While completely ditching passwords is the goal, right now we have to accept that it will take some time yet. Recently we talked about the idea of going passwordless when the user authenticates to an identity provider. (We looked at Okta’s offerings and Microsoft’s four-step roadmap.)
However, this passwordless experience only works well if your apps support modern authentication standards like SAML and OAuth, and, sadly, not all apps do. Clearly, we don’t want users to need passwords for all these old apps, as that would be a step backwards. So, how do we get these apps connected to the identity provider to deliver a passwordless experience?
This is where password vaulting comes into play. Instead of having users deal with passwords for all these apps, all they have to do is authenticate to the identity provider. The identity provider holds the password vault and stuffs the stored credentials into the necessary apps. The user doesn’t need to know what password is being stuffed into the app, since it is already saved in the vault; they only need to know how to authenticate to the IdP.
You may have gone passwordless with your users authenticating to the IdP via fancy ways like fingerprint or face recognition, but the old apps need password vaulting.
Many of us already use password vaults, so we should all be able to easily understand how this works at enterprise scale. In case you’re not familiar, one consumer example is the Apple iCloud Keychain. This feature saves your credentials for each site and mobile app, and includes the ability to create “strong,” unique passwords. Password vaults often include biometric authentication, creating a passwordless experience.
Vendors that offer enterprise password vaulting
Luckily for organizations, many large identity providers offer password vaulting alongside the normal single sign-on options for modern apps. Here are a few options you can consider, if you don’t use them in some capacity already.
One recent vendor to jump on board is Google. They announced in October that organizations that use G Suite Enterprise, G Suite Enterprise for Education, and Google Cloud Identity Premium can add password vaulting for apps unable to support modern authentication.
Admins add the desired apps to Google’s password vaulted apps service, add login credentials, and then grant users/groups access to the apps. If the app uses 2FA, the user will still be prompted for their second factor when trying to access that specific app. On the user side, they install the Cloud Identity Account manager browser extension on either Chrome or Firefox.
Okta offers a similar product, Secure Web Authentication (SWA), which lets organizations sign in to Okta-managed apps that don’t natively support federated SSO.
Admins enable SWA, and either admins or users add their credentials for the various apps into Okta for password vaulting. One additional feature is setting the app credentials to match what is already used to log in to Okta, to reduce the number of additional sign-ins.
Users download the Okta Browser Plugin (it’s an extension, but that’s the product name), and with just a single click are logged into SWA apps. On the backend, Okta sends the user credentials to the app over SSL. To ensure everything is working correctly, users will receive a pop-up notification asking them to confirm that they were able to sign in the first time to an SWA app without issues.
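To make the flow described above concrete, here is an added Python model of an IdP-backed vault (example code, not Google’s or Okta’s implementation): an admin stores an app’s credentials encrypted at rest, a user authenticates to the IdP, and the browser extension asks the vault to fill the login form. The session check, the per-user grant, the registered-origin check and the XOR stand-in for KMS-backed encryption are all assumptions of this example, and the app and user names are constructed.

```python
import hashlib, secrets, time

class PasswordVault:
    """Constructed model: the IdP holds app passwords; users never see them."""
    def __init__(self, session_ttl=600):
        self._kek = secrets.token_bytes(32)  # stand-in for a KMS-held key
        self._apps = {}      # app -> {"origin", "user", "ct", "nonce", "2fa"}
        self._grants = {}    # app -> set of users allowed to use it
        self._sessions = {}  # IdP session token -> (user, expiry)
        self.audit = []
        self.ttl = session_ttl

    def _keystream(self, nonce, n):
        # Toy keystream (stand-in for real authenticated encryption)
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self._kek + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def admin_add_app(self, app, origin, username, password, users, requires_2fa=False):
        # Encrypted at rest, so a copy of the vault store alone is not enough
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(password.encode(), self._keystream(nonce, len(password))))
        self._apps[app] = {"origin": origin, "user": username, "ct": ct, "nonce": nonce, "2fa": requires_2fa}
        self._grants[app] = set(users)

    def idp_login(self, user, factor_ok):
        # The IdP decides (WebAuthn, biometrics, ...); the vault only sees the verdict
        if not factor_ok:
            self.audit.append(("idp_login_failed", user)); return None
        tok = secrets.token_urlsafe(32)
        self._sessions[tok] = (user, time.time() + self.ttl)
        return tok

    def fill_request(self, token, app, page_origin):
        """Called by the browser extension; returns what to type into the form, or None."""
        sess = self._sessions.get(token)
        if not sess or sess[1] < time.time():
            self.audit.append(("fill_denied", "no_session", app)); return None
        user, entry = sess[0], self._apps.get(app)
        if entry is None or user not in self._grants[app]:
            self.audit.append(("fill_denied", "not_granted", user, app)); return None
        if page_origin != entry["origin"]:  # never fill a look-alike page with vaulted creds
            self.audit.append(("fill_denied", "origin_mismatch", user, app, page_origin)); return None
        ks = self._keystream(entry["nonce"], len(entry["ct"]))
        pw = bytes(a ^ b for a, b in zip(entry["ct"], ks)).decode()
        self.audit.append(("fill_ok", user, app))
        # The app's own 2FA, if any, is still prompted after the fill
        return {"username": entry["user"], "password": pw, "second_factor_required": entry["2fa"]}
```

The audit list is what a SOC would want from such a vault: every release and every denial is recorded with its reason.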
Google Cloud and Okta are two big examples of vendors that offer the ability to add SSO and password vaulting features to older apps lacking SAML, but are by no means the only ones. Ping Identity is another such example, with the ability to add SSO to older apps through their Global Authentication Authority [PDF] product, PingFederate.
Passwordless is the future, don’t let old apps prevent that
The above vendors are just a few options that organizations can consider when looking to offer the passwordless experience. It’s nice to see that older apps not built for modern authentication standards don’t totally hold us back.
With password vaulting as another option, I say it’s time to get on the passwordless train, if feasible for your organization, as more vendors make it possible no matter the age of your applications.