Overview – Less Method, More System

This blog will take a contrarian view to many security-focused articles. As much as I’m a fan of technology-centric security discussions, I believe the key to improved authentication today and Zero Trust authentication tomorrow is less about method and more about system. As many a CISO has told me, the best security fails when end users can’t tolerate it and IT doesn’t have the cycles to make it work.

Why Credential (including Authenticator) Management is Critical

So, let’s explore authenticator and credential impacts on the end user and IT. There are several major and documented impacts:

• An oft-quoted Gartner statistic is that around 40% of a help desk’s time is spent just resetting passwords.
• The impact on the end user, however, is profoundly greater. Research performed by Yubico indicates that end users spend over 12 minutes per week just finding and resetting passwords – with a total cost per organization of over $5.2 million per year.[1]
• Research performed by Censuswide reveals that consumers are on average spending 12 full days of their lives searching for and resetting usernames and passwords.[2]

Adding strong Authenticators such as USB Keys or Smart Cards to the mix could add even more burden to the already-overworked help desk and, just as importantly, the end users.

So, authenticator and credential management are not only critical but are a key barrier to improved security. In fact, when Microsoft launched their Certificate-Based Authentication infrastructure for Azure AD, they confirmed that creation and management of the certificates was “out of scope”.[3] In conclusion, the industry arguably has reached a tipping point where credential management is required to enable the next round of innovations.

Best Practices for Credential (and Authenticator) Management

At times, best practices are a compilation of current processes. However, there are a hodgepodge of siloed and fragmented practices in place. So, I’d like to articulate the best practices from my perspective as a former security practitioner and as a current member of the Axiad team.

Actionable Visibility

Visibility is one of my least-favorite buzzwords in security because it doesn’t help by itself, particularly with tens to hundreds of thousands of end users and administrators. While it is better than nothing, just being able to view a single data point at a time does not markedly help IT teams.

Instead, the term “actionable visibility” is better since it implies that the visibility guides the right actions. In the case of authentication, a view that reveals the authentication method utilized by each group of end users across platforms is critical. While we have not compiled any statistics, qualitatively Axiad’s customers have been surprised by the number of userid / password (non-MFA) credentials in use across their respective organizations.

Actions that can be taken to minimize the security exposure surface include making the authentication more rigorous for executives and key groups such as finance, making authentication consistent within each group, and balancing authentication options with training and monitoring needs. All these actions are outcomes of actionable visibility.

Automated Workflows

An Okta report calculates that each end user provisioning request takes approximately 30 minutes to complete.[4] The request backlog grows as applications are added, as employee population grows, and as partners are added. Automation is a two-sided sword since it can create a lot of mistakes rapidly. However, automated workflows are a necessity for IT to efficiently manage large and complex environments.

Automated workflows help IT customize and execute tasks across the entire or a subset of end users, authenticators, and credentials. And, built-in intelligence can put guard rails on the workflows. In short, the need for intelligent automated workflows grows over time – and are already a must for dynamic environments.

Self-Service

As the definition of end users expands to partners and suppliers and the location moves from the office to everywhere, IT’s management needs grow geometrically. As a result, self-service across the entire lifecycle of authenticators and credentials is a must. However, legacy self-service account recovery typically relies on pushing a One Time Password (OTP) or code that can be intercepted by variants of man-in-the-middle attacks.[5] As a result, legacy self-service adds to the security exposure surface of the organization.

As a result, the self-service mechanism and process must be resistant to phishing and hacker-led attacks. Further, end users must be able to safely self-service the entire authentication lifecycle from authenticator enrollment to credential issuance, renewal, and expiration. By doing so, the goals that are frequently a tradeoff – increasing end user satisfaction and decreasing IT workload – are instead both met.

Group-based Management

Putting the previous sections together, authentication operations are usually specific to given groups of end users, authenticators (such as USB Keys), or Credentials (such as Windows Hello for Business). For efficiency as well as security, IT and end users must be able to manage based on groups – whether that is a replacement of an authenticator or a mass credential reset due to a potential security issue or bug.

Lifecycle Management

Rather than being an issue of one-time provisioning and deprovisioning, End Users, applications, Authenticators, and Credentials are in flux. End Users join, are authorized for an evolving set of applications, move departments, get additional responsibilities, and leave the organization. Authenticators are replaced by new versions. Credentials are updated to reflect the latest organizational, security, and data structures.

For an organization’s IT team to survive, the entire process must be analyzed and managed as a lifecycle. Management of all these entities must be addressed by workflows for each step in the lifecycle.

Summary: Less about method and more about system

Returning to the theme of this blog, authentication security indeed is reliant on the management across the entire lifecycle of end users, authenticators, and credentials. To be successful, the system must at least balance the requirements for rigorous security with IT efficiency needs while imposing minimum to no end user friction. The ideal system would in fact attain both goals simultaneously. And, this system will enable the next round of innovations in authentication.

Learn More

For additional information on how we support both FIDO and CBA in a single platform, please view our Axiad Cloud Platform page.

[1] Musaddique, Shafi, “Up to 11 hours spent every year resetting passwords”, The National News, https://www.thenationalnews.com/business/up-to-11-hours-spent-every-year-resetting-passwords-1.819620, 1/29/2019.

[2] ENEA, “Research Shows we are Wasting 16 Billion Hours a Year Hunting for Passwords”, https://www.enea.com/news/legacy-press-releases/research-shows-we-are-wasting-16-billion-hours-a-year-hunting-for-passwords/#:~:text=Americans%20are%20spending%20on%20average,16.3%20billion%20hours%20a%20year!, 9/12/2007.

[3] Microsoft, “Overview of Azure AD certificate-based authentication”, https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication, 10/18/22.

[4] Okta, “Top 5 Reasons to Automate Identity Lifecycle”, https://www.okta.com/resources/whitepaper/top-5-reasons-to-automate-identity-lifecycle/.

[5] Kinza, Yasar, “man-in-the-middle attack (MitM)”, TechTarget, https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM.