Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. We hosted this Session featuring a group of CXOs and other IT executives. The group met remotely to discuss moving beyond the username and password, led by the CISO for a group of international universities. This Session was sponsored by Okta.
An estimated 300 billion passwords are in use today. 99.9% of compromised accounts don’t have any sort of multi-factor authentication configured. We are at the point where passwords are not only insecure but also inconvenient. The average person has to remember over 38 passwords, not to mention the pain of resetting them every fortnight. Moving beyond username-and-password authentication has become a need of the hour.
Most participants agreed that passwords would eventually be replaced by more secure and more convenient authentication methods. One mentioned that they are already implementing Microsoft Hello in their organization; another talked about exploring attribute-based authentication.
An executive explained that one main trigger for them to go passwordless was the periodic need to reset passwords. Enforcing a password reset policy within an organization may not be a big problem, even with thousands of employees. But doing so for a customer base of over 750,000 people is not easy. Another trigger was the pandemic. Since people were no longer on-premises, they needed more than just passwords to verify their identities before being granted access to internal networks. This is why it’s crucial to shift towards a zero-trust model and invest in a modern identity management solution.
If you have a global customer base, it becomes challenging to enable MFA (multi-factor authentication). Different countries have different data protection regulations. The Brazilian laws are not the same as those in Mexico. What’s deemed suitable in Peru isn’t considered acceptable in Norway. This often leads to small, distributed authentication solutions instead of one unified system, which would be much easier to manage.
An attendee said that to enable MFA for their customers in Chile, they have to buy and issue phones to all of them. The customers can only receive the secure MFA codes on these company-provided phones. They added that some compliance and regulatory frameworks like PCI and NIST still require the use of passwords. The terminology may have changed from “passwords” to “passphrases” to “general authentication,” but clauses still exist that require safe use and management of passwords.
Another problem associated with MFA implementations is the friction it usually adds to the customer login experience. People typically want to get on with their jobs and activities as soon as possible. A multi-step authentication process can be a detriment to that.
A speaker said that starting small when incorporating paradigm shifts like going passwordless is the way to go. They have been rolling out small pilot projects, which have been well received by people within their IT group. Slowly but surely, they are planning to go organization-wide. Furthermore, post-pandemic is a great time to change working models, as people have become more receptive to change.
Two other participants mentioned that they are implementing a passwordless authentication mechanism for their cloud applications. However, people still need to use passwords for their legacy applications, and going passwordless for those will be a much more significant challenge. One security exec suggested the use of access gateways to bridge cloud authentication into legacy systems.