In February, Idaptive announced the latest update to Next-Gen Access was generally available, bringing with it new options for remote employee device onboarding, device password management and passwordless authentication. (Next-Gen Access is the name for its IDaaS, which launched a year ago.)
I got on a call with Idaptive's Archit Lohokare, chief product officer, to dig into how each of the new features works in release 19.6.
Idaptive remote employee onboarding
One part of the update to Next-Gen Access is aimed at making remote-employee onboarding easier on IT as more organizations adopt cloud directory services. Organizations can have Windows or macOS laptops shipped directly to remote employees, bypassing the need for IT to handle initial setup. Also, with Idaptive, remote employees don't need a VPN to connect to the organization's directory.
For brand-new devices being provisioned for the first time, the Idaptive agent is pushed to the device and handles the enrollment process after the user logs in. New employees log into the agent with temporary credentials provided by their IT department. For devices already in use, employees can log into the Idaptive portal and download the agent to their device.
On Windows devices, the Idaptive Windows Cloud Agent can be used for device login, with Idaptive handling authentication; the agent can be deployed through GPO, SCCM and other organizational tooling. For the macOS Idaptive agent, once initial startup begins, the Idaptive package is pushed to the device through the Apple DEP Automatic Device Enrollment workflow.
To authenticate devices, the Idaptive agent can connect to Active Directory through a brokered connection: Idaptive Cloud is contacted first and then, through a proprietary connector, talks to AD. The agent can also connect to any cloud directory over LDAP.
With the Idaptive agent, employees use their AD or Idaptive Cloud Directory credentials to log into their devices. If they have no internet access, or the directory password has changed since the device last connected to the internet, employees will need the Idaptive mobile app. The app can generate a one-time password that is entered into the Idaptive agent alongside the normal username and password; if the directory password has changed, they'll also need to temporarily reset the directory password until the internet connection is restored.
To close out this section, I also asked what else the agents can do on Windows and macOS. Archit told me that on Windows the agent is focused on authentication rather than management. On macOS you get more of both, with the ability to implement granular policies (e.g., which Wi-Fi networks the laptop can connect to) and SSO integration with Keychain.
Passwordless support and Adaptive MFA
Alongside working to improve the onboarding experience for remote employees, Next-Gen Access now features passwordless authentication and Adaptive Multi-Factor Authentication (MFA).
Like many EUC vendors, Idaptive now supports FIDO2 and WebAuthn for passwordless authentication. Idaptive acts as the FIDO server and can authenticate any FIDO2 key, so users don't have to enter a password every time. Archit told me that Windows Hello and security keys (especially Yubico's YubiKey) are particularly popular with customers currently piloting passwordless authentication.
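What makes a FIDO2/WebAuthn login phishing-resistant is the set of checks the FIDO server (the relying party) performs on the assertion before it even looks at the signature: the challenge must be the one it issued, the browser-reported origin must be the server's own, the rpIdHash must match the server's RP ID, and the signature counter must keep increasing. The following is an added example, not Idaptive's code or any library's API; it uses only the Python standard library, constructs a sample assertion inline, and stops at the point where the stored credential public key would be checked over the returned bytes with a crypto library. The RP ID, origin, challenge and sample data are all hypothetical.

```python
import base64
import hashlib
import json
import struct

# Hypothetical relying party identity; a real deployment uses its own values.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

FLAG_UP = 0x01  # authenticatorData flag: user present
FLAG_UV = 0x04  # authenticatorData flag: user verified (PIN/biometric)


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as clientDataJSON encodes it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, stored_sign_count: int,
                     require_uv: bool = True) -> tuple:
    """Relying-party checks that precede signature verification.

    Returns (data_to_verify, new_sign_count) or raises ValueError.
    data_to_verify = authenticatorData || SHA-256(clientDataJSON) is what
    the authenticator signed; the caller verifies the credential's public
    key over it with a crypto library (not shown in this example).
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: replay or wrong session")
    # Origin binding is the phishing resistance: a lookalike site gets
    # a different origin and the assertion is rejected here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch: not issued to this relying party")

    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential scoped to another RP")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # A counter that does not increase suggests a cloned authenticator.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible clone")

    data_to_verify = auth_data + hashlib.sha256(client_data_json).digest()
    return data_to_verify, sign_count


def rejection_reason(*args, **kwargs):
    """Return the failure message, or None if the checks pass."""
    try:
        verify_assertion(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def make_sample(challenge: bytes, sign_count: int,
                flags: int = FLAG_UP | FLAG_UV,
                origin: str = EXPECTED_ORIGIN) -> tuple:
    """Construct sample clientDataJSON and authenticatorData (test data)."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth_data = (hashlib.sha256(RP_ID.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, auth_data


if __name__ == "__main__":
    challenge = b"\x11" * 32  # constructed; real challenges are random per login
    cdj, ad = make_sample(challenge, sign_count=10)
    signed, count = verify_assertion(cdj, ad, challenge, stored_sign_count=9)
    print("ok, verify signature over", len(signed), "bytes; new count", count)
    print(rejection_reason(*make_sample(challenge, 10), challenge, 10))
```

The sign-count check is the one practitioners most often skip; it is the only signal the server has that a hardware key may have been duplicated, so persist the new count after every successful login.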
Adaptive MFA is a new product that builds on existing Idaptive technology. Admins can create policies that require additional factors when users log into accounts. Policies can be triggered by data Idaptive already collects from the device, such as what the device is, the user's location and other behavioral context. In effect, it extends Idaptive's existing capabilities to keep corporate data from being stolen without adding much friction to the user experience.
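The trade-off described above (stronger checks without friction) comes down to how sign-in context is turned into a risk score and how that score maps to a policy outcome. The following is an added illustration, not Idaptive's engine or its policy model: the signal names, weights and thresholds are assumptions chosen to show the shape of such a policy, including how a baseline learns a device after a successful step-up so the next login from it is low-friction.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """Signals available at sign-in time (hypothetical field names)."""
    user: str
    device_id: str
    device_managed: bool   # enrolled with the device agent
    country: str
    hour_utc: int


@dataclass
class UserBaseline:
    """What has been observed for this user before (hypothetical)."""
    known_devices: set
    usual_countries: set
    active_hours: range    # e.g. range(6, 20) for a 06:00-20:00 UTC worker
    failed_attempts_last_hour: int = 0


# Illustrative weights, not a vendor's tuning.
WEIGHTS = {
    "unknown_device": 35,
    "unmanaged_device": 20,
    "unusual_country": 30,
    "unusual_hour": 10,
    "recent_failures": 25,
}


def score_login(ctx: LoginContext, base: UserBaseline) -> tuple:
    """Return (risk_score, list of triggered signals)."""
    triggered = []
    if ctx.device_id not in base.known_devices:
        triggered.append("unknown_device")
    if not ctx.device_managed:
        triggered.append("unmanaged_device")
    if ctx.country not in base.usual_countries:
        triggered.append("unusual_country")
    if ctx.hour_utc not in base.active_hours:
        triggered.append("unusual_hour")
    if base.failed_attempts_last_hour >= 3:
        triggered.append("recent_failures")
    return sum(WEIGHTS[s] for s in triggered), triggered


def decide(score: int) -> str:
    """Map a score to a policy outcome (thresholds are assumptions)."""
    if score < 25:
        return "allow"           # trusted context: no extra friction
    if score < 65:
        return "step_up"         # any registered second factor
    return "step_up_strong"      # phishing-resistant factor only (FIDO2 key)


def evaluate(ctx: LoginContext, base: UserBaseline) -> tuple:
    """Full policy evaluation: (decision, score, signals)."""
    score, signals = score_login(ctx, base)
    return decide(score), score, signals


def record_success(ctx: LoginContext, base: UserBaseline) -> None:
    """After a successful (stepped-up) login, fold the context into the baseline."""
    base.known_devices.add(ctx.device_id)
    base.usual_countries.add(ctx.country)
    base.failed_attempts_last_hour = 0


if __name__ == "__main__":
    # Constructed sample baseline and logins.
    alice = UserBaseline({"lap-1"}, {"US"}, range(6, 20))
    print(evaluate(LoginContext("alice", "lap-1", True, "US", 14), alice))
    risky = LoginContext("alice", "phone-9", False, "DE", 2)
    print(evaluate(risky, alice))
    record_success(risky, alice)
    print(evaluate(risky, alice))
```

Two design points worth copying: the decision returns the triggered signals alongside the score, so the step-up prompt and the audit log can say why; and the highest tier demands a phishing-resistant factor rather than any OTP, since a push or SMS code is exactly what an attacker with the password will try to relay.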
Roadmap plans: Continuous authentication
Archit says the next step is continuous authentication. This will start with developing what he calls a behavioral fingerprint: Idaptive will learn how the user behaves on a device in order to spot anomalous behavior indicating that the person logged into the account is not actually the right user.
Once that system is in place, the goal is to stop an attacker from keeping access to an account after it's been determined they're not the account holder. Right now, Idaptive can compute a user risk score, so the next step is layering the behavioral fingerprint into it. Archit says they hope to have the behavioral fingerprint ready for Q3, with stopping attackers and kicking them out of compromised accounts planned for either Q4 or early next year.
Next-Gen Access continues to mature: Adaptive MFA uses existing technology to improve security, while Idaptive moves to provide IT with additional remote onboarding options. Additionally, they've brought the passwordless experience to their customers. I love seeing more vendors providing passwordless experiences; before long it'll hopefully become the norm!
Still, on that last point, nobody sees businesses escaping passwords any time soon. For enterprises, passwords will continue to exist in the background through corporate directories like AD. Meanwhile, we're already seeing it on the consumer side, where some apps have eliminated passwords thanks to FIDO authentication (PayPal is one such example).