Add user accounts: 49.0% / 23.5% / 17.0% / 8.0% / 2.5%
Reset user credentials: 40.7% / 23.6% / 21.6% / 8.5% / 5.5%
Onboard endpoint devices: 19.2% / 35.9% / 30.8% / 11.1% / 3.0%
Configure access policies: 18.5% / 32.5% / 31.0% / 11.5% / 6.5%
Configure permissions policies: 23.1% / 27.1% / 28.6% / 15.1% / 6.0%
Deploy authentication resources: 18.0% / 25.5% / 37.0% / 13.5% / 6.0%


In contrast to the challenges reported with OTP solutions, mobile device authentication solutions were indicated to be the overall easiest identity tools to deploy. This is principally because such solutions typically utilize authentication resources already built into mobile devices. Deployment processes for mobile device authentication solutions typically involve centrally setting up policies on cloud-hosted services and enterprise servers, rather than distributing resources to every supported endpoint. Similarly, biometric authentications collectively ranked as the second-easiest to deploy, because many of them (including facial recognition and thumbprint readers) are already built into end-user devices. However, this is not always the case. Sometimes, peripheral devices and custom software need to be installed to support specific biometric technologies. The suggestion in these results is that mobile device authentication solutions, which leverage biometric technologies, create a "best of both worlds" scenario that enables centralized control and the easy deployment of solutions across supported smartphones and tablets.

Day-to-day management of identity systems can often be exceedingly time-consuming for administrators. Respondents to EMA's survey reported that administrators in their organizations spend, on average, 6.6 hours each week diagnosing and resolving user access problems. The total amount of reported time spent on access problem management was directly proportional to organization size. Large businesses averaged 9.47 hours per week, while medium businesses averaged 5.37 hours per week, and small businesses averaged only 4.21 hours per week. This is a logical correlation because it simply confirms that the more users are supported, the more problems occur. However, viewing average results across industry verticals (Figure 10) reveals much more interesting data. Highly regulated industries (healthcare, finance, and government) spend more time resolving user issues, presumably because they are performing more stringent authentication tasks. For instance, as already noted, these industries indicated stronger controls over password resets than other verticals.

Figure 8: Average number of hours per week administrators spend collectively resolving user access problems, according to survey respondents (segmented by key industry verticals)

Healthcare: 8.19
Finance: 7.94
Government: 7.33
Retail: 7.06
High Technology: 7.00
Manufacturing: 6.68
Professional Services: 5.90
Education: 3.87


A direct correlation was also identified between the frequency in which users perform authentication tasks and the frequency of problems they encounter. Again, this is a logical relationship since users who perform more authentications are statistically more likely to encounter issues. However, the reverse can equally be concluded—reducing the number of times a user needs to authenticate will proportionally reduce the number of support requests that require the attention of administrators. This has impacts to both administrator productivity and related costs.

By applying some basic math, it is possible to divide the reported weekly average number of hours necessary to support users by the number of supported users in the respondent's organization in order to determine the ratio of the frequency of problems to users. Calculations from EMA's survey responses yielded a result indicating that, on average, administrators spend roughly 27 hours each year resolving user access problems for every 100 users. Viewing this another way, that is the equivalent of having to employ one full-time administrator dedicated to solving access problems for every 7500 users. Further, this number only addresses user issues with access technologies and does not include time spent on requirements for deployment, policy management, compliance attainment, and ongoing security assurance. By adopting low-friction authentication solutions that minimize or eliminate user access challenges, organizations can save hundreds of thousands of dollars in support costs and/or will be able to refocus administrators to perform more business-focused process improvements and new service introductions.

Integrations with third-party platforms can be greatly simplified with the adoption of standards, so it is not surprising that the majority of respondents indicated this to be very or critically important to their organization (Figure 12). The Security Assertion Markup Language (SAML) ranked second on the list of most important identity standards, with three-quarters of respondents indicating it to be very or critically important to their organization. SAML provides a common XML-based markup language that simplifies communications between an identity provider and IT services. Rounding out the top three identity standards is one developed and promoted by the Fast Identity Online (FIDO) Alliance. FIDO is a standard specifically designed to enhance security with passwordless approaches to authentication.



Passwordless technologies that support FIDO protocols register the user's device with hosted IT services using a public key. After users are properly authenticated using the passwordless approach, the cryptographic key is unlocked, allowing authorized access to the IT service. The adoption of the FIDO standard is crucial to the successful implementation of passwordless approaches to authentication, especially if they are to be used in conjunction with 2FA or MFA, because it establishes consistent and centralized controls between a wide variety of authentication mechanisms and hosted IT services.
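As an added example, not code from the report or from the FIDO Alliance specifications, the following Go program models the registration and challenge-response flow just described: the service stores only the device's public key, a fresh challenge is signed only after local user verification unlocks the key, and every signature is bound to the relying party identifier and to a single-use challenge. The choice of Ed25519, the relying party name and the user names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty models the hosted IT service. It stores public keys only, so a
// copy of its credential table cannot be replayed against it the way a stolen
// password table can.
type RelyingParty struct {
	id          string                       // identifier every assertion is bound to
	credentials map[string]ed25519.PublicKey // user name -> registered public key
	challenges  map[string]bool              // outstanding challenges, consumed on use
}

// Authenticator models the user's device. The private key never leaves it and
// is usable only after a local gesture (biometric or PIN) has verified the user.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, credentials: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// NewAuthenticator creates a credential scoped to one relying party.
func NewAuthenticator(rpID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv, pub: pub}, nil
}

// Register is the enrolment step: the service learns the device's public key.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.credentials[user] = a.pub
}

// IssueChallenge hands out a fresh random nonce for one login attempt.
func (rp *RelyingParty) IssueChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// signedPayload binds the relying party identifier into the signed bytes so an
// assertion obtained for one service cannot be presented to another.
func signedPayload(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// Sign unlocks the key only when local user verification succeeded and the
// requesting service matches the one the credential was created for.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed: credential stays locked")
	}
	if rpID != a.rpID {
		return nil, errors.New("credential is scoped to a different relying party")
	}
	return ed25519.Sign(a.priv, signedPayload(rpID, challenge)), nil
}

// Verify accepts an assertion only for a challenge it issued and has not yet
// seen, signed under the public key registered for that user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return false // unknown, expired or replayed challenge
	}
	delete(rp.challenges, key)
	pub, ok := rp.credentials[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedPayload(rp.id, challenge), sig)
}

func main() {
	rp := NewRelyingParty("login.example.com")
	dev, err := NewAuthenticator("login.example.com")
	if err != nil {
		panic(err)
	}
	rp.Register("alice", dev)
	ch, _ := rp.IssueChallenge()
	sig, _ := dev.Sign("login.example.com", ch, true)
	fmt.Println("first use:", rp.Verify("alice", ch, sig)) // true
	fmt.Println("replay:   ", rp.Verify("alice", ch, sig)) // false
}
```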

Figure 9: Percentage of respondents indicating the importance of identity standards to their organizations

Standard (not at all important / somewhat important / very important / critically important):
PicketLink Framework: 12.94% / 27.06% / 41.76% / 18.24%
Keycloak Upstream: 13.95% / 25.00% / 41.28% / 19.77%
Extensible Access Control Markup Language (XACML): 8.38% / 27.37% / 41.90% / 22.35%
OAuth: 7.45% / 23.94% / 43.62% / 25.00%
OpenID Connect: 5.91% / 22.58% / 43.01% / 28.49%
Fast Identity Online (FIDO): 7.78% / 23.89% / 35.56% / 32.78%
Security Assertion Markup Language (SAML): 6.49% / 17.30% / 43.24% / 32.97%
Security Token Service (STS): 4.92% / 16.94% / 43.17% / 34.97%


The support for standards in identity management technologies is crucial to the reduction of deployment efforts and ongoing maintenance of the platforms, regardless of the types of authentication in use. Without standards, organizations become reliant on cumbersome scripts and cobbled-together integrations built from APIs and SDKs in order to enable communications between disparate technologies. These custom integrations are not officially supported by any individual vendor and are difficult to maintain (particularly if the administrator who created them leaves the organization). In an age when management complexity is accelerating due to increasing layers of security technologies, standards act as a voice of sanity, ensuring independent hardware and software elements are all speaking the same language. For organizations seeking to achieve the reduced management efforts and operations cost benefits of a passwordless approach to authentication, FIDO and SAML standards are key enablers. Both are critical to easing deployment challenges and enabling fast and effective return on investment.


Meeting Security Requirements

The need to achieve security assurance far and away tops the list of drivers for the adoption of authentication solutions, according to 69% of survey respondents. Concerns about achieving security requirements derive from a fear of the severe consequences that occur following a breach event and the need to meet regulatory compliance commitments. Today, many service-level agreements (SLAs) incorporate security requirements in order to measure operational success based on the ability of the organization to prevent breach events. Unfortunately, the pressure placed on attaining security assurance can sometimes paralyze organizations into resisting positive changes out of fear that they might inadvertently reduce security effectiveness. While many IT and security managers will tout this philosophy along the lines of "if it isn't broken, don't fix it," they are naïvely dismissing the likelihood that their security processes are, in fact, broken. Weak security is most frequently not recognized until an actual breach event occurs.

In regard to identity management, EMA’s survey respondents indicated the perception that their chosen solutions are very secure, but not completely secure (Figure 13). Roughly 92% of respondents indicated they did not believe their currently adopted identity management platform would prevent all security breaches; however, 77% indicated they would prevent the majority of breach events. Interestingly, large businesses displayed a somewhat greater confidence in their chosen solution than smaller businesses. This is likely due to the broader adoption of more advanced identity management technologies (identity risk analysis, adaptive authentication, contextually-aware access, and step-up multifactor authentication) among larger businesses. Biometrics-based authentication technologies were broadly indicated to garner the greatest confidence in security, while software tokens and OTPs provided the least.

Figure 10: Percentage of respondents indicating their confidence in the level of security provided by their adopted identity management solution

My organization's identity management solutions will prevent LITTLE OR NO security breaches: 6.5%
My organization's identity management solutions will prevent SOME security breaches: 16.5%
My organization's identity management solutions will prevent the MAJORITY of security breaches: 37.0%
My organization's identity management solutions will prevent NEARLY ALL security breaches: 32.5%
My organization's identity management solutions will prevent ALL security breaches: 7.5%


While no single factor of authentication is foolproof 100% of the time, biometric approaches offer many unique barriers to would-be attackers. For one thing, most approaches require physical access to authorized end-user devices. Additionally, while it is not impossible to acquire or simulate a user's physical characteristics (e.g., fingerprint, face or retinal scan, voice print, etc.), doing so requires espionage-level investigation of the targeted user, and typical hackers are more likely to move on to easier targets, such as those relying on password controls. Many behavioral biometrics solutions further advance this security value because they typically do not rely on a single user characteristic, so attackers would need to emulate multiple user features simultaneously to gain access. Similarly, multifactor authentication solutions that randomly challenge users with different authentication mechanisms are extremely difficult to breach because attackers can never predict which access controls they will need to defeat at any given time.

Overall, survey respondents generally indicated their recognition that passwordless approaches to authentication are more secure than traditional password controls. In fact, when directly asked, exactly half of survey respondents believed passwordless solutions were somewhat more or far more secure (Figure 15). Small and medium-sized businesses reported a higher level of confidence in the security of passwordless approaches than large businesses.

Figure 11: Percentage of respondents indicating their perceptions of the level of security offered by passwordless approaches to authentication

[Chart: for each authentication method (thumbprint, retinal scan, hardware tokens/security keys, facial recognition, behavioral biometrics, voice print, mobile device authentication, PC device authentication, software tokens, voice one-time password, personal identification numbers, SMS one-time password, email one-time password, username/password), the share of respondents rating it not at all secure, somewhat secure, moderately secure, very secure, or completely secure.]


User Requirements and Experiences

The fundamental purpose of authentication solutions is to responsibly enable access to IT resources so that users may be productive in completing intended tasks. Unfortunately, high-friction approaches to authentication, such as traditional passwords, often sabotage that purpose by inhibiting user productivity. It is important, therefore, to gauge the value of an authentication approach not only by its security merits, but also by its impact to user experiences. However, since user access requirements can vary from use case to use case in any single organization, the most effective authentication methods may differ for each instance. According to survey respondents, biometric-based authentications offer the greatest boost to end-user productivity (Figure 18). This is not surprising, since there is a direct correlation between the level of friction imposed by an authentication solution and the impacts on user productivity. It follows, then, that behavioral biometrics would be most favored, since solutions in this category typically require little or no user interaction. Face, finger, and eye readers may take a moment to scan user attributes, but are rarely regarded as an impediment to user activities. Beyond biometrics, hardware tokens were also ranked high on the list of solutions that improve user productivity because of their low-friction approach.

Figure 12: Average impression of the impact of adopted authentication technologies on end-user productivity in respondents’ organizations (scale: 1 = no increase to user productivity, 2 = somewhat increases user productivity, 3 = greatly increases user productivity)

Username/password: 1.23
Email one-time password: 1.50
Voice print: 1.53
Software tokens: 1.53
Mobile device authentication: 1.53
Personal identification numbers: 1.54
Voice one-time password: 1.57
PC device authentication: 1.62
SMS one-time password: 1.65
Hardware tokens/security keys: 1.73
Retinal scan: 1.86
Thumbprint: 1.90
Facial recognition: 2.04
Behavioral biometrics: 2.20


The one exception to biometric-based authentications providing the most user productivity benefits is with voice print identification solutions, which ranked much lower on the list than other biometric approaches. The implication is that many voice print technologies lack sufficient accuracy, resulting in an excessive number of non-positive identifications that require subsequent authentications. These will most likely occur if there is poor audio quality, such as if the user was speaking in a noisy room or if there was interference over a telephone connection. It is also possible that organizations would indicate somewhat higher friction with voice prints if their solution required the user to recall and speak a known password or PIN, which would be subject to similar challenges faced with typed passwords.


Establishing Low-Friction Access with High Security

The brass ring of identity management is the introduction of authentication services that meet security obligations while enhancing user experiences. Unfortunately, many organizations feel that they must choose one of these two requirements over the other, and most frequently they err to the side of caution by focusing on security. This unbalanced approach often leads to a number of significant challenges that can reduce business effectiveness and ultimately impede security efforts by creating conditions in which users actively subvert security controls in order to meet their job requirements. It is only when identity management solutions achieve requirements for both low-friction user access and security assurance simultaneously that business interests are fully served.

The lack of balance between security and low-friction access in authentication technologies is strongly evident in business perceptions of the barriers to success in their adopted solutions. When asked to identify the greatest authentication-related challenges faced by their organization, respondents to EMA’s survey broadly blamed the supported users (Figure 19). It has become almost an involuntary reaction among security professionals to declare that security issues would all but disappear if only users were smarter (or perhaps less gullible) and that proper training on the topic is the key to success. While offering better education on security practices is always advised, it is naïve to presume that all users will effectively employ all security best practices in all cases. Further, it should not be incumbent on the end users to maintain security for the organization. The user’s job is to perform assigned tasks as quickly and efficiently as possible. Tasks for maintaining enterprise security are relegated to IT and security operations. Authentication solutions most effectively accomplish both when users can operate them intuitively, without having to receive extensive training on the technology’s use or complex lists of enterprise best practices.

Figure 13: Percentage of respondents indicating the greatest challenges to utilizing the authentication solutions currently employed in their organization

No challenges: 0.5%
Does not work with web applications: 6.5%
Unable to meet regulatory compliance: 9.0%
Meeting rapidly-changing business policies: 10.0%
Not integrated with other management tools/processes: 12.0%
Scalability (there are/will be more users to support than are permitted by current solution): 13.5%
Inhibits end-user productivity: 13.5%
Costs exceed available budgets: 15.5%
Educating/training administrators: 16.5%
Management complexity (too many tools/processes): 17.0%
End users are unhappy with the solution: 18.0%
Supporting different types of devices/operating systems: 20.0%
Too many credential reset requests: 21.0%
Insufficient security: 22.5%
Educating/training users: 43.5%


It is no surprise that organizations employing high-friction password and PIN authentication processes were most likely to suggest they need better end-user education than adopters of lower-friction approaches. Interestingly, only 6% of respondents that have adopted identity management technologies that incorporate contextual awareness noted a need for better end-user training. The key value proposition to a contextually-aware solution is that it adapts the authentication requirements to the unique conditions of the access request. For instance, with contextual awareness, it would not be necessary to train employees to initiate extra security processes if they are connecting from a location physically outside the office—these practices would automatically be performed by the solution. This exemplifies the more effective approach of adapting authentication solutions to meet the needs of the users, rather than the other way around.

A more direct method of determining the effectiveness of authentication approaches is to compare how well they meet security requirements against the level of productivity improvement they provide supported users. From EMA’s survey results, a clear pattern emerges that organizes types of authentication technologies into distinct groups (Figure 20). The leading cluster of technologies includes face, finger, eye, and behavioral biometrics, which were indicated to provide the best overall balance between high security and productivity improvements. What empowers success in both categories is the low-friction nature of biometric approaches. By comparison, high-friction traditional password approaches were indicated to offer the least security and little or no improvement to user productivity. All other authentication approaches fall into a cluster in the center, with hardware keys leading the pack as the most effective authentication approach beyond biometrics.

[Figure 14: Comparing average productivity improvement for types of authentication to their perceived level of security. Scatter plot; horizontal axis: Perceived Level of Security (Low to High); vertical axis: Average Productivity Improvement (Low to High); plotted technologies: Behavioral biometrics, Email OTP, Facial recognition, Hardware tokens/security keys, Mobile device authentication, PC device authentication, PINs, Retinal scan, SMS OTP, Software tokens, Thumbprint, Username/password, Voice OTP, Voice print. Individual point positions are not recoverable from the extraction.]


It is important to note that PC and mobile device authentication solutions, which both fall into the central pack, are entirely dependent on the types of solutions they use to pre-authenticate the device. A device authentication platform that leverages biometrics will have a much higher security and user-favorability rating than one that employs traditional passwords. With this in mind, it is not surprising that these technologies appear as a statistical mean average when rating the value of authentication solutions. It is also an indication that when implementing a device authentication solution, it is essential to carefully adopt a platform that supports low-friction user experiences, like those provided from biometrics and hardware tokens. This approach is particularly advantageous for mobile device authentication solutions, since these were determined to be very easy to deploy. By marrying mobile device authentication with low-friction authentication solutions, organizations achieve eminent support for security, user performance, and deployment all in one unified platform.

By adopting low-friction authentication solutions, organizations not only accelerate security and user productivity, but also reduce management efforts and related costs. This can be quantified by correlating the average frequency with which users must authenticate (an indication of the level of friction) against the amount of time administrators spend resolving user problems (an indication of management effort). Plotting the average results from EMA’s survey reveals a clear relationship between the two (Figure 21). While there are some variances attributable to unique organizational requirements among respondents of different sizes and types, the averaged trend line moves decidedly up. In other words, the more authentication tasks users perform, the more problems the organization must address. This is a crucial concept to recognize because it signifies a key step for enabling effective low-friction access—adopting solutions that reduce the number of authentication steps.

[Figure 15: Correlating the frequency of user authentications to the frequency of reported user access problems. Scatter plot with trend line; horizontal axis: Frequency of User Authentications (1 time every 3 months, 1 time every 2 days, 1 time per day, 2 times per day, 3 times per day, 4 times per day, 5 times per day, 10 times per day, more frequently than 20 times per day); vertical axis: Hours/Week Spent Resolving User Problems (0 to 9). Individual plotted values are not recoverable from the extraction.]


Figure 16: Effectiveness of identity management technologies at reducing end-user authentication efforts, according to average responses from solution adopters (scale: 1 = somewhat effective, 2 = moderately effective, 3 = very effective, 4 = extremely effective)

Single Sign-On: 2.68
Password Vaulting: 2.69
Two-Factor Authentication: 2.88
Multifactor Authentication: 2.89
Adaptive or Risk-Based Authentication: 2.97
Identity Risk Analysis: 3.06
Contextually-Aware Access: 3.18

Employing passwordless approaches to authentication, such as biometrics and hardware keys, is an important stepping stone for enabling low-friction access that also ensures high security. However, a solution that dynamically adjusts to changing user requirements and access conditions requires integration with more comprehensive identity management technologies. Respondents to EMA’s survey ordered popular identity management technologies ideally when asked to rate the effectiveness of solutions at reducing end-user authentication efforts (Figure 22). The direct relationship between user efforts and security assurance explains this order, which is also representative of the effectiveness of the various approaches at meeting the security and management requirements essential to the business.

When considering which identity management approaches and solutions will provide the best value to a business, it’s helpful to think of improving authentication effectiveness as a journey, rather than a destination. By introducing technology improvements, organizations can systematically reduce user access friction which will, in turn, improve security effectiveness and reduce management efforts. Based on EMA’s survey, authentication process improvement tasks can be ranked as follows:


• Reduce the number of required authentications – Solutions like SSO and password vaulting can substantially reduce the number of times users are prompted to present credentials. This is particularly advantageous to organizations still reliant on high-friction, password-based controls.

• Ensure all access controls are supported by at least two different authentication factors – User identities are more effectively verified when confirmed by 2FA or MFA platforms. These may be incorporated into SSO and password vaulting solutions to strengthen reauthentication steps or to assist with credential resets.

• Introduce low-friction authentication options – Face, finger, eye, and behavioral biometrics, along with hardware keys, offer the most effective methods for reducing impacts on user productivity and improving overall access experiences.

• Ensure all authentication processes support all accessed resources – Users are most productive if they are able to access all IT applications, data, and services using consistent authentication methods. The use of standards, most notably FIDO and SAML, is instrumental for enabling unified access to on-premises and cloud-hosted resources.

• Adopt a device authentication platform – PC and/or mobile device authentication platforms can leverage low-friction authentication approaches to authorize devices to act as a user’s primary authentication resource, greatly reducing the number of credential challenges. Additionally, device authentications enable the creation of centralized policies that can govern all access processes.

• Introduce advanced identity management technologies – By leveraging intelligent technologies (analytics, cognitive computing, language processing, etc.), identity management platforms can dynamically determine the context of access requests and potential levels of risk in allowing the connection. Based on this information the strength, number, and frequency of authentication factors can be appropriately determined and automatically presented for each access event.

It is important to note that organizations do not need to adopt all of the listed technologies, nor do they need to be implemented in the order presented. However, the ranking above provides an indication of how effective different types of solutions will be at meeting business goals for identity management. Additionally, many of the mentioned technologies work best when operating together through direct integration. A low-friction, multifaceted approach to authentication that is centrally managed will provide the adaptability necessary to ensure identity management investments serve the business, empower users, and meet security expectations in an eminently responsible and pragmatic manner.
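The two passages above that describe how these pieces fit together (contextual awareness adapting the authentication requirement to the conditions of the request, such as a connection from outside the office, and the ranked list of SSO, two distinct factors, low-friction options, device authentication and risk-based step-up) can be illustrated with a small policy engine. The following Python sketch is an added example, not EMA’s code nor that of any vendor named in the report. The factor names, the factor-type mapping, the risk weights, the 8-hour SSO window and the sample requests are all assumptions chosen for illustration; a real deployment would take these from its identity platform’s policy configuration.

```python
"""Illustrative risk-adaptive step-up authentication policy (added example, not EMA's code).

Assumed design: reuse SSO sessions, prefer low-friction factors, let a registered device
act as the primary factor, require two different factor types beyond routine access,
and keep the password as the last resort.  All names, weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Set


class Factor(str, Enum):
    DEVICE = "registered_device"       # PC/mobile device that already pre-authenticated the user
    BIOMETRIC = "biometric"            # face, finger, eye or behavioral biometric
    HARDWARE_KEY = "hardware_key"      # FIDO security key
    SOFTWARE_TOKEN = "software_token"  # authenticator-app one-time code
    PASSWORD = "password"              # high-friction knowledge factor, last resort


# Assumed factor types: "two different factors" means two different types.
CATEGORY = {
    Factor.DEVICE: "possession",
    Factor.BIOMETRIC: "inherence",
    Factor.HARDWARE_KEY: "possession",
    Factor.SOFTWARE_TOKEN: "possession",
    Factor.PASSWORD: "knowledge",
}
# Low-friction options are tried first; the password is deliberately last.
PREFERENCE = [Factor.DEVICE, Factor.BIOMETRIC, Factor.HARDWARE_KEY,
              Factor.SOFTWARE_TOKEN, Factor.PASSWORD]
STRONG = {Factor.BIOMETRIC, Factor.HARDWARE_KEY}
SSO_MAX_AGE_MIN = 480  # assumed: a low-risk request may reuse an SSO session up to 8 hours old


@dataclass(frozen=True)
class AccessContext:
    user: str
    device_registered: bool       # device completed its own biometric/key pre-authentication
    on_corporate_network: bool
    resource_sensitivity: int     # 1 = routine, 2 = confidential, 3 = privileged/critical
    sso_session_age_min: int      # minutes since last full authentication; -1 = no session
    available: FrozenSet[Factor]  # factors the user can present right now


@dataclass
class Decision:
    action: str            # "allow", "step_up" or "deny"
    factors: List[Factor]  # factors the user must present now (empty for allow/deny)
    reason: str


def risk_score(ctx: AccessContext) -> int:
    """Additive risk score with assumed weights; ranges from 1 to 6."""
    score = ctx.resource_sensitivity
    if not ctx.on_corporate_network:
        score += 1
    if not ctx.device_registered:
        score += 2
    return score


def decide(ctx: AccessContext) -> Decision:
    """Pick the fewest, lowest-friction factors that satisfy the risk of this request."""
    score = risk_score(ctx)
    available: Set[Factor] = set(ctx.available)
    if not ctx.device_registered:
        available.discard(Factor.DEVICE)  # an unregistered device cannot vouch for its user

    # 1. SSO: a fresh session satisfies a low-risk request with no prompt at all.
    if score <= 2 and 0 <= ctx.sso_session_age_min <= SSO_MAX_AGE_MIN:
        return Decision("allow", [], f"risk {score}: valid SSO session reused")

    # 2. The number of factors grows with risk; two factors must be of different types.
    needed = 1 if score <= 2 else 2
    chosen: List[Factor] = []
    used_types: Set[str] = set()
    for factor in PREFERENCE:
        if factor is Factor.PASSWORD:
            continue  # only considered in the fallback below
        if factor in available and CATEGORY[factor] not in used_types:
            chosen.append(factor)
            used_types.add(CATEGORY[factor])
            if len(chosen) == needed:
                break

    # 3. High risk (unknown device off the corporate network) also demands a strong factor.
    if score >= 5 and not any(f in STRONG for f in chosen):
        return Decision("deny", [], f"risk {score}: no strong factor available")

    # 4. Password as last resort: used only when low-friction factors cannot make up the count.
    if len(chosen) < needed and Factor.PASSWORD in available and "knowledge" not in used_types:
        chosen.append(Factor.PASSWORD)

    if len(chosen) < needed:
        return Decision("deny", [], f"risk {score}: {needed} factors required, {len(chosen)} available")
    return Decision("step_up", chosen, f"risk {score}: {needed} factor(s) required")


if __name__ == "__main__":
    # Constructed sample requests (not survey data); see the lead-in for the assumptions.
    everything = frozenset({Factor.DEVICE, Factor.BIOMETRIC, Factor.PASSWORD})
    for ctx in (AccessContext("alice", True, True, 1, 30, everything),    # office, fresh SSO session
                AccessContext("alice", True, False, 2, -1, everything),   # same device, off-site
                AccessContext("bob", True, True, 3, 10, frozenset({Factor.DEVICE, Factor.PASSWORD}))):
        print(ctx.user, decide(ctx))
```

Run as a script, the first request is allowed on the existing SSO session, the off-site request is automatically stepped up to the registered device plus a biometric (the user needs no training to trigger it), and the privileged request from a user with no low-friction second factor falls back to the password only because nothing better is available. The centralized policy is what lets the organization change weights and thresholds in one place rather than re-training users.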

[Graphic: Authentication Effectiveness scale, labelled Good, Better, Best.]



EMA Perspective

Based on the evidence offered by survey respondents, it seems clear that traditional password-based approaches to authentication are insecure, difficult to manage, costly to the business, and harmful to user productivity. Yet, password controls continue to dominate as the most common method of access authentication. The most likely reason for this is simply that passwords continue to be the default, as built-in tools offered by system and application solution providers. People have been using passwords for so long they are almost conditioned to expect to see one whenever access to business IT resources is required. In fact, one of the interesting short-term effects of introducing passwordless authentication solutions is that users feel oddly guilty about not having access barriers thrown up in front of them. The feeling is analogous to walking through the front gates of an amusement park without showing your ticket. However, when low-friction authentication options are made available to users, it does not take long for them to adjust to a world in which their productivity is no longer fettered.

Even with a broader awareness of the value and availability of passwordless authentication solutions, it seems unlikely that passwords are anywhere close to extinction. High-friction passwords do have their uses, as long as they are accompanied by strong password management processes. Ideally, though, passwords should be relegated to the position of being the authentication solution of last resort. That is, should all low-friction options in a step-up multifactor authentication fail to positively identify a user, a path can be provided using high-friction passwords to reset credentials. Passwords are also a key component for enabling privileged access to critical systems, but must be stringently monitored and controlled for authorized users.

For the foreseeable future, the goal of identity management should be to minimize dependencies on passwords rather than to eliminate them entirely. SSO and password vaulting solutions are already in general use and have provided an important initial step toward reducing excessive authentication efforts. However, the broader availability of low-friction identity management technologies is providing opportunities for organizations to take authentication processes to the next level. User devices (most notably, smartphones) are more frequently being offered with built-in biometric and other passwordless authentication solutions. Also, the broad adoption of standards (such as FIDO and SAML) is making it possible to unify disparate authentication technologies to support access to resources across the entire enterprise IT ecosystem. There is no longer any reasonable argument as to why low-friction authentication processes should not be the standard approach when access is required, while passwords are relegated to just being presented as a rare exception.

The wonderful irony of passwordless approaches to authentication is that the less interaction users have with access processes, the more secure and reliable those processes are to the business. Recall that training and educating users was most frequently identified as the primary challenge to utilizing currently adopted authentication solutions. This is a clear indication of how much more effective authentication solutions will be when users no longer require training and identity management processes occur without any user interaction at all. Full control over access security then falls into the hands of IT and security operations, where it belongs.



EMA’s research results indicate that a particular opportunity exists for the adoption of mobile device authentication. If platforms are adopted that utilize low-friction access technologies (such as biometrics), organizations will be able to implement a solution that leverages existing resources without incurring substantial deployment efforts or related costs. Once authenticated, the mobile device (most likely a smartphone) becomes the primary user identifier for the vast majority of access transactions. Should a reauthentication be required—for instance, as part of a step-up multifactor authentication process—biometric authentication technologies will require little, if any, effort on the part of the users. Additionally, the management of access policies governing mobile device authentication solutions will be centrally controlled by the organization. Thus, businesses maintain control over access processes without burdening users with high-friction authentication requirements.

Many of today’s organizations struggle with increasing demands to meet security requirements, as well as keep up with pressures from line of business managers to improve user experiences. They often see these as two diametrically opposed forces, and believe it is not possible to enhance one without damaging the other. This perspective is often visualized as an unbridgeable gap between users and business objectives. However, in fact, the gap is just an illusion—it does not actually exist. Improving user experiences by offering low-friction authentication options is the most effective approach to increasing the reliability of access security. Passwordless authentication solutions used in conjunction with identity management technologies (including device authentication, contextual awareness, risk analysis, and step-up multifactor authentication) minimize impacts on user productivity while providing the most effective barriers to unauthorized access.


About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help EMA’s clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter, Facebook or LinkedIn.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2019 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 1995 North 57th Court, Suite 120 Boulder, CO 80301 Phone: +1 303.543.9500 Fax: +1 303.543.7687 www.enterprisemanagement.com