As I was walking through the event floor at RSA last week, I was struck by the number of authentication solution vendors claiming to have found the silver bullet for the replacement of passwords.
So many different product claims ringing through the halls — passwordless, frictionless, zero trust — all pointing toward a world without passwords. I even came across a booth claiming to have “killed the evil password.”
Why so much hype? Well, this year’s RSA theme explains it to a certain degree.
The whole industry is coming together to keep the digital world safe so everyone can get on with making the real world a better place. But as we do this, it is important to keep in mind: 1) there is no silver bullet; and 2) one-size-fits-all security solutions don’t exist in today’s complex digital world.
No Silver Bullet
This may date me a bit, but I learned these valuable lessons 15 years ago, while at ActivIdentity. I was managing an enterprise security project for a large railway company. We had the silver bullet of the time: the common access smart card (CAC) solution that emulated the US DoD CAC card. This card was meant to replace a mix of RSA tokens and passwords in addition to a building access badge. An exciting innovation for the early 2000s!
Early phases of the roll-out went well. My team conducted a successful pilot, including a large number of PKI applications and the use of a mainframe backend for authentication. This said — despite great successes — it wasn’t long before unexpected use cases began popping up. Things like:
• the unique security requirements of manufacturing floors; and
• workers connecting remotely from home on their personal computers.
After 18 months of trying to make every single use case conform to our single silver bullet approach, we failed and the project was scrapped in its entirety.
The reality is most organizations — even medium- and small-sized businesses — are composed of a mix of user populations requiring a variety of authentication methods. No one form factor can fit all users, personas, and contexts.
For instance, having employees use a smartphone for authentication will work for a large population, but not all. Not every organization can provide every employee with a corporate smartphone and some employees don’t want a corporate app loaded to their personal phone. Further complicating matters, in some manufacturing and highly restricted areas, phones aren’t even allowed. And overall, the security of smartphones is still a work in progress.
So what does security look like for most organizations today? My company, Axiad IDS, provides a great example. Internally we use Yubico’s YubiKey and our Axiad ID Wallet App on a smartphone. Depending on the user population, an employee may have the choice of using one, or both, of these authentication methods. By providing employees with an option, we were able to secure 100 percent buy-in across the organization while maintaining the right level of security. Of course, our user environment is an order of magnitude simpler than that of our Fortune 1000 customers. The more complex the environment, the more options and flexibility required to ensure maximum security.
Biggest Takeaway from RSA
I think we all agree a passwordless future is the goal. As you explore the many security options available today — especially in the area of authentication — make sure you partner with an expert who will take a thorough inventory of your organization’s user population. If they tell you they’ve got a solution that can cover the entire enterprise, you might want to get a second opinion. There are a lot of amazing security options but no silver bullet.
Find a trusted partner who understands the unique demands of today’s digital world in an era where cyberthreats pop up weekly, if not daily. Enterprises need to take a holistic approach to managing who has access to their critical resources and will be best served by a single supplier of integrated security solutions.
Jerome Becquart is the Chief Operating Officer at Axiad IDS. Axiad IDS provides trusted identity and access solutions that give customers the ability to safely interact online, the freedom to access information from anywhere, and the confidence to fully benefit from today’s digital world.
To consult with an Axiad IDS security expert, feel free to reach out to me at email@example.com.