Historically, passwords have been the go-to method for securing information systems. However, as time has passed, they have become harder to memorize, create a lot of pain for IT to maintain, and are a significant source of daily frustration for billions of people. Remember headlines like "Colonial Pipeline Cyber Attack: Hackers Used Compromised Password," or even "CVS Health Faces Data Breach, 1B Search Records Exposed"? If you want to break free from the persistent organizational issues related to passwords, keep reading to learn how Easy Dynamics is transitioning away from passwords to improve its cybersecurity posture.
How did we get here?
Passwords have been with us for about half a century, and they have been an essential aspect of accessing information systems. Over the years, the concept of a “password” has evolved from being literally a “pass-word” to more complex things, like PINs, patterns, codes, phrases, and client secrets. While they have come in many different shapes and sizes, the end goal has always been modest and straightforward: a means to authenticate a request. In other words, when systems want to verify an identity, they may do so by validating the password. Without getting into the gory details of entropy, encryption, and risk/compliance, that statement encompasses the purpose behind an entire facet of the cybersecurity industry, and the bane of every IT shop in existence.
Password constraints started out with very few requirements. However, as time went on and computing power increased, cracking passwords became easier, leading to password complexity requirements. With ever-increasing complexity, people began to use simple leetspeak substitutions and concatenations to satisfy the constraints, like “p@ssw0rd,” “passw0rd123,” or “C@p5L0cK.” Furthermore, due to password fatigue, people started reusing insignificant transformations of their passwords across all their accounts. While the complexity requirements were intended to improve security, the one element that was overlooked throughout the process was the human element. To overcome this, the industry has made progress in using advanced risk mitigation techniques like multi-factor authentication and risk-based access control. However, all of these only serve as overlays, with passwords still deeply rooted in the entire method of authenticating and identifying users and devices.
Is this our story? No, but it is the industry’s story as a whole so far, and it’s also where our passwordless journey begins.
Where it all began for us
Our organization has been using Microsoft Office 365 almost since its inception. At the time, we were generally committed to employing a hybrid deployment of AD and Azure AD for the long term. At the beginning of 2021, we started with 100% of our Windows devices configured as domain-joined devices; and users were authenticating using their passwords and Azure AD MFA. Fast forward ten months, and we have since transitioned all our employees’ devices to being Azure AD joined, and we are currently using Windows Hello for Business (WHfB). The journey so far has been liberating, and the results have been very promising.
Milestones we’ve reached
We started by looking at what it would take to deploy WHfB using a hybrid setup. After assessing our mission-critical applications and realizing that they were all SaaS or cloud-based, we had a watershed moment and realized that we should be issuing Azure AD joined devices to employees and enabling WHfB on those devices. Surprisingly, the nail in the coffin for me came from a video regarding Azure AD DS. So over the last ten months, we have accomplished the following:
- Ensured that all our mission-critical applications were SSO enabled
- Ran tests to ensure that no additional configuration was needed for Azure AD joined devices
- Developed a tactical plan for rolling out/reconfiguring Azure AD joined devices based on the guidelines specified in How to plan your Azure Active Directory join implementation
- Converted all the employees’ devices to Azure AD joined, either by scheduling time with the primary user or by decommissioning and issuing new devices
- Rolled out WHfB for the entire organization
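A practical way to verify the end state of the last two milestones on any given device is to read `dsregcmd /status`, which reports whether the device is Azure AD joined (rather than domain-joined) and whether a Windows Hello for Business key has been provisioned for the signed-in user. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling; it assumes only the real `dsregcmd` output fields `AzureAdJoined`, `DomainJoined` and `NgcSet`, and falls back to a constructed sample when run on a machine without `dsregcmd`.

```powershell
# Added example: check a device's Azure AD join state and WHfB provisioning
# by parsing the key/value lines of `dsregcmd /status`.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints lines such as "        AzureAdJoined : YES"
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        # NgcSet (Next Generation Credential) is YES once a WHfB key exists for the user
        WhfbKeySet    = $state['NgcSet']        -eq 'YES'
    }
}

function Test-PasswordlessReady {
    param([Parameter(Mandatory)][string[]]$Lines)
    $s = ConvertFrom-DsregStatus -Lines $Lines
    # Target state described in the post: Azure AD joined, no on-prem domain join, WHfB enrolled
    $s.AzureAdJoined -and -not $s.DomainJoined -and $s.WhfbKeySet
}

# Constructed sample output (not captured from a real device) for offline use
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
'@ -split "`r?`n"

$lines  = if (Get-Command dsregcmd -ErrorAction SilentlyContinue) { dsregcmd /status } else { $sample }
$status = ConvertFrom-DsregStatus -Lines $lines
$status | Format-List
if (Test-PasswordlessReady -Lines $lines) { 'Ready: Azure AD joined with WHfB provisioned' }
else { 'Not ready: still domain-joined, or the WHfB PIN/key has not been set up yet' }
```

Running this under the signed-in user (not an elevated admin session) matters, because the User State section reflects the account that invoked the command; collecting the result from each device during the pilot gives a simple adoption tally.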
Key considerations for your passwordless journey
After having gone through the process of enabling WHfB, I can tell you what the secret sauce is:
- Agile methods
- Strong communication
You must be wondering why none of these considerations are technical. It’s because the true technical changes are relatively minor. What matters is the impact that the changes have and that you can adapt to the situation that manifests. We hit brick walls trying to roll out local admin access policies, user profile settings, and PIN configurations. It wasn’t always smooth sailing. While there was a vast amount of documentation out in the wild, sometimes we just needed the courage to take that first step into the unknown.
We tested our changes, re-tested and validated them, ran small pilots with the desired state, and then rolled them out to the entire organization. We documented our changes in decision logs/records and deliberated every small detail – all of this took time. Sometimes configuration changes wouldn’t take effect until a day later, and through all of this, we had to be patient and roll our changes out with as much precision as we could afford.
Finally, the last piece of the puzzle was strong communication. We’re still in the process of entirely using SharePoint’s modern features, but we used news posts to our advantage to communicate changes and their impact on our team. This was a great enabler in conjunction with hosting small meetings and webinars via Teams.
What we’ve been able to accomplish
The end result of all of the minor configuration changes, along with the overarching change to our Windows deployment and rollout of WHfB, was:
- A positive and seamless end-user experience,
- Increased adoption of modern authentication mechanisms,
- And most of all, improved security.
We provided a replacement offering for passwords and started deconditioning users from using their passwords by enabling these features. As an added bonus, it has played well into a broader strategy of implementing a zero-trust solution at our organization and inching us forward to full-featured Windows Autopilot capability.
These positive outcomes have given us an immense amount of perspective and the momentum to entirely push towards the adoption of passwordless.
The road ahead
With everything said and done, a few stragglers still have the passwordless offering available to them but will wait until a driver forces them to use it (our late adopters). Again, patience and minimizing disruption is the key to success. Once we’ve reached critical mass with adoption, we’ll cut the cord and stop using passwords entirely. As mentioned earlier in the same article, we will continually develop new scenarios and reassess existing ones to understand whether the use of passwords has been mitigated. For now, our roadmap is fairly straightforward, and it’s just a matter of timing and doing the work at hand.
If you would like us to help you on your passwordless journey, implement zero-trust solutions, or align with standards such as NIST SP 800-53/63, feel free to reach out to us. We have a fantastic team of digital identity and cloud subject matter experts that can help you meet your needs and help realize a long-term vision of an improved cybersecurity posture.