Keeping Authentication in Check

The future of authentication is passwordless. And the future of transportation is driverless. Yet here we are at the beginning of 2020 with one foot stepping forward and the other firmly rooted in the present. Numerous security vendors and major enterprise security teams have turned their focus toward passwordless authentication, combining biometrics with behavioral signals. While that may eventually be how we all authenticate to our systems and tools, for now most of our logins still require the dreaded password.

For as long as passwords have been used in the digital realm, cyber security experts have been calling for their end. Because that hasn't been feasible, early advice was, “change your password every 60 days and never reuse passwords.”[1] Then it became, “never use easy-to-guess passwords like your birthday or pet’s name.” Next came, “create long passwords.” Then, “create long, complex passwords.” And now, per NIST SP 800-63B, the recommendation has swung back to “sufficiently long passwords with no complexity requirements,” with no forced periodic rotation and a check of each new password against lists of known-compromised passwords. That is an abbreviated history, but it captures the arc.

Along the way, two-factor (2FA) and multi-factor authentication (MFA) were layered on: security questions, hardware tokens, SMS- or voice-delivered passcodes, authenticator apps. These mechanisms raised the bar, but every one of them added friction, and SMS, the most widely adopted method, proved easy to defeat through SIM swapping and message interception (NIST SP 800-63B now classifies it as a restricted authenticator). In the meantime, password managers became readily available for both personal and enterprise use. A password manager assigns a long, random, unique password to every site, system, and app; requires the user to memorize nothing beyond the master credential; and supports 2FA/MFA through a variety of methods, including biometrics.
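To make the policy shift described above concrete, here is an added example (written for this article, not code from Keeper or from NIST) that puts a legacy “long, complex” composition policy beside a NIST SP 800-63B style policy and runs both over constructed sample passwords, including the kind of random password a manager generates. The `KNOWN_BREACHED` set is a constructed stand-in for a real compromised-password corpus; all sample passwords are made up for the demonstration.

```python
"""Two password policies side by side: a legacy composition-rule
policy and a NIST SP 800-63B style policy. Illustrative code added for
this article; it is not Keeper's code. KNOWN_BREACHED is a constructed
stand-in for a real compromised-password corpus."""

import secrets
import string
import unicodedata

# Constructed stand-in for a compromised-credential corpus. A real
# verifier would query a breach dataset instead of a hard-coded set.
KNOWN_BREACHED = {"P@ssw0rd!", "Password1!", "Summer2019!", "Welcome1", "letmein"}


def legacy_policy(password: str) -> list:
    """The 'long, complex' era: 8-16 characters, one of each class.
    Returns the failed rules; an empty list means accepted."""
    failures = []
    if not 8 <= len(password) <= 16:
        failures.append("length must be 8-16")
    if not any(c.isupper() for c in password):
        failures.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        failures.append("needs a symbol")
    return failures


def nist_policy(password: str, breached=KNOWN_BREACHED) -> list:
    """SP 800-63B style: NFKC-normalize, require at least 8 characters,
    accept at least 64, allow spaces and any printable Unicode, impose
    no composition rules, and reject anything on a compromised list or
    made of a single repeated character."""
    normalized = unicodedata.normalize("NFKC", password)
    failures = []
    if len(normalized) < 8:
        failures.append("shorter than 8 characters")
    if len(normalized) > 64:
        failures.append("longer than this verifier's 64-character cap")
    if len(set(normalized)) == 1:
        failures.append("single repeated character")
    if normalized in breached:
        failures.append("found in compromised-password list")
    return failures


def generate_manager_password(length: int = 20) -> str:
    """What a password manager does instead of asking users to remember
    anything: draw a uniformly random string from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def evaluate(password: str) -> dict:
    """True means the password is accepted under that policy."""
    return {"legacy": not legacy_policy(password),
            "nist": not nist_policy(password)}


if __name__ == "__main__":
    # Constructed samples: a breached-but-'complex' password, a long
    # passphrase, and a manager-generated random password.
    for sample in ("P@ssw0rd!", "correct horse battery staple flew south",
                   generate_manager_password()):
        print(f"{sample!r}: {evaluate(sample)}")
```

The two policies disagree in both directions: `P@ssw0rd!` satisfies every composition rule yet is rejected by the NIST-style check because it sits on the compromised list, while the 39-character passphrase fails the legacy rules (too long, no digit, no symbol) and passes the NIST-style check. The 20-character manager-generated password also fails the legacy policy purely on its 16-character cap, which is exactly the kind of rule that fights password managers in practice.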

Slow adoption despite big benefits

Still, password manager adoption remains low; surveys put it at roughly 12 to 15 percent.[2] Given the gains from a system that removes much of the risk inherent in manually chosen and reused passwords, it is curious that password managers have not achieved ubiquity. Part of the problem may lie in how password management is perceived. Because so many cyber security pros want passwords to just go away, the appetite for introducing another password-focused mechanism is weak. Or perhaps the idea of suggesting yet another tool that requires behavior change, even a change that benefits users, makes security teams bristle. Why ask for the deployment of a new password tool when (surely) passwordless is coming?

Except that the likelihood of wholesale password replacement in the near term is low, so enterprises must consider how to make password-based authentication both stronger and easier. One way is the aforementioned password manager, including enterprise offerings from companies like Keeper Security.

Simplifying access management

Before officially launching in 2011, the founders of Keeper Security offered their password manager for mobile on the App Store in 2009. They understood that mobile devices at the time lacked native security and set out to help consumers protect their data while ensuring businesses were not exposed to the downstream effects of an employee’s vulnerable phone. By 2016, Keeper had expanded into the commercial market with an enterprise product covering desktop and laptop clients, browsers and browser extensions, role-based access control, user provisioning via SCIM and Azure AD, SAML 2.0 single sign-on (SSO) providers, Active Directory/LDAP sync, and more. They built APIs so the platform could feed third-party SIEMs, and began looking at how to improve and simplify privileged account management for cloud infrastructure.

Today, Keeper’s primary commercial offerings are for businesses, enterprises, and MSPs. Craig Lurey, CTO & Co-founder, recently told us, “Passwords, as far as anyone can see, are not going away. Passwordless serves its purpose, but the reality is that there is a problem with mass adoption. Still, no one wants to have to type in passwords multiple times per day. Our platforms are designed to eliminate that, and also increase protection against account takeover, stolen passwords, unauthorized privilege escalation, and employee impersonation.”

In addition to traditional password management, Keeper provides secure file storage so teams can encrypt and store private keys, API keys, digital certificates, IT documentation, and other secrets. The company’s BreachWatch® technology provides dark web monitoring built into the Keeper vault; it is designed so that Keeper never sees or stores user data or vault contents, and it alerts both the user and the administrator when a stored credential turns up in breach data, signaling a potential account takeover. For integration, the Keeper Commander SDK lets IT and security teams wire the platform into deployed tooling across environments, so admins can forward alerts to their preferred management or triage tool.

Future outlook

Lurey said that the company is currently in heavy development on advanced administrative and end-user vault capabilities, enhanced features for shared accounts, and deeper integration with SSO identity providers.

In a fairly crowded space, Keeper Security offers competitive enterprise password management. The key for Keeper, and for others in the space, will be evolving their platforms as passwordless features take hold little by little. Lurey said his company is actively focusing on privileged account management for the future of its products; in other words, Keeper wants businesses to think of it as more than a password manager. Passwords may currently be the mechanism by which users access systems, accounts, and apps, but the true goal is preventing unauthorized access and enabling verified machine-to-machine and workload-to-workload communication without increased risk.


[1] Assume “never reuse passwords” applies to every following recommendation.