Modernizing Passwordless Authentication: What Enterprises Can Learn From the U.S. Government
Passwordless authentication is a hot topic. Did you know that the U.S. federal government went passwordless more than 15 years ago? Well, kind of, as I’ll explain shortly. From 2010 to 2015, I worked for the Department of Homeland Security, and was part of driving this effort. We achieved a great deal and learned many valuable lessons along the way. These lessons can benefit any digital identity effort – especially one that includes passwordless authentication.
The federal government's efforts to eliminate passwords began in the late 1990s, and, by 2015, almost everyone’s computer login passwords had been replaced with a smart card that supported up to three factors of passwordless authentication. The problem? Behind each computer login lived thousands of password-protected applications that had no way to process smart cards.
Since those early days, Uncle Sam has modernized and released an updated policy covering identity, credential, and access management. In a recent podcast with Scoop News Group, I spoke with FedScoop Senior Vice President Wyatt Kash about the policy’s impacts. Our discussion got me thinking about the similarities between the challenges the U.S. government has faced over the years and the challenges faced in the broader identity world today.
I’ve summarized my observations into three lessons that will benefit any digital identity effort.
Lesson 1: Usability Is a Must
Passwordless authenticators are more complicated to implement. A separate enrollment process is typically required to associate an identity with a credential, whether the credential is a token or a biometric. The credential must also be linked to each application account. And don’t forget about alternate and recovery methods for times when the preferred authenticator can’t be used or fails. This will happen. The federal government had to solve all of these issues along the way.
A modern identity platform abstracts the additional complexities of passwordless authentication from the user experience.
Lesson 2: Secure Accordingly
Not every resource requires “super-max” security. In the early days of government smart cards, the policy was to fully use this passwordless credential for access to all federal systems and facilities. But application integration was slow: the blanket policy approach proved ineffective, and the ocean wouldn’t boil.
A modern identity system adapts intelligently based on a broad spectrum of frequently changing data points. Depending on the application and real-time user data, the system can determine what type of credential is required and route the user journey accordingly. The same system also continuously evaluates risk and requires a stronger authentication when necessary. The federal government plans to leverage this capability to modernize its passwordless smart cards and not require a smart card for every authentication.
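The per-application, risk-adjusted decision described above can be sketched as follows. This is an added example, not code from the article, ForgeRock, or any government system; the authenticator names, application names, signal fields, weights, and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed assurance ladder (assumption): higher value = stronger authenticator.
AUTHENTICATORS = {"device_biometric": 1, "security_key": 2, "smart_card_pin": 3}
STRONGEST = max(AUTHENTICATORS.values())

# Constructed per-application baselines (assumption), instead of one blanket policy.
APP_BASELINE = {"cafeteria_menu": 1, "timesheet": 2, "payroll_admin": 3}

@dataclass
class Signals:
    """Real-time context for one request; the fields are hypothetical."""
    new_device: bool = False
    unusual_location: bool = False
    impossible_travel: bool = False

def risk_score(s: Signals) -> int:
    # Illustrative weights, chosen only for this example.
    return 20 * s.new_device + 30 * s.unusual_location + 60 * s.impossible_travel

def required_level(app: str, s: Signals) -> int:
    # Unknown applications fail closed to the strongest requirement.
    base = APP_BASELINE.get(app, STRONGEST)
    score = risk_score(s)
    bump = 2 if score >= 60 else 1 if score >= 30 else 0
    return min(base + bump, STRONGEST)

def decide(app: str, session_level: int, s: Signals, enrolled: set):
    """Evaluated on every request, so a risk change mid-session forces a step-up."""
    need = required_level(app, s)
    if session_level >= need:
        return ("allow", None)
    # Ask for the weakest enrolled authenticator that still meets the need.
    options = sorted((lvl, name) for name, lvl in AUTHENTICATORS.items()
                     if name in enrolled and lvl >= need)
    # No enrolled authenticator is strong enough: deny (a real system would
    # route the user to an enrollment or recovery journey here).
    return ("step_up", options[0][1]) if options else ("deny", None)
```

A session that was sufficient for `timesheet` a moment ago is asked for the smart card as soon as `unusual_location` is set, while low-sensitivity applications never require it under normal conditions.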
Lesson 3: No Legacy Left Behind
Every organization has legacy systems – or will have them at some point. And legacy systems can’t deal with advanced authenticators. Some federal government agencies implemented single sign-on (SSO) by creating a secure chain of trust between the workstation smart card login and the target application. In the Scoop News podcast, I shared a fun story about a highly complex SSO integration we implemented while I worked in government – with all complexities abstracted from the user, of course.
Because rip and replace is rarely a viable option, modern identity systems must be able to provide integration that allows legacy applications to coexist with modern applications during migration and sunset activities. With this strategy in place, users will never be aware of the difference between legacy and modern systems – at least not from an identity experience perspective.
Whether your organization is part of the U.S. government, a large enterprise, or somewhere in between, security, privacy, and legacy app integration are now foundational digital transformation elements on top of which we must provide highly usable, efficient, and differentiated digital experiences.