Best Practices for Streamlining Credential Management

Overview - Less Method, More System

This analysis challenges conventional approaches to security-focused authentication strategies. While technology-centric security discussions provide valuable insights, I believe the key to improved authentication today and Zero Trust authentication tomorrow is less about method and more about system. Industry research consistently demonstrates that the best security fails when end users can’t tolerate it, and IT doesn’t have the cycles to make it work.

Why Credential Management (including Authenticator) is Critical

Authenticator and credential management create significant impacts on the end user and IT. Here are several major and documented impacts:

  • An oft-quoted Gartner statistic is that around 40% of a help desk’s time is spent just resetting passwords.
  • The impact on the end user, however, is profoundly greater. Research performed by Yubico indicates that end users spend over 12 minutes per week just finding and resetting passwords – with a total cost per organization of over $5.2 million per year.[1]
  • Research performed by Censuswide reveals that consumers are on average spending 12 full days of their lives searching for and resetting usernames and passwords.[2]

Adding strong authenticators such as USB keys or smart cards to the mix could add even more burden to the already-overworked help desk and, just as importantly, to the end users. So, authenticator and credential management are not only critical but are a key barrier to improved security. In fact, when Microsoft launched their Certificate-Based Authentication infrastructure for Azure AD, they confirmed that creation and management of the certificates was “out of scope”.[3] In conclusion, the industry arguably has reached a tipping point where credential management is required to enable the next round of innovations.

Best Practices for Credential (and Authenticator) Management

The following best practices reflect proven approaches developed through extensive security implementation experience, in combination with Axiad Conductor's capabilities.

Actionable Visibility

Traditional visibility approaches in security often provide limited operational value, particularly with tens to hundreds of thousands of end users and administrators. While it is better than nothing, being able to view only a single data point at a time does not markedly help IT teams. Instead, the term “actionable visibility” is better, since it implies that the visibility guides the right actions. In the case of authentication, a view that reveals the authentication method used by each group of end users across platforms is critical. Axiad customer implementations consistently reveal significantly higher numbers of userid/password (non-MFA) credentials than initially anticipated. Actions can then be taken to minimize the security exposure surface. These actions include:

  • Making the authentication more rigorous for executives and key groups such as finance
  • Creating consistent authentication policies within each group
  • Balancing authentication options with training and monitoring needs

All these actions are outcomes of actionable visibility.
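The per-group view described above, as an added example that is not Axiad's code: it aggregates a constructed credential inventory into non-MFA counts per group and turns that view into concrete actions (high-risk groups still on weak methods, groups with inconsistent methods). The inventory records, the method sets and the high-risk group list are assumptions for illustration.

```python
"""Actionable-visibility report over a credential inventory (added example,
not Axiad's code; the inventory records and policy sets are constructed)."""
from collections import defaultdict

# Constructed inventory: one record per (user, platform) credential.
INVENTORY = [
    {"user": "alice", "group": "finance", "platform": "windows", "method": "fido2"},
    {"user": "alice", "group": "finance", "platform": "vpn", "method": "password"},
    {"user": "bob", "group": "finance", "platform": "windows", "method": "smartcard"},
    {"user": "carol", "group": "engineering", "platform": "windows", "method": "fido2"},
    {"user": "carol", "group": "engineering", "platform": "vpn", "method": "fido2"},
    {"user": "dave", "group": "sales", "platform": "saas", "method": "password"},
    {"user": "erin", "group": "executives", "platform": "windows", "method": "password"},
]
# Assumed policy: which methods count as MFA, which are phishing-resistant,
# and which groups must use phishing-resistant MFA on every platform.
MFA_METHODS = {"fido2", "smartcard", "whfb", "otp"}
PHISHING_RESISTANT = {"fido2", "smartcard", "whfb"}
HIGH_RISK_GROUPS = {"executives", "finance"}


def coverage_by_group(inventory):
    """Return {group: {"total": n, "non_mfa": m}} summed across platforms,
    i.e. the single view of userid/password exposure per group."""
    stats = defaultdict(lambda: {"total": 0, "non_mfa": 0})
    for rec in inventory:
        stats[rec["group"]]["total"] += 1
        if rec["method"] not in MFA_METHODS:
            stats[rec["group"]]["non_mfa"] += 1
    return dict(stats)


def findings(inventory):
    """Turn the view into actions: high-risk users still on weak methods,
    and groups whose members use inconsistent methods."""
    actions = []
    methods_in_group = defaultdict(set)
    for rec in inventory:
        methods_in_group[rec["group"]].add(rec["method"])
        if rec["group"] in HIGH_RISK_GROUPS and rec["method"] not in PHISHING_RESISTANT:
            actions.append(
                f"{rec['group']}/{rec['platform']}: move {rec['user']} to phishing-resistant MFA")
    for group, methods in methods_in_group.items():
        if len(methods) > 1:
            actions.append(f"{group}: inconsistent methods {sorted(methods)}; align policy")
    return actions
```

Against a real inventory the same two functions run over an export from the identity platform; the findings list is the work queue the section calls "actionable".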

Automated Workflows

An Okta report calculates that each end user provisioning request takes approximately 30 minutes to complete.[4] The request backlog grows as applications are added, as the employee population grows, and as partners are added. Automated workflows are a necessity for IT to efficiently manage large and complex environments. Automation requires careful implementation, as improperly configured workflows can propagate errors across large user populations. With properly implemented custom workflows, IT can execute tasks across all or a subset of end users, authenticators, and credentials. And, built-in intelligence can put guard rails on the workflows. In short, the need for intelligent automated workflows grows over time – and they are already a must for dynamic environments.

Self-Service

As the definition of end users expands to partners and suppliers and the location moves from the office to everywhere, IT’s management needs grow geometrically. As a result, self-service across the entire lifecycle of authenticators and credentials is a must. However, legacy self-service account recovery typically relies on pushing a One Time Password (OTP) or code that can be intercepted by variants of man-in-the-middle attacks.[5] Legacy self-service therefore adds to the security exposure surface of the organization, so the self-service mechanism and process must be resistant to phishing and hacker-led attacks. Further, end users must be able to safely self-service the entire authentication lifecycle from authenticator enrollment to credential issuance, renewal, and expiration. By doing so, the goals that are frequently a tradeoff – increasing end user satisfaction and decreasing IT workload – are instead both met.

Group-based Management

Putting the previous sections together, authentication operations are usually specific to given groups of end users, authenticators (such as USB Keys), or Credentials (such as Windows Hello for Business). For efficiency as well as security, IT and end users must be able to manage based on groups – whether that is a replacement of an authenticator or a mass credential reset due to a potential security issue or bug.
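A group-scoped bulk action with the guard rails the Automated Workflows section calls for, as an added example that is not Axiad Conductor's code: a mass credential revocation for one group that dry-runs by default and refuses to proceed when the blast radius exceeds an assumed policy threshold unless explicitly approved. The directory entries and the threshold are constructed.

```python
"""Guard-railed bulk credential action for one group (added example, not
Axiad Conductor's code; directory entries and threshold are constructed)."""

# Constructed directory: user -> [group, credential serial]
DIRECTORY = {
    "alice": ["finance", "YK-0001"], "bob": ["finance", "YK-0002"],
    "carol": ["engineering", "YK-0003"], "dave": ["sales", "YK-0004"],
    "erin": ["executives", "YK-0005"], "frank": ["finance", "YK-0006"],
}
# Assumed guard rail: one run may not touch more than this share of all
# users unless someone has explicitly approved the larger blast radius.
MAX_UNAPPROVED_FRACTION = 0.25


class GuardRailError(Exception):
    """Raised when a workflow run is stopped by policy rather than by a bug."""


def bulk_revoke(directory, group, *, approved=False, dry_run=True):
    """Return the serials that would be (or were) revoked for `group`.

    dry_run=True only plans; the guard rails are enforced either way."""
    targets = {u: rec[1] for u, rec in directory.items() if rec[0] == group}
    if not targets:
        raise GuardRailError(f"group {group!r} matched no users; refusing to run")
    fraction = len(targets) / len(directory)
    if fraction > MAX_UNAPPROVED_FRACTION and not approved:
        raise GuardRailError(
            f"{len(targets)}/{len(directory)} users ({fraction:.0%}) affected; approval required")
    revoked = []
    for user, serial in sorted(targets.items()):
        if not dry_run:
            # A real workflow would call the credential service here; the
            # directory entry is cleared to model the revoked credential.
            directory[user][1] = None
        revoked.append(serial)
    return revoked


def run_safely(directory, group, **options):
    """Wrap bulk_revoke so callers get ('ok', serials) or ('blocked', reason)."""
    try:
        return ("ok", bulk_revoke(directory, group, **options))
    except GuardRailError as err:
        return ("blocked", str(err))
```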

Lifecycle Management

Rather than being an issue of one-time provisioning and deprovisioning, end users, applications, authenticators, and credentials are in flux. End users join, are authorized for an evolving set of applications, move departments, get additional responsibilities, and leave the organization. Authenticators are replaced by new versions. Credentials are updated to reflect the latest organizational, security, and data structures. For organizations to maintain operational efficiency, the entire process requires comprehensive lifecycle analysis and management. Management of all these entities must be addressed by workflows for each step in the lifecycle.

Summary: Less about method and more about system

Returning to the main analysis theme, authentication security does depend on management across the entire lifecycle of end users, authenticators, and credentials. To be successful, the system must at least balance the requirements for rigorous security with IT efficiency needs while imposing minimum to no end user friction. The ideal system would in fact attain both goals simultaneously. And, this system will enable the next round of innovations in authentication.

Learn More

For additional information on how we support both FIDO and CBA in a single platform, please view our Axiad Cloud Platform page.

References

[1] Musaddique, Shafi, “Up to 11 hours spent every year resetting passwords”, The National News, https://www.thenationalnews.com/business/up-to-11-hours-spent-every-year-resetting-passwords-1.819620, 1/29/2019.
[2] ENEA, “Research Shows we are Wasting 16 Billion Hours a Year Hunting for Passwords”, https://www.enea.com/news/legacy-press-releases/research-shows-we-are-wasting-16-billion-hours-a-year-hunting-for-passwords/#:~:text=Americans%20are%20spending%20on%20average,16.3%20billion%20hours%20a%20year!, 9/12/2007.
[3] Microsoft, “Overview of Azure AD certificate-based authentication”, https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication, 10/18/22.
[4] Okta, “Top 5 Reasons to Automate Identity Lifecycle”, https://www.okta.com/resources/whitepaper/top-5-reasons-to-automate-identity-lifecycle/.
[5] Yasar, Kinza, “man-in-the-middle attack (MitM)”, TechTarget, https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM.