The Road to Passwordless is Paved with Orchestration


A new report from KuppingerCole names ForgeRock an Overall Leader in Passwordless Authentication

If passwordless authentication is a destination, then identity orchestration is the highway to get there.

Passwordless authentication means gaining access to digital resources without a traditional user-selected password. Given how many data breaches trace back to stolen or misused passwords, the momentum towards a passwordless future is undeniable. In recognition of this movement, KuppingerCole has published its very first Leadership Compass for Passwordless Authentication. But more on that in a minute.

The essential piece: orchestration

Identity orchestration, or just "orchestration," is a way for organizations to quickly build and put in place user access journeys — from beginning to end — that are both easy for users and secure for the enterprise. Within this journey flow, passwordless methods can be enrolled, used, measured, and tweaked to give the organization the assurance that the benefits they seek — making users' lives easier while elevating security — are truly being achieved.

Orchestration is a no-code no-brainer

Orchestration is both strategic and tactical. At a strategic level, orchestration is a critical capability of an identity and access management (IAM) solution, as essential as access management or identity management. It provides the capability to respond rapidly and with maximum agility to changing business conditions, using identity to create a competitive advantage for both your workforce users and for your consumer population, without breaking the budget.

At the tactical level, it is a graphical, drag-and-drop tool that IT administrators use to design different user journeys to support the business. In the past, user journeys had to be hard-coded by developers, a slow and expensive process that often took months to get even a few journeys in place. When the business or security landscape changed, developers had to be called back in to re-code those journeys.

Modern orchestration involves no coding. This means non-technical IT and identity administrators can design journeys by simply selecting different nodes and flows consisting of users, authentication methods, anti-fraud signals, registration events, step-up authentication, and services, and test them out in near-real time. Putting these journeys into action involves just a few mouse clicks. Post-implementation metrics can be reviewed to evaluate the success/failure rates of different user groups or authentication methods to identify potential issues. Adjustments can be made on the fly. (Picture your business owners smiling.)

How passwordless and orchestration are inextricably linked

Orchestration gets us to a passwordless world much quicker. This is not only because user journeys can be rapidly created using passwordless methods such as fingerprints, facial scans, push notifications, a variety of hardware tokens, and QR codes, but also because orchestration supports a phased approach. (In FIDO-style implementations, a fingerprint or face scan unlocks a key held on the user's device; the biometric itself is never sent to the server.)

We often find organizations get cold feet because they feel passwordless is an "all or nothing" approach. Either all my users get it or none of them do. But orchestration allows for testing out certain groups, experimenting with different methods and rolling out passwordless on your own schedule. You can define which passwordless methods you want to support based on your security policies. Not comfortable with QR codes? No problem, don't add that option to your passwordless orchestration flows. Need to add the latest biometric method to your user flows? Simply drag and drop it into your user access flows. Click. Done.

Don't forget the registration

Registration is often the first step in the orchestrated flow. Users need to enroll themselves or their devices, usually mobile phones and sometimes hardware tokens, in order to enact passwordless authentication. Registration is where this happens.

But interesting things are going on in this space. Users want options. They want a primary authentication method and a secondary one as a backup, just in case they are working from a different device or location. Orchestration and registration make this easy by giving users a simple, lightweight, step-by-step enrollment process.

The ultimate goal of the symbiosis of registration and orchestration is to create great user experiences that keep people from getting frustrated and dropping out of the process. For employees, such a scenario may mean they are being kept from the resources they need to do their jobs. Worse, for consumers, it can mean an abandoned shopping cart and lost revenue. These situations are all-too familiar in the traditional password world, but become rarities in the passwordless world of self-service and choice.

I got a new phone. Now what?

Passwordless authentication is the new frontier. The standard implementation, FIDO2 with its WebAuthn API, relies on asymmetric cryptography: a private key is generated and kept on the user's authenticator (the secure hardware of a phone or laptop, or a roaming security key), the browser only brokers the exchange, and the service stores nothing but the matching public key. This is great, but what happens when the user is without that device, loses it, or gets a new one? A new device holds no copy of that private key, so the service has no way to recognize it.

Here again, all roads lead back to a well-designed orchestration flow. A process can be designed wherein a user can request and be granted emergency or new-device access without IT intervention. The ways to do this are myriad, but they can rely on some combination of a QR code, a known enrolled secondary device (see registration above), signals such as location, and a one-time code to a confirmed email. One caveat: the recovery journey is the path an attacker will probe, so it should demand at least as much assurance as the login it stands in for. A one-time code to an email address is phishable on its own and belongs alongside an enrolled secondary device or other signals, not by itself; and once the new device is verified, its new public key should be enrolled and the lost device's credential revoked.

But know this: if you've heard that passwordless seizes up in the face of users getting new devices, you should understand that well-designed, automated, and secure orchestration can keep your users happy, productive, and safe.

ForgeRock named an overall leader by KuppingerCole for passwordless authentication

ForgeRock has been named as an overall leader in the 2022 KuppingerCole Passwordless Authentication Leadership Compass. We invite you to download the free report here.

When evaluating the 24 vendors for its report, KuppingerCole defined its requirements for functionality and support for integration, as well as requirements regarding the architecture, deployment model, and interoperability with traditional applications, cloud services, and new digital services. Some of these requirements included:

  • An integrated and secure authentication approach
  • A strong level of usability (e.g., simple device onboarding; recurring authentication)
  • Authentication methods that eliminate passwords and other easily phishable factors
  • The ability for organizations to control which users and devices can access sensitive information
Figure 1: Overall Leaders in CIAM

"With its many innovative features and flexible architecture, ForgeRock Identity Platform should be on the short list for organizations considering deploying passwordless authentication solutions."

– Alejandro Leal, Analyst, KuppingerCole Analysts AG

Why ForgeRock for passwordless authentication

In an ever-changing world, one thing that has stayed remarkably consistent year after year is that user-selected passwords remain a leading root cause of data breaches wherever they are used.

The ForgeRock 2022 Consumer Identity Breach Report shows that unauthorized access has been the number-one cause of breaches for four consecutive years, and that account takeover (ATO) attacks rose more than 300% between 2020 and 2021.

The great news is that passwordless is real, and the obstacles that once prevented your ability to move to a passwordless system can be eliminated with excellent orchestration, such as ForgeRock Intelligent Access Trees.

Download your complimentary copy of the 2022 KuppingerCole Leadership Compass on Passwordless Authentication to learn more.