Decoupling identity to add passwordless to legacy apps
Fall in love with passwordless authentication

Passwordless is red hot. In a recent report, 17% of IT and identity teams have started eliminating passwords within their organization. Another 36% were testing and evaluating passwordless technologies in 2022. And a third said that passwordless was their number one IAM initiative this year.

Financial services may have been among the earlier adopters of passwordless authentication — the risk is high, and there’s a hard dollar cost through fraud that can be quantified very quickly for these businesses. However, in 2023, we see all organizations moving in the direction of taking passwords out of their environments.

No one is immune from cybersecurity breaches. From fintech and healthcare to higher education and retail — wherever there’s a password, there’s a use case for passwordless. Therefore, every organization across all industries needs to be working toward securing their authentication methods.

However, knowing and doing are different beasts. Starting the passwordless journey can be daunting, depending on where you are on the passwordless continuum. Let’s look at the benefits of passwordless, what makes it a challenge for many organizations, and solutions that can speed up the process — a lot!

Challenges of passwordless

Traditional identity providers, by nature, need to be tightly coupled with user identities. Likewise, applications rely on identities and cannot be accessed without authentication.

To complicate matters, organizations have acquired a variety of identity providers and multiple clouds over the years, requiring many registrations for an authentication event and different user interfaces that end-users interact with. It’s confusing and frustrating, causing people to abandon their cybersecurity best practices in favor of what’s easy.

With mergers, acquisitions, and divestitures on the rise, we’re seeing increased complexity from bringing in another IDP that has a whole other set of user interactions.

Benefits of decoupling identity

When identity is decoupled from the app and IDP, modern passwordless and multi-factor authentication is much more easily achieved, and many big identity crises can be averted.

Eliminate friction from the user authentication experience

Decoupling eliminates friction and empowers users by putting authentication control back into their hands. It also frees the business from being bound to one identity provider or another. By shifting the authentication to the user through their mobile device or through a passkey, it abstracts away how they authenticate and creates a consistent experience.

Enforce consistent user policies across all your applications

Another benefit to decoupling through orchestration is that businesses can enforce consistent security policies across the application landscape. Consistent not only in terms of policies that are being enforced but also in how the integration actually works with those applications.

Adoption of passwordless services can be rapid because configuration is done simply, right in the orchestration layer, rather than through a lot of work directly with application owners, who oftentimes end up doing app development.

"And that’s what orchestration is meant to do and is, be able to completely decouple these services from the application itself. And I as a CIO, as a CISO, and as well, importantly too, as an application owner, I don’t have to modernize these (legacy) applications through code work and redevelopment. I can leave these applications as they are, and I can still secure them through an orchestration layer."

- Steve Lay, Sr. Sales Engineer, Strata Identity

If one app isn’t protected, no app is protected

Organizations are increasingly finding themselves between a rock and a hard place when adopting passwordless for legacy apps. Most organizations aren’t aware of all of their applications. What about the ones that only come up in audits? What do you do with those old, legacy line-of-business apps whose source code isn’t even available to update?

If an app is custom-built and the business depends on it, it can’t be eliminated. Yet, modernizing it would require a huge lift in the form of code rewriting to get out from under a bunch of technical debt just so this application can speak a modern authentication protocol.

Leave no apps behind with Strata + HYPR

Identity Orchestration with Strata breaks down the traditional barriers to passwordless and provides the ability to put modern authentication methods in front of any application. With orchestration, you can abstract the enforcement of a service like HYPR, then provide context for users into an application the way the application expects.

To learn more about how to decouple identity from applications and IDPs and start using passwordless authentication on any app, watch the webinar “I Heart Passwordless” with Strata Identity and HYPR | The Identity Assurance Company.

Follow Strata Identity on LinkedIn or learn more about us at: Strata.io.
