Overcoming the Challenges of Adding Passwordless to Legacy Apps

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Steve Lay of Strata Identity bridges the gap between legacy apps and modern protocols for a true passwordless authentication experience.

Passwords have been a fact of life for 60 years now, ever since MIT came up with the idea of letting multiple people share a computer by verifying a user’s identity first. But as the password nears retirement age, organizations are struggling to make passwordless authentication a reality.

Eliminating passwords is being driven by the need to reduce friction, but more importantly, to implement stronger security controls such as biometrics like fingerprints, facial recognition, and passkeys that are linked to a user’s device. However, one of the challenges standing in the way of the migration away from passwords is supporting these new authentication methods on both legacy and modern platforms. In fact, almost half the IT decision-makers in a recent poll said their organizations have yet to adopt passwordless authentication because their applications are not designed to support it.

Passwordless: Overcoming the Challenges of Legacy Apps

Legacy Apps; Modern Protocols

So why can’t legacy apps support passwordless authentication? The short answer is: Because they cannot understand modern authentication protocols. Most legacy apps were created before OpenID Connect (OIDC) and Fast Identity Online (FIDO), standards that are required to integrate with passwordless technology directly.

These protocols are vital for passwordless systems in two ways. First, they mediate the exchange of information between identity systems and the passwordless authentication provider. Second, they are required to manage the user experience, in this case prompting the user to scan their face or thumbprint, or another factor used to replace those combinations of pet’s names and kids’ birthdays that have proved less effective as authentication.

When legacy apps can’t integrate with these protocols, enabling a passwordless user experience requires development work to modify the code of each application so that it can integrate with the identity system and/or the passwordless provider’s system.

This leaves enterprises with the following choices:

• Do nothing and accept the risk (we’re all familiar with the Verizon annual survey’s dismal news on credential theft and abuse).
• Rely on an identity provider’s passwordless authentication, which layers multifactor authentication (MFA) over legacy apps. This is not an ideal choice because MFA is not truly passwordless—it still requires a password upfront.

For example, if an organization uses a cloud identity provider, the legacy application hands off the login to the Cloud IDP, which uses OIDC to authenticate the user and call back to the app. However, that first handoff to the authentication provider still requires a traditional username and password, which is not true passwordless authentication. The other alternative is to use providers that require deep integration at the Active Directory domain controller.

Abstraction is the Key to Passwordless Adoption

Any application that’s a candidate for passwordless authentication is so for a reason: it performs a sensitive function worthy of protection. Access is usually controlled by some legacy web access management platform, not left open to all comers. So how do we overcome the challenge of adding passwordless access to these apps?

The most useful practice is to separate identity authentication from the individual applications and logins by creating an enforcement layer that decouples identity validation and access policy enforcement. This can be accomplished using an abstraction layer (i.e., identity orchestration) that can translate modern identity protocols and operate with on-premises or cloud-based apps.

The key concept in this architecture is that by decoupling applications from the passwordless provider, the app itself never has to be integrated with anything other than that abstraction layer— not even the passwordless provider itself. This also enables administrators to manage access policies within that abstraction layer. The application doesn’t know the difference, and neither do end-users.

One huge benefit of this approach is that developers never have to touch a line of code in the application. The work to integrate with the application itself becomes very lightweight and typically will only require discovery. This architecture essentially creates a walled garden around the application with only one gate. It is straightforward to configure and enforce—and results in a true passwordless experience for legacy apps.

Final Thoughts

Consider this example: An organization running on-premises applications that use Microsoft Active Directory that wants to transition to cloud-based Azure for identity management and passwordless access. Using an orchestration layer to decouple both identity and passwordless systems from the applications, simple configuration changes in the orchestrator can enforce new user flows and access policies across every single application without modifying any code in the applications themselves.

The use of identity orchestration makes it possible to completely avoid the kind of development work that turns passwordless authentication into a time-consuming, costly effort, and is blocking its adoption at so many organizations. It can bridge the gap between modern identity protocols, legacy applications, and the passwordless future.