Identity management and authentication are evolving rapidly, especially as the era of traditional passwords is slowly becoming outdated. Sebastian Sandell presented at Identity Day 2023 in Sweden, with a focus on securely authenticating sub-contractor users and the changing landscape of authentication. Watch the video of Sebastian’s presentation or have a look at the presentation highlights in the blog below.

The Passwordless Revolution

The traditional method of password authentication is widely accepted to be inconvenient and insecure. Passwordless authentication methods are on the rise and are poised to replace cumbersome password-based systems. In fact, around 99% of modern devices already support these passwordless methods.

Navigating the Transition

While passwordless authentication offers a more secure and user-friendly approach, many organisations are still dependent on passwords for authentication. This raises an important question: how can we ensure the security of these accounts in a transitioning landscape? The answer lies in establishing strong company policies.

The Role of Company Policies

Emphasising the critical role that company policies play in securing user accounts, Sebastian covers how these policies dictate password complexity, length, and update frequency. For example, the presence of lowercase and uppercase letters, special characters, and numbers may be mandatory. For added security, some companies may require Multi-Factor Authentication (MFA). He also highlights the importance of checking passwords against breach databases.
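As an added illustration of the policy checks described above (example code written for this summary, not code from Sebastian's presentation or from Ubisecure), the following validator enforces length, character-class and rotation rules and checks the candidate against a breach corpus. The corpus here is a constructed in-memory set of SHA-1 hashes, and `breach_range_lookup` only simulates the prefix-based (k-anonymity) lookup that breach-check services expose; the policy values are assumptions for the example.

```python
import hashlib
import re

# Constructed stand-in for a breach database: SHA-1 hashes of a few weak
# passwords. A real deployment would query an external breach-check service.
_BREACHED_PLAINTEXTS = ["password", "Password1!", "letmein", "Winter2023!"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PLAINTEXTS}

# Assumed policy values for this example.
POLICY = {
    "min_length": 12,
    "require_lower": True,
    "require_upper": True,
    "require_digit": True,
    "require_special": True,
    "max_age_days": 365,
}


def breach_range_lookup(prefix5):
    """Simulated k-anonymity range query: given the first five hex characters
    of a SHA-1 digest, return the suffixes of all breached hashes that share
    that prefix. The full password hash never leaves the caller."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password):
    """True if the password's SHA-1 appears in the (simulated) breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breach_range_lookup(digest[:5])


def check_password(password, policy=POLICY, age_days=0):
    """Return the list of policy violations; an empty list means compliant.
    age_days is how long the current password has been in use."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if policy["require_lower"] and not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        violations.append("no digit")
    if policy["require_special"] and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    if is_breached(password):
        violations.append("appears in breach database")
    if age_days > policy["max_age_days"]:
        violations.append(f"older than {policy['max_age_days']} days; rotation required")
    return violations


if __name__ == "__main__":
    for candidate in ["Password1!", "password123", "Correct-Horse-Battery-9"]:
        print(candidate, "->", check_password(candidate) or "compliant")
```

Note that a password can satisfy every complexity rule and still fail: `Password1!` has all four character classes but is both too short and present in the breach corpus, which is exactly why the breach check is enforced alongside the complexity rules rather than instead of them.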

Enforcing Policies in a Business Environment

The complexity arises when these policies must be enforced in a business environment, where subcontractors and partners need access to an organisation’s systems. Sebastian illustrated this challenge with a scenario involving three distinct user groups:

  • Internal Users: These are employees who have well-defined accounts in the organisation. They access systems using email and passwords, with the option to enable MFA for additional security.
  • Registered Federated Users: These are users from trusted partner organisations. They have some information in the system and can use their organisation’s identity providers (IdPs) for authentication. Their need for MFA depends on their organisation’s policies.
  • Unregistered Federated Users: These users are even further removed from the organisation’s systems and policies. This group includes subcontractors and third-tier connections about whom only limited information is available.

Customised Authentication for Unregistered Federated Users

Unregistered federated users present a unique challenge since they lack a detailed profile in the organisation’s system. This emphasises the need for tailored authentication methods for these users. For instance, they might use their Google credentials if they belong to a Google IdP. Depending on the limited data available, they could employ various One-Time Password (OTP) methods, including SMS OTP and email (SMTP) OTP.
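The OTP methods mentioned above share the same server-side lifecycle whether the code is delivered by SMS or by email. The following is an added example for this summary (not Ubisecure's implementation) of that lifecycle: the code is generated from a cryptographic random source, only a salted hash is stored, verification is constant-time, and the code expires, is single-use and is locked after a bounded number of guesses. The `OtpStore` class, the delivery addresses and the limits are assumptions; delivery via an SMS or SMTP gateway is left out, so `issue` simply returns the code to the caller.

```python
import hashlib
import hmac
import secrets
import time

# Assumed limits for this example.
OTP_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5        # guesses allowed before the code is invalidated
OTP_DIGITS = 6


def _digest(salt, code):
    """Salted hash of the code; the plaintext code is never stored."""
    return hashlib.sha256(salt + code.encode()).digest()


class OtpStore:
    """Hypothetical in-memory store of pending one-time passwords, keyed by
    delivery address (phone number for SMS OTP, mailbox for email OTP).
    The clock is injectable so expiry can be exercised deterministically."""

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock

    def issue(self, address):
        """Generate a fresh code for the address, replacing any pending one.
        Returns the code for hand-off to the SMS/email gateway."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[address] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, address, code):
        """Return (accepted, reason). A code is consumed on success, on expiry
        and once the attempt budget is exhausted, so it can never be replayed."""
        entry = self._pending.get(address)
        if entry is None:
            return False, "no pending code"
        if self._clock() > entry["expires"]:
            del self._pending[address]
            return False, "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[address]
            return False, "too many attempts"
        if not hmac.compare_digest(entry["digest"], _digest(entry["salt"], code)):
            return False, "mismatch"
        del self._pending[address]  # single use
        return True, "ok"


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("user@example.test")  # constructed address
    print("issued:", code)
    print("verify:", store.verify("user@example.test", code))
    print("replay:", store.verify("user@example.test", code))
```

Because the attempt counter is incremented before the comparison, the fifth wrong guess still returns "mismatch" while the sixth attempt, even with the correct code, invalidates the entry; a six-digit code with an unbounded guess budget would otherwise be trivially brute-forced within its five-minute window.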

MFA’s Continued Relevance

Sebastian underlined that, even as passwordless authentication gains traction, there are scenarios where MFA remains essential. As users move further away from trusted internal users towards unregistered federated users, the risk of unauthorised access and security breaches increases. Therefore, MFA can add an extra layer of security to protect the most critical applications.

In conclusion, Sebastian’s presentation at Identity Day 2023 sheds light on the evolving landscape of authentication. As organisations transition to passwordless authentication, maintaining security for legacy systems still reliant on passwords is crucial. Company policies, emphasising strong password requirements and MFA, are essential for a smooth transition. The challenge of managing authentication in a business environment with subcontractors necessitates tailored solutions. Security remains paramount, and MFA continues to be relevant, especially for safeguarding critical applications. Contact Ubisecure to discuss securely authenticating your unregistered federated users.