As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—John Callahan, the Chief Technology Officer with Veridium, shares some expert insights on authentication journeys and their importance to digital transformation initiatives.
Digital transformation initiatives, particularly those supporting work-from-home or remote transactions, have accelerated sharply, giving more meaning to the cybersecurity maxim: identity is the new perimeter. This growth was fueled by the 2020 pandemic and high-profile cyber events like SolarWinds, which served as a potent reminder that sixty-three percent of all data breaches exploit weak credentials. Incidents such as SolarWinds, in particular, underscore the crucial importance of Identity and Access Management (IAM) systems.
In parallel, the pandemic brought new focus to specific digital transformation requirements, including:
- Bring-Your-Own-Device (BYOD): Employees (new and existing), contractors, and freelancers require flexibility regarding the types of devices used and their capabilities to ensure proper identity verification, authentication, and credential storage.
- Passwordless Authentication: Modern devices can securely store credentials that can be used for proof of possession by an individual, eliminating all passwords. This provides a productivity boost and reduces cybersecurity risks.
- Biometrics: To facilitate easy and friction-free identity binding to device-based credentials, biometrics can be combined with proof-of-possession for remote identity verification, passwordless authentication, and account recovery.
- Software-Defined Perimeters: In addition to or instead of virtual private networks (VPNs), multiple authentication flows can be combined to secure authorized access to specific resources within a perimeter. This ensures that employees working from home aren’t inadvertently allowing unintended, unapproved access to others on their shared home network, which is an essential consideration in preventing data breaches, even in cases of VPN compromise.
These new challenges can make digital transformation an uphill climb for many organizations and add to the burden on CISOs and IT managers who are already under pressure to maintain their status quo, password-centric IAM systems.
Rethinking Authentication: A Continuous Process, Not a Logon Event
Whenever requirements evolve and expand, the tools and best practices needed to meet those mandates typically must also evolve. This is where the concept of “authentication journeys” comes in. Authentication journeys combine both authentication (authn) and authorization (authz) into processes defined at the user experience (UX) level, rather than through low-level auth protocols like OAuth, OpenID Connect (OIDC), and Security Assertion Markup Language (SAML). Authentication journeys help organizations move beyond the limitations and complexities of existing AD and LDAP-based approaches while providing the user with a better and more secure experience.
Think of authentication journeys as workflows made up of multiple authentication steps and authorization processes available within the enterprise. Such measures include multi-factor authentication (MFA), biometrics, geolocation, PIN, credential checks, and even traditional methods (e.g., username & password). “Step-ups” or series of challenges are served to those users whose requests fall outside their routines or the enterprise’s norms.
Most IAM systems are never entirely replaced, but rather, are augmented with newer identity assurance technologies and processes. In this way, user assurances become more immediately reliable without introducing friction that might delay or discourage an authentic user.
Migration to Authentication Journeys: Processes and Paybacks
As enterprises adopt authentication journeys, they essentially define complete lifecycle processes that include onboarding, offboarding, and internal steps like Active Directory conditional access checks. IT departments can start by defining minimal journeys for all users and specific roles, then let users choose their own devices and MFA options via a self-service portal, which is more convenient for users and raises adoption rates.
Frictionless and trusted user and customer identities can have immediate line-of-business benefits that directly drive or support an organization’s most strategic goals. Prominent industry analysts are examining how usability affects revenues and the ROI of customer experience (CX) transformation. The migration also benefits the organization in other, more subtle ways, such as:
Keeping up with global compliance & auditing regulations
KYC/AML (Know Your Customer / Anti Money Laundering) laws vary globally and continue to evolve. Because authentication journeys can be dynamic, they help enable and demonstrate continuous compliance. For example, onboarding processes can be assessed at various identity assurance levels (IALs), and resulting credentials can be tied to authentication processes to directly link both the IALs and authenticator assurance levels (AALs). With logging as part of the journey (as an internal step), end-to-end auditing can connect both onboarding and authentication processes.
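The two ideas above, a journey as an ordered set of challenges with a step-up when a request falls outside the user's routine, and logging as an internal step so that each decision records both the onboarding IAL and the AAL actually achieved, can be sketched in a small policy engine. This is an added illustration, not Veridium's product or code: the profiles, resource policy, step names and the simplified AAL mapping are all constructed assumptions, and each challenge is represented by whether the request's `proofs` set contains it.

```python
from collections import namedtuple
# Constructed user profiles and resource policy (assumptions; a real deployment
# would load these from the IAM directory and the journey definitions).
PROFILES = {"alice": {"devices": {"laptop-1"}, "country": "US", "ial": 2},
            "bob": {"devices": {"laptop-2"}, "country": "US", "ial": 1}}
RESOURCE_POLICY = {"wiki": {"min_ial": 1, "min_aal": 1},
                   "payroll": {"min_ial": 2, "min_aal": 2}}

# A step proves one factor type: "knowledge", "possession" or "inherence".
Step = namedtuple("Step", "name factor hardware_bound", defaults=(False,))
BASE_JOURNEY = [Step("password", "knowledge")]
STEP_UP = [Step("fido_key", "possession", True), Step("face_match", "inherence")]

def aal_for(passed):
    """Simplified AAL mapping (assumption, not NIST's wording): one factor type
    gives AAL1, two or more AAL2, and AAL3 when one of them is hardware-bound."""
    factors = {s.factor for s in passed}
    if len(factors) >= 2 and any(s.hardware_bound for s in passed):
        return 3
    return min(len(factors), 2)

def step_up_reason(profile, req, policy):
    """Why the request falls outside the routine, or None if it does not."""
    if req["device"] not in profile["devices"]:
        return "unknown device"
    if req["country"] != profile["country"]:
        return "unusual location"
    if aal_for(BASE_JOURNEY) < policy["min_aal"]:
        return "resource needs higher AAL"
    return None

def run_journey(user, req, audit):
    """Run one request through the journey (req["proofs"] = challenges the user
    satisfied), append one audit record linking IAL, AAL and the steps taken."""
    profile, policy = PROFILES[user], RESOURCE_POLICY[req["resource"]]
    reason = step_up_reason(profile, req, policy)
    steps = BASE_JOURNEY + (STEP_UP if reason else [])
    passed = []
    for step in steps:
        if step.name not in req["proofs"]:
            break                       # challenge failed: the journey stops here
        passed.append(step)
    aal = aal_for(passed)
    allowed = (len(passed) == len(steps) and profile["ial"] >= policy["min_ial"]
               and aal >= policy["min_aal"])
    audit.append({"user": user, "resource": req["resource"], "step_up": reason,
                  "steps": [s.name for s in passed], "ial": profile["ial"],
                  "aal": aal, "decision": "allow" if allowed else "deny"})
    return audit[-1]["decision"], aal
```

Because the audit record carries the onboarding IAL next to the AAL reached on this request, an auditor can trace a single access decision back to both the identity-proofing and the authentication evidence.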
Reducing costs & complexity
Powerful, effective, yet burdensome authentication (authn) and authorization (authz) technologies are already available in the market, but most are complex to manage from a system-level perspective. The security context is lost when sessions, roles, tokens, and other protocol-specific mechanisms are handled at a low level of process programming. By managing journeys as high-level definitions of authn and authz processes, CISOs can elevate the management of risks related to unintended access to associated resources above the machine-level programming of OIDC and JSON Web Tokens (JWTs) used to implement such processes.
Improved vulnerability management
Detailed auditing, vulnerability analysis, threat modeling, and accessibility enablement improve security and reduce help desk password-reset costs. As elsewhere in cybersecurity, IAM vulnerabilities should be managed, shared, and fixed at the journey level, not at the level of a specific protocol that incorrectly implements a security policy.
Easier onboarding and authorization
New verifiable credentials permit on-demand provisioning for new employees, contractors, and temporary freelancers who can present such trusted credentials upon signup. The last two years’ events have underscored how important this can be, compared with requiring out-of-band, a priori enrollment in AD/LDAP data stores. Such credentials, which carry expirations and explicit privileges, can also encapsulate the capabilities used in authorization flows.
FIDO authentication allows the storage of encrypted credentials across many devices and modalities, including security keys, biometrics, mobile phones, tablets, laptops, and desktops with a password. FIDO allows developers to focus on high-level journeys in the IAM perimeter while providing device and security policy options.
Privacy, accessibility, inclusion, and diversity
Migrating to authentication journeys can enable the organization to offer each user choices about their devices, preferred biometric modalities, and credentials for access to specific resources within their enterprises. This flexibility further strengthens the individual’s trusted identity and enables new paths that help protect user privacy, encourage accessibility, and promote inclusion and diversity.
Authentication journeys let users choose authentication methods that comply with governance, risk, and compliance (GRC) requirements, and give managers a more straightforward path with defined choices and lower operational burdens. The IAM landscape may seem to be getting more complex, but that’s mainly due to assimilating some of the newer concepts.
It’s time to move beyond old methods tied strictly to AD and LDAP directories with groups and their associated roles and recognize that we are moving to a broader IAM-delivered future. These systems will continue to exist in many enterprises and will take on new life as a component of the many journeys available to users within the new IAM landscape.