In May 2023, Wavestone joined hundreds of leading Identity and Access Management (IAM) practitioners and vendors in Las Vegas, Nevada for Identiverse 2023. Among the key trending topics in the identity space, 3 topics stood out as potentially the most influential over the coming years: Passwordless Authentication, the Impact of AI on Identity, and Decentralized Identity (Verifiable Credentials).
Passwordless Authentication & Passkeys
Passwordless authentication as a concept has gained traction over the past few years, and with advancements in industry standards and alliances (7 years of expert input into FIDO’s specifications according to Andrew Shikiar), as well as more user-friendly passwordless solutions becoming available (from the likes of Google, Apple and Microsoft), organizations have started to adopt passwordless as a preferred option for authentication. In fact, in their presentation, “Bringing Verified Identity and Passwordless to the Masses,” Mike Engle and Kevin Shanley pointed to a Gartner estimate that “by 2025, more than 50% of the workforce and more than 20% of customer authentication transactions will be passwordless.”
In this article, we will discuss what passwordless authentication is, why organizations are considering implementing passwordless, important considerations to take as you explore passwordless, and challenges you may face on your journey.
What is Passwordless?
As the name indicates, passwordless is a method of authentication that allows a user to access a system without entering a password (knowledge-based secret). Secure forms of passwordless inherently involve using two factors of authentication (usually something you have, such as a phone or hardware token, and something you are, such as a biometric).
Historically, solutions could only augment passwords rather than fully replace them, because single-device FIDO credentials could not be backed up and were therefore “locked” to the device on which they were created. Multi-device FIDO passkeys are a recent addition to the FIDO specification: they allow users to go “fully passwordless” by backing up credential secrets to a cloud service provider, so the same passkey can be used across multiple devices and platforms. This has driven the increased adoption of passwordless.
“Improved security” and “ease of use” are two of the main driving forces behind passwordless.
Going passwordless is not as easy as simply upgrading a system or platform. There are several points to take into consideration to avoid pitfalls, ranging from compliance needs to change management:
It’s important that enterprises choose the passwordless solution most appropriate for their organization. For example, in order to comply with regulatory requirements it may not be feasible, or may not make sense, to rely on third-party providers such as Google or Microsoft to back up an organization’s keys.
In his presentation, “Leveraging Multi-Device Passkeys in Regulated Markets,” Rolf Lindemann (Nok Nok) described two further challenges for regulated entities: they are often “responsible for handling device additions” and “need to enforce security when adding new devices.” To meet these requirements, Rolf recommends ensuring new devices are verified and requiring that new devices are “handled by the passkey provider, not the relying party.”
Upskilling and resources to support deployment
IT staff will need to be trained to support the passwordless implementation and to assist users with the transition.
Inform and prioritize requirements
When considering passwordless, organizations should clearly define the scope of the implementation (customer authentication, internal authentication) and their specific requirements (roaming or platform authenticator, choice of authenticator, certification levels, compatibility with identity providers, verification methods).
Legacy apps and technical debt
Some legacy applications and systems may not support passwordless. Organizations need to carefully weigh the risks and benefits of moving to passwordless as they continue to support these applications and systems.
It’s a journey, not a sprint
An organization’s ability to successfully deploy passwordless will vary depending on their identity and access maturity. Implementing SSO across applications/systems and deploying basic multi-factor authentication are two examples of basic first steps.
When ready to implement passwordless, organizations should use a phased approach: first centralize authentication, then reduce reliance on passwords, and finally remove passwords entirely.
Balancing user experience and security requirements
Passwordless deployments should seek a balance between a good user experience and security. User experience should be simple and consistent, while retaining the high security requirements that are standard with passwordless. For example, organizations should ensure that two factors are achieved in all instances and follow industry standards such as FIDO2 when implementing passwordless.
End users have been logging in with passwords for decades, and for some of them (especially those who are not technology-savvy) it will take considerable effort to explain what passkeys are and how to use them. Some users may also not be ready for passkeys for a variety of reasons: for example, they may not have the required technology, or they might find passkeys too complex.
When implementing passwordless, organizations must consider all user populations and ensure appropriate training and documentation are available. FIDO has published UX guidelines that can also help make the passkey experience consistent and accessible to all users, regardless of device or whether they use a screen reader.
Account recovery and enrolment
Internal operating procedures need to be adjusted and communicated to support both end users and help desk staff when it comes to enrolling in passwordless and recovering accounts.
The past 6 months alone have seen tremendous advancements in AI and machine learning. In this article, we will look at how experts expect AI to impact the identity space, both in terms of potential risks and benefits, and we will discuss the growing interest in decentralized identity.
Increased Risk of Identity-Based Attacks
Organizations have improved their ability to prevent identity-based attacks over the past several years by implementing controls such as MFA and cybersecurity awareness programs. However, with advances in AI-based tools and machine learning models, social engineering attacks now pose an even greater risk to businesses, because the cues we have traditionally relied on to verify someone’s identity can no longer be trusted.
AI tools have been shown to be able to imitate human voices with a striking level of clarity and accuracy. Over the coming years, tools will become more capable of faking life-like video as well. Threat actors will take advantage of these advancements to conduct increasingly complex vishing campaigns. Organizations must continue to remain vigilant to these types of threats.
Like vishing, phishing (the typical email-based social engineering attack) will also be affected by AI and machine learning tools. People are often taught that one way to recognize a potential phishing attempt is to look for spelling or grammatical errors in an email. However, threat actors can now use AI to easily create targeted messages with few or no errors that would stand out. Organizations should consider using passwordless authentication and passkeys, as they are resistant to phishing.
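Why passkeys resist phishing comes down to origin binding: the browser records the page origin in the client data, the authenticator derives the rpIdHash from the relying party’s domain, and both are covered by the signature. The following is an added example (not code from the original post or from Wavestone) that simulates the relying party’s binding checks on an assertion, with a hypothetical relying party `login.example.com`; the signature verification step itself is omitted and only the challenge, origin and rpIdHash checks are shown.

```python
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"             # hypothetical relying party id
RP_ORIGIN = "https://login.example.com"  # the only origin this RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_client_data(challenge: bytes, origin: str) -> bytes:
    # Simplified clientDataJSON as the browser serialises it; the origin is
    # filled in by the browser, so a look-alike site cannot forge the real one.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4)
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))


def verify_binding(client_data_json: bytes, auth_data: bytes,
                   expected_challenge: bytes) -> str:
    """Relying-party checks that must pass before the signature is even examined."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return "challenge mismatch"      # replayed or foreign challenge
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"         # assertion was produced on another site
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash mismatch"       # credential scoped to a different RP
    if not auth_data[32] & 0x01:
        return "user not present"        # UP flag must be set
    return "ok"


def demo() -> tuple:
    challenge = secrets.token_bytes(32)
    legit = verify_binding(build_client_data(challenge, RP_ORIGIN), build_auth_data(RP_ID), challenge)
    # Constructed look-alike origin: the browser would stamp this, not the real one.
    phished = verify_binding(build_client_data(challenge, "https://login-example.com"),
                             build_auth_data(RP_ID), challenge)
    return legit, phished
```

In practice a look-alike site never even receives a usable assertion, because the browser refuses to exercise a credential whose rpId does not match the page origin; the checks above are the relying party’s backstop.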
Improving IAM Governance & Operations with AI
Although the market for AI-based security tools is relatively new, organizations can expect platforms to support the use cases below in the coming years.
Detection of identity-based attacks
With cyber-attacks, every moment counts. AI can help detect the identity-based attacks described below faster than existing detection tools alone, helping security teams to more effectively contain incidents:
Recognize brute-force attacks by detecting behavior anomalies
Typically, brute-force attacks are detected by identifying multiple failed login attempts or sudden spikes in network traffic. Intrusion detection systems (IDS) are also used to look out for known attack patterns and alert security teams when a potential incident is found.
Malicious activity sometimes goes unnoticed due to weak signals and noise in security logs. AI can supplement existing systems to detect anomalies in user behavior in real time and apply risk-based controls as needed.
Recognize password spray attacks via pattern recognition
Similar to brute force attacks, AI can supplement existing threat detection systems and detect password spray attacks by recognizing suspicious behavior.
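The distinction between the two attack patterns above is what a detection rule has to capture: brute force piles failures onto one account, while a spray spreads one or two guesses across many accounts from a single source and never trips a per-account lockout. The following is an added example (not code from the original post or from Wavestone) that runs both checks over constructed sample log lines in an assumed `result=… user=… src=…` format.

```python
import re
from collections import defaultdict

# Constructed sample authentication events (not from any real system).
SAMPLE_LOG = """\
2023-06-01T09:00:01Z result=FAIL user=alice src=198.51.100.9
2023-06-01T09:00:02Z result=FAIL user=alice src=198.51.100.9
2023-06-01T09:00:03Z result=FAIL user=alice src=198.51.100.9
2023-06-01T09:00:04Z result=FAIL user=alice src=198.51.100.9
2023-06-01T09:00:05Z result=FAIL user=alice src=198.51.100.9
2023-06-01T09:01:00Z result=FAIL user=bob src=203.0.113.7
2023-06-01T09:01:01Z result=FAIL user=carol src=203.0.113.7
2023-06-01T09:01:02Z result=FAIL user=dave src=203.0.113.7
2023-06-01T09:01:03Z result=FAIL user=erin src=203.0.113.7
2023-06-01T09:01:04Z result=FAIL user=frank src=203.0.113.7
2023-06-01T09:02:00Z result=FAIL user=grace src=192.0.2.5
2023-06-01T09:02:30Z result=OK user=grace src=192.0.2.5
"""

LINE_RE = re.compile(r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_events(text: str) -> list:
    """Return one dict (result/user/src) per well-formed line; skip the rest."""
    return [m.groupdict() for m in (LINE_RE.search(ln) for ln in text.splitlines()) if m]


def classify(events: list, bf_threshold: int = 5,
             spray_min_users: int = 5, spray_max_per_user: int = 2) -> dict:
    """Brute force: >= bf_threshold failures on one account.
    Spray: one source failing against many accounts with few attempts each,
    which a per-account lockout counter alone never reaches."""
    fails_per_user = defaultdict(int)
    users_per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] != "FAIL":
            continue                      # successes are noise for these rules
        fails_per_user[e["user"]] += 1
        users_per_src[e["src"]][e["user"]] += 1
    brute_force = sorted(u for u, n in fails_per_user.items() if n >= bf_threshold)
    spray = sorted(src for src, users in users_per_src.items()
                   if len(users) >= spray_min_users
                   and max(users.values()) <= spray_max_per_user)
    return {"brute_force_users": brute_force, "spray_sources": spray}


def run() -> dict:
    return classify(parse_events(SAMPLE_LOG))
```

On the sample, a per-account rule flags only alice; the spray source is caught only because the second rule keys on the source address rather than the account.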
Efficiently provision and deprovision identities
AI can help with provisioning and deprovisioning identities. For instance, when a user joins a specific team, AI can help managers and IT teams recognize which applications an individual in that role should be provisioned to. Similarly, when a user leaves the organization or changes roles, the applications in which that user may hold an identity can be identified and the necessary actions initiated. Historically, this has been difficult in large organizations that may have used inconsistent identity naming conventions over the years, or different naming conventions across different systems.
Assist with access approvals
AI will help management when it comes to reviewing new requests for access by allowing them to make more informed decisions. Do others in the same role have existing access? Would this access pose any segregation of duties concerns? These are both questions that AI-based tools can help answer.
Make better entitlement review decisions
Similarly, AI can assist when it comes to making more informed entitlement review decisions. For some individuals, entitlement reviews have become a “check the box” exercise where they do not always have the right level of information to make a well-informed choice. AI can help management understand whether or not users are actively using the access provisioned to them and if the access is still relevant to their role/job function.
Although AI tools may be tempting because of the benefits above, organizations should clearly define policies around AI use to protect their intellectual property. In addition, any AI tool used should be carefully risk assessed.
Historically, identities have been centralized, meaning that each is completely managed by a single authority (the organization or service that issued it). Because each identity is controlled by a different authority, individuals have limited ownership over their own data. With this approach, identifying information (the data used to prove you are who you say you are) needs to be separately verified by each identity provider.
Decentralized Identity (DID) on the other hand, does not rely on a single authority. Instead, users can manage their identities using a distributed approach. This allows individuals to gain a greater amount of control over their data, while also avoiding the need to separately verify themselves across multiple platforms and systems.
What are the use cases of Decentralized Identity for organizations?
One of the most appealing use cases of Decentralized Identity is the ability for organizations to verify information about employees and contractors without having to do the verification themselves. This not only improves processing times when it comes to hiring and verification of credentials but makes organizations less of a target for cyber-attacks since – in most cases – the organization would not have to host sensitive data themselves.
Another related use case for Decentralized Identity is the ability to transition from physical credentials to digital credentials. This is especially relevant for organizations where a large portion of their workforce does not have access to laptops and desktops, and where credentials are stored on paper. For example, companies can streamline the process to verify an employee has a specific training course completed, and keep track of when credentials need to be renewed. The employee would continue to own that data when they leave or re-join the organization.
Looking ahead to the future, we can expect Decentralized Identity to become more commonplace as the Decentralized Identity Foundation (DIF) and W3C Credentials Community Group work to develop DID implementation standards.
Identiverse’s commitment to high-quality talks and content allowed industry experts to share their hands-on experience implementing the latest trends, such as passwordless and decentralized identity, in their organizations. We were able to discuss what worked, what didn’t work, and why. Participants also looked ahead by discussing what organizations should look forward to and what they should be aware of (the increasing use of AI and its impacts).
Do you have any thoughts on these IAM trends? Are you interested in learning more about how topics such as passwordless and AI may impact your organization? Feel free to reach out to one of our IAM experts.