Gartner Blog Network


Time to Kill the Password! Or Is it? OK, at the Very Least, MFA All the Way!

by David Mahdi  |  April 22, 2020

During the pandemic, many organizations rushed to enable an effective remote workforce. Employees need access to their corporate network and other cloud services (e.g. VPN, Workday, Salesforce, Microsoft Office 365) to do their jobs. All of this requires that users identify themselves before logging in. Organizations need to rely more heavily on strongly identifying users in order to grant access to all the digital services that employees need.

If organizations don’t use strong and reliable methods to verify users, and instead rely heavily on usernames and passwords, they overly expose themselves to bad actors (“attackers”), many of whom have been conducting phishing attacks aimed at compromising user accounts, all so that they can access sensitive corporate information, which can lead to data breaches.

While there are several aspects to identity management, enabling strong authentication (i.e. MFA/2FA) is one approach that can enable organizations to increase security without dramatically impacting productivity.

Identity has become a critical attack surface for bad actors. Even before the pandemic, organizations started realizing that identity is critical in the age of digital business (for people and machines!). It seems to always come back to the cartoon by Peter Steiner: “On the internet nobody knows you are a dog”. Of course, it’s a little more serious than that: are you a bad actor, or are you a legitimate user trying to do your job?

The Time to Act on Improving Access Management and User Authentication is Now 

So, what should you do now? 

  • Consider how users are accessing resources: How are they doing this today? Are you using strong authentication? If not, why not? If so, is it reliable?
    • Focus on high-risk scenarios first, then expand
    • Start with small, targeted groups of users, then expand
  • Review what products and services you have now: Could you extend these to offer more secure access and authentication? For example, do you currently have an Access Management Suite?
  • People like options! Consider the variety of authentication methods that allow you to balance security and risk, along with usability (UX, for user experience) and, of course, cost.
    • There is no perfect authentication method; it’ll be up to you and your teams to determine what methods work best. There is no “One method to rule them all” – forget Lord of the Rings!
    • Provide guidance, but where you can, allow users to have choice with their authentication methods. For example, you could default to Mobile Push, but have fallbacks to tokens, such as Google Titan keys or YubiKeys, for some users.

Now, on the last point, regarding authentication methods: today, the big craze is “Passwordless Authentication”. Indeed, there is much truth and promise to the hype.

Passwordless authentication methods are gaining in popularity, as we’ve pointed out in our research: 

In addition, standards such as FIDO will continue to help software and device makers build products that can integrate with various services, further allowing you and your teams to roll out strong authentication.

A couple of months back, I did a number of interviews with the press talking about how Apple announced that they too are going to leverage FIDO, further illustrating that we are moving towards an industry-accepted standard.

Not only is Apple on board, but there is a good list of members, such as:

  • ARM, Facebook, Google, Intel, Lenovo, Mastercard, Microsoft and Samsung, to name a few

The promise is that devices, browsers, and software will include FIDO, making it ubiquitous, essentially making strong authentication more like Bluetooth, which is widely accepted (imagine a world without Bluetooth!). That’s what we want with authentication: widely accepted and simple approaches that are just “baked in”. The ongoing goal is that device makers and software providers can focus on one standard, which allows for better consistency and support. Hopefully, we will no longer have laptop-based fingerprint readers that require proprietary software in order to work. In that case, ideally, they will leverage FIDO and work with systems like Microsoft Windows Hello.

COVID-19 has disrupted many things, and here it continues to highlight the importance of digital identity: specifically, that you need to verify and validate your users before you let them access critical corporate resources. If you haven’t reviewed and/or refreshed your authentication and access management approach, now is the time.

Of course, if you want further insight and/or guidance, please do not hesitate to reach out!


Tags: iam  mfa  passwordless  

David Mahdi
Research Director
2 years at Gartner
18 years IT Industry

David Mahdi is a Research Director in IT Leaders Systems, Security and Risk at Gartner, focusing on identity and access management, authentication, and data security.