On-Demand Webinar

Go Passwordless in 21 Days

Access Management is a cornerstone of Zero Trust. Organizations are looking to improve their Identity Security by implementing Passwordless authentication. We created a short video to help your organization successfully plan and launch a passwordless initiative utilizing our proven 4-phased approach. This video provides the framework to help you develop your strategy and enable passwordless authentication in 21 days.

Transcription

0:00:05.0 Rich Gibson: Hello, and welcome, everybody to the Passwordless in 21 Days webinar. This is a quick discussion about a four-phased approach to successfully implementing passwordless workflows in your organisation. This is gonna be four sections of the webinar, we’ll talk through the initiation phase, what are key milestones within that phase, we’ll move into planning of what you need to consider when you’re thinking about a passwordless workflow, specifically for planning them, execution, what are the things to do in the execution phase, and then we’ll round it out with performance and monitoring.

0:00:42.4 Rich Gibson: We’re gonna start in the initiation phase. This will typically take about one day, and it’s really worth thinking about as an organisation where you are on the trust journey and where you are from a passwordless perspective. So most of our customers, most of our prospects began in the early adoption phase, getting single sign-on and two-factor embedded in the organisation, making sure their assets were protected. The next phase and current initiatives, most of the market right now is working on multi-factor and adaptive, moving away from MFA always into a more adaptive capability with multi-factor. But what we’ll be talking about today is the next tranche here, which is where the market’s headed, which is passwordless into continuous, and then finally into what we’re calling dynamic identity policy, which is an orchestration piece.

0:01:39.2 RG: But today we’re gonna focus on that passwordless pillar. We’re giving you some pragmatic advice on how to implement passwordless in your organisation. The evolution of passwordless is multi-faceted. We began in the security space with single-factor authentication, so it was based on knowledge, something you knew, and that was password. We quickly morphed and moved into multi-factor authentication, which was pairing something you knew with something you had like a piece of hardware for OTP or TOTP, or something you are. So you can do multi-factor, again, higher level of trust and confidence.

0:02:22.0 RG: But what we’ll talk about today, and where we’re evolving to, is the first flavour is passwordless experience, and that’s in quotation marks because it is really abstracting the password from the user. And so it’s a combination of something you have and something you are. And then we’re layering in pre-authentication risk analysis to give a higher level of trust and assurance in that authentication. And the other flavour of passwordless is true passwordless authentication using a FIDO2 WebAuthn roaming or bound authenticator, pairing that with something that you are. And then all of those are layered with multi-layers of risk or pre-authentication risk analysis to give a very high level of trust and confidence in that authentication.

0:03:10.5 RG: So moving on to the planning phase, so this will typically take about three days. In the planning phase, you’ve got three planning milestones you wanna hit. Number one, first and foremost is understanding the two types of passwordless workflows that SecureAuth offers. The first one, as I mentioned, is passwordless experience, an identity platform that is the abstraction of the password away from the user, but not removing it from the transaction. And the other flavour is passwordless FIDO2 WebAuthn workflows, truly passwordless transactions in identity platform and soon to be login for Windows at the desktop.

0:03:48.9 RG: So once you understand those two types, what they offer, then number two milestone is define your passwordless strategy. Some of the key things in here are defining what passwordless means to your organisation, how do you define it, what does that mean, is it a passwordless experience, is it true passwordless, what are you trying to achieve? Identify those specific goals. Is it user experience? Is it increased security? What are the goals for the passwordless strategy? And then identify… Key here is identifying the identities, the applications and the workflows that make sense for passwordless. Customers that we speak with, that’s a key piece of the puzzle is identifying ’cause it’s not one-size-fits-all, and it’s not for everybody or every resource. So identify those key people, applications and workflows that make sense to put a passwordless workflow in for.

0:04:38.7 RG: And then your third milestone in the planning phase is creating a passwordless plan. So create your plan, and you need to document those goals that you define, your success criteria, how do you know that that’s successful once you roll it out, and then the expected return on investment. You need to map those passwordless methods, the workflows, the identities and application combinations, and fallbacks based on if you’re not gonna be able to achieve that passwordless authentication during the authentication. So get those all mapped out in milestone three. And then document the processes. Document the registration process, communication process and support procedures to go passwordless.

0:05:21.0 RG: And then in your execution phase, which is typically about 15 days, you wanna spend about 15 days in the execution phase, and this is going to be defining that pilot and pilot success metrics. So now you’ve got your plan, you’ve got all those questions answered, you’re gonna put your pilot together. And what the success metrics are, it’s typically a small group of users, evangelists within the organisation, you’re gonna put them against one or two non-mission-critical applications in the pilot, and then you’re gonna have measurable success metrics out of that. So customers that succeed here have those three to five evangelists, no more than 10, with one or two non-mission-critical applications. And key measurables out of that pilot, did it lower overhead for help desk calls, did it lower login times, etcetera. So you wanna capture those.

0:06:15.7 RG: And then milestone two, key in the execution phase is educate and train your end users. First and foremost on registration, so as you define the MFA methods in your passwordless workflows, how do you register for those MFA methods? What is the passwordless experience for the end user? Train them on that. We had a customer that rolled out passwordless workflows and had to pull back the workflows because the end users thought that it was less secure, so they panicked when they got into the authentication workflow, and there was no password entry. So you wanna train them on what to expect in the passwordless experience, and then you wanna train them on how to get support. Make sure that’s all fully documented, if you have an issue, here’s where you call, here’s what you do to get support in milestone two.

0:07:03.2 RG: In milestone three, communicate. This has gotta be iterated over and over again in the organisation, specifically around the help desk. Help desk, when you get a call, this is what to expect, this is what we’re doing, how it’s going to work, what we’re measuring, this is our passwordless pilot. And you wanna definitely communicate with your end users, your evangelists and your stakeholders. Make sure everybody understands what it is that you’re testing and piloting, what does success look like, what do they expect in the experience, how do they get help if they need it, and so everybody’s aligned before you go into that.

0:07:43.0 RG: And then in performance and monitoring, so this should last one day at the end of the pilot, and what you wanna do here, you have three milestones here to hit, the first one is determining that both, I say interim and final success. So we have customers that during the pilot, during that 15-day pilot, are measuring success and tweaking and determining outcomes. We also recommend that you determine the final success by sitting down with those metrics, those goals that you had at the beginning of the pilot and measuring success. You wanna look at your metrics, you also wanna look at the user experience in the adoption, query those users that were in the pilot. Did it meet your needs? Did you feel like it was a good experience? Do you feel like you would adopt this method of login without your password? How comfortable are you with that? And start to gauge that.

0:08:36.7 RG: And then you wanna look at your help desk volumes. How many calls did you get related in the pilot to that specific experience of that login experience, overall help desk volume. Then you wanna look at, milestone two is what worked and what didn’t. So you wanna analyse the user expectation versus reality, users coming into it, what did they expect versus what really happened. And then the infrastructure, MFA methods that you put in place for the pilot, was that the right mix? The MFA methods, were they conducive to a good login experience? Did you have the infrastructure ready? Did everybody get registered? Was it the right mix of evangelists and applications? Was it a good performance test of passwordless for your organisation?

0:09:18.0 RG: Milestone three is getting ready for the next step, and the next step is the next workflow, so you picked out a specific workflow with one or two applications, what’s the next workflow or workflows? Who are the next users or group of users that you want to get into a passwordless workflow, and then finally the next applications and resources that are up for passwordless. Passwordless is a journey, so this is the 21-day and beyond kind of discussion here, so as you think about your framework to roll this out in your organisation, you wanna think about understanding those passwordless workflows and options. The next step is defining your strategy, we talked through that, creating your plan, your passwordless plan, communicating that plan to shareholders.

0:10:08.0 RG: Probably the most important piece of this is that communication, executing that pilot and/or go live, and then you measure, analyse and take the next step in a passwordless journey. So you iterate around your framework, and roll passwordless out to your organisation. So hopefully this has been a helpful 10 minutes to think about passwordless and rolling that out in a 21-day framework for your organisation. Thank you very much.