Are you prioritizing passwordless access right now? If so, what are the main reasons behind the initiative, and what's the biggest challenge you've faced?


2k views, 2 Upvotes, 11 Comments

Director of IT in Transportation, 5,001 - 10,000 employees
Users must change their passwords regularly using a reset program, and if they forget, they are given a reminder to change and update passwords.
1
Chief Technical Officer in Software, 11 - 50 employees
Anything to encourage good password management is a boon. Provide users with password managers, encourage OTP MFA, discourage password re-use or password rotation.
2 2 Replies
Chief Technical Officer in Software, 11 - 50 employees

We haven't gone to completely passwordless authentication; however, for some systems we use it as an extra MFA verification. That is, you have something that you had before and still have and have the ability to access it because you know the unlock PIN / Face ID / fingerprint for that device. This is easier to use than an MFA OTP but doesn't completely replace the need for a password. Without them, it's a single point of failure. When the security of our infrastructure and customers' data is at stake, we need more, not less. For non-privileged accounts where the damage is minimal then yes. Long term we can move to it, but we are still going to insist on multiple authentication, even if each one is passwordless for many situations.

1
GVP in Software, 10,001+ employees

Thanks Yorick, this question came up as a few CIOs we're working with were wondering about the benefits of doing so relative to the traditional approach.  can share more.

CISO in Software, 51 - 200 employees
Myself and others within my network are searching for a 'no password' solution that will work across the enterprise (SaaS/AD/device). We are exploring vendors such as BeyondIdentity, Secret Double Octopus, and others. It also looks like Okta and OnePassword already have this available through their SSO/MFA solution and Microsoft is talking a lot about this as well. The challenge is making one of these solutions work across all enterprise applications both SaaS, on-prem and device logins. It looks like these companies are getting closer to a complete solution so I am hopeful.
1 1 Reply
Sr. Director, IT Infrastructure in Telecommunication, 1,001 - 5,000 employees

If your apps support SAML, SSO with Azure + Microsoft Authenticator will deliver Passwordless authentication natively. We use it already, works fine.

1
Vice President & Chief Information Security Officer (CISO) in Software, 10,001+ employees
On the list
1
Sr. Director, IT Infrastructure in Telecommunication, 1,001 - 5,000 employees
We offer Passwordless already, but gaining user trust is the biggest challenge to overcome. From post-it notes covering cameras, to unwillingness to use some/any apps, to 'cringing' at the idea of the "computer knowing my fingerprint"; the user feedback isn't all positive. It's difficult to garner deep adoption across a large/diverse userbase before trust (in HR, IT, Technology in general) is established. Especially since we encourage (and train) moderate skepticism & security awareness.
3
CDO in Software, 1,001 - 5,000 employees
This isn't something we are prioritizing right now as we don't think it is ready for prime time. Scaling it out over thousands of users across multiple geographies and worrying about what happens when the biometric reader breaks or someone's email or phone gets hacked isn't something we have the time to focus on right now. However we are moving forward with things that would make this possible in the future. E.g., single sign-on across the majority of our apps, allowing people to use biometric for local access on their phones and laptops, etc.
2 2 Replies
Director of IT in Healthcare and Biotech, 1,001 - 5,000 employees

Interesting point about not prioritizing based on where we're at now. Do you have a time-frame in mind for when passwordless might be ready for prime time adoption? 2021 or longer term?

CDO in Software, 1,001 - 5,000 employees

Not really. Given the priorities of the business and all the things that we have to do to enable those, I can't imagine us even really thinking about this until 2nd half of 2021, and then it would be more checking in to see what is the state of technology then and the ease of integrating it with our existing solutions.

1
