Optiv’s trek to becoming 100% passwordless
“The user experience is just substantially better than constantly having to reset passwords,” Gregory says.
Things Rob Gregory hates: broccoli, unkempt grass, uncomfortable chairs, and passwords…the latter so much so that he is actively working to eliminate them from his organization.
Gregory, who is CISO at cybersecurity advisory firm Optiv, told IT Brew that the password-elimination project is the second passwordless initiative in his career, and that the shift to passwordless will be a solid solution to several cybersecurity risks, including phishing attacks and data breaches.
“Passwordless is really the building block that everyone should be building their identity and access platform around today,” he said.
Gregory isn’t the only CISO sailing in the anti-password boat: More than nine in 10 CISOs either have implemented or are planning to implement passwordless authentication within their organization, according to a Portnox survey querying 200 CISOs.
Unphased. There are a few different routes an organization can take to achieving a passwordless environment. Optiv’s passwordless environment involves multi-factor authentication (MFA), where none of the factors involve a traditional password.
“It may be something you have and something you are, combined,” Gregory said. “Maybe official ID recognition on your phone, or a fingerprint combined with you being physically in the office.” Because a fully passwordless environment is “incredibly difficult to take off in one bite,” he said, Optiv has been embarking on the initiative in phases. The first phase involved setting up central authentication, which Optiv achieved by developing a single sign-on (SSO) portal through which authenticated users can access internal applications.
The second phase, which Optiv recently wrapped up, involved a QR-based, app-verified passwordless authentication for users, a step that made sense since employees were already using a mobile authenticator on their phone.
“Instead of entering a password, they’re going to get presented a QR code,” Gregory said, adding that the authenticator app uses public key infrastructure validation to make sure it’s the correct device that Optiv registered. Users are authenticated after completing a short matching task on their device.
A few safeguards have been arranged to ensure suspicious activity is addressed appropriately: “Rob Gregory is logging in from North Korea. He’s never been there, and five minutes ago, it said he logged in from Kansas City, where I’m based. Things like that would trigger and override that MFA and essentially shut the user down right there.”
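As an added illustration of the safeguard Gregory describes (example code, not Optiv's own), here is a minimal impossible-travel check in Python run over constructed sign-in events: the coordinates, the 900 km/h plausibility threshold and the "deny_and_disable" action name are assumptions, not details from the article.

```python
"""Impossible-travel check over constructed sign-in events (not Optiv's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import radians, sin, cos, asin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: roughly airliner cruise speed

@dataclass
class SignIn:
    user: str
    at: datetime
    city: str
    lat: float
    lon: float

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def evaluate(previous: Optional[SignIn], current: SignIn) -> dict:
    """Decide whether `current` is plausible given the user's last accepted sign-in.
    An implausible implied speed overrides MFA success and disables the account."""
    if previous is None:
        return {"action": "allow", "reason": "no prior sign-in", "distance_km": 0.0}
    km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
    if km < 1.0:  # same place: nothing to compare, whatever the elapsed time
        return {"action": "allow", "reason": "same location", "distance_km": km}
    hours = (current.at - previous.at).total_seconds() / 3600
    speed = km / hours if hours > 0 else float("inf")  # non-positive gap: unreachable
    if speed > MAX_PLAUSIBLE_SPEED_KMH:
        return {"action": "deny_and_disable", "distance_km": km, "speed_kmh": speed,
                "reason": f"impossible travel: {km:.0f} km in {hours * 60:.0f} min"}
    return {"action": "allow", "distance_km": km, "speed_kmh": speed,
            "reason": "travel plausible"}

# Constructed sample events mirroring the scenario quoted above (approximate coordinates).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
KANSAS_CITY = SignIn("rgregory", T0, "Kansas City", 39.0997, -94.5786)
NORTH_KOREA = SignIn("rgregory", T0 + timedelta(minutes=5), "Pyongyang", 39.0392, 125.7625)
CHICAGO = SignIn("rgregory", T0 + timedelta(hours=4), "Chicago", 41.8781, -87.6298)

def demo() -> tuple:
    """Run the check on the impossible pair and on a plausible pair."""
    return evaluate(KANSAS_CITY, NORTH_KOREA), evaluate(KANSAS_CITY, CHICAGO)

if __name__ == "__main__":
    for decision in demo():
        print(decision["action"], "-", decision["reason"])
```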
Learning the ropes. Employee education about the initiative included written and visual communications such as a user guide and a FAQ. Gregory said companies relying on similar learning content should test out the support guides before making them available to the company.
“Anytime you’re going to [send] written communication out, [or] sending out people user guides, you’ve got to make sure those user guides are correct,” Gregory said. To that end, he trialed the phases of the passwordless initiative on a group of employees with minimal guidance outside of the support guide.
“We got a little bit of feedback and tweaked our user guide so that when we were ready to go live, we had essentially prelaunched, not only the technology, but those user guides and those processes that we were about to share with the organization,” Gregory said.
“It’s really important to make sure everything around an organizational change is tested, and not just the technology,” he added.
Final lap. The next phase of Optiv’s passwordless initiative is focused on device log-on, according to Gregory.
“How do we bridge the gap to where they log on the device with the passwordless authentication, and then they go to SSO, and they’re already authenticated? …That’s more where we want to go,” he said. Optiv is currently running a few pilots and hopes to get this seamless user experience running late this year, though users have already vocalized their approval of changes thus far.
“The user experience is just substantially better than constantly having to reset passwords,” Gregory said. “So, cross user-base, resounding [positive] feedback, particularly at the executive level.”
About the author
Brianna Monsanto
Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.