Access Management is Having a Big Moment and Organizations are Reaping the Rewards
Learn about three AM initiatives topping IT project lists
Access management is the front door to your organization: its network, applications, and services. "Must have" initiatives that rely on access management (AM) are now on nearly every organization's IT priority list. But to get the most from these initiatives, it is essential to have the right AM solution and components in place. (Read how KuppingerCole rated ForgeRock Access Management in its 2023 Leadership Compass report.)
In this post, we'll cover the three areas where access management is set to transform and grow in influence for users both inside and outside your organization.
1. Passwordless Authentication is Making the Password History
For years, indeed for generations, the user-selected password has held sway over the login experience. Alternatives have come along, such as hardware multi-factor authentication (MFA) tokens and biometrics, but they often proved clunky, expensive, and less than user-friendly. Market acceptance of these purpose-built devices never reached more than 30% of internal users, and consumers were often left with only weak two-factor authentication using one-time passcodes sent via SMS (text messages), which can be intercepted or phished.
Passwordless authentication, logging in without a password, is built on open industry standards: FIDO2 and its browser API, WebAuthn, define the credential itself, while federation standards such as SAML carry the resulting authentication on to applications. So you're not staking your career on an unproven protocol. From a high-level perspective, passwordless moves us away from a world where it's necessary to store and protect a huge centralized password database, a magnet for malicious actors. In the passwordless world, the user's device (phone, laptop, or security key) generates a distinct asymmetric key pair for each site. The private key never leaves the device, the site stores only the public key, and every login is a signature over a fresh challenge from the server that is bound to the site's origin, so a look-alike phishing site cannot reuse it. The attack surface shrinks and user satisfaction rises because people can use familiar devices and the convenience of biometrics to log in to their applications.
Why AM is Key:
Here's where it is essential to get access management right. There are two audiences for passwordless authentication: your consumers and your internal users. For consumers, replicating the experience they already have on their mobile devices and browsers is a no-brainer: FIDO2/WebAuthn does it. The challenge is delivering the same thing to internal users on desktops, workstations, VPNs, mainframes, VDIs, and so on, many of which have no browser in the login path at all. Your access management solution needs to be able to handle all of it. Approaching your passwordless project with both consumer and workforce users in mind will help ensure that you've got it right.
2. Orchestration, Maestro!
Identity orchestration is the creation of dynamic login journeys for users: journeys that minimize friction while maintaining high security. In other words, journeys get people where they need to go, quickly and securely. In the past, all users had essentially the same login experience. These login pathways were hard-coded by developers over weeks and months and were rarely changed.
But times have changed, and a single login pathway no longer works for everyone. Users need different enrollment options, anti-fraud checks, identity proofing for new users, MFA enrollment, and more. Scenarios vary by whether it is an end-user customer logging in or an internal employee. Some large enterprises have hundreds of journeys designed to support the applications and use cases they run.
Why AM is Key:
A strong AM solution includes a graphical orchestration engine with a drag-and-drop interface, so the components listed above (identity proofing, anti-fraud checks, MFA, and so on) can be dropped in, moved around, and adjusted as needed.
One user journey can be copied, tweaked, and published as another journey to support a different set of users. Risk can be assessed dynamically and in real time as signals from a user's device or location are fed to the orchestration engine, and each decision can allow or block the request or require supplemental authentication. When the threat environment changes, even non-technical, non-IT people, such as application owners, can be authorized to change their own user journeys, taking the burden off IT. Because a journey edit is an authentication policy edit, those changes should still pass through the same versioning, approval, and audit trail as any other policy change.
3. Decentralized Identity and the Digital Wallet
Although they are technically separate concepts, decentralized identity and the digital wallet (DI/DW) are inextricably linked in both usage and technology, since both live on the user's mobile phone.
The concept of decentralized identity is this: historically, to gain access to a website or application you had to hand over information about who you are, usually via a cumbersome form, to the identity provider (IdP). In this model the IdP is the organization (bank, corporation, healthcare entity, government entity) that owns the digital asset you want to access and holds your account record. This identity information usually includes your email, mobile phone number, name, address, and password, but can also include myriad other items such as preferences and personalizations. The IdP acts as the central repository for this information, abiding by applicable regional privacy laws, some better than others.
With decentralized identity, individual users take back control and can decide how much or how little identity-related information to share, from a wallet on their mobile phone whose keys are protected by the device's secure hardware. The digital wallet concept follows the same contours, with the user able to authorize payment directly from their mobile device.
Why AM is Key:
Organizations are looking for ways to accommodate digital users with DI/DW to facilitate fast transactions and reduce the abandoned shopping carts that burdensome account signups cause. At first glance, it would appear that DI/DW solutions have less need for access management than traditional "centralized" identity approaches, but that's not so.
The traditional functions of authentication (who gets in) and authorization (what they get to do) are every bit as much in play with DI/DW, and may matter more than ever. They help ensure that enough identity information is received to enact a transaction, that enough know-your-customer (KYC) data is shared, that the user is still logging in with appropriate passwordless MFA, and that authentication is still logged for audit purposes. AM even plays a role in ensuring that user access and authorizations are revoked in a timely manner.
The ForgeRock Access Management solution — part of the ForgeRock Identity Platform — helps organizations achieve passwordless authentication, create and drive seamless user journeys through orchestration, and supports organizations accommodating decentralized identity and digital wallet users.
ForgeRock Identified as a Leader in Access Management
KuppingerCole is one of the leading technology analyst organizations that follows the identity and access management segment. They recently released their much-heralded Leadership Compass report assessing over two dozen access management vendors. ForgeRock is gratified to be an overall leader in this thorough report, with strong positives across the board. Get your complimentary copy of the KuppingerCole 2023 Access Management Leadership Compass.