Veridium: The True Password-less Enterprise
In February 2017 when I joined Veridium as CPO, I recognised and appreciated one of the biggest challenges for Enterprise organisations today, that of user authentication.
I had first-hand experience, not only from my customers at my previous company but also as an employee in a 10,000 user software company with strict policies on password enforcement and use of 2FA, particularly for remote access.
The reality was that I dreaded being forced to change my password every month; it would cost me at least half a day of inconvenience while my corporate account settled itself down. With 4 devices, all configured to access email with the password hard-coded into the device, the IT system would put me into a lockout situation within moments of my changing my password. A call to the help desk, 20 minutes on hold to have my password reset, and then another lockout within moments: password change day was a painful day.
If I wasn’t phoning the help desk because of a lockout caused by my devices still holding the old password, I was phoning the help desk because I couldn’t remember what my new password was. Despite a strong password policy enforcing upper case, numeric and special characters, I wanted a password that I could remember, so I didn’t have to make that dreaded call to the help desk. The reality? I incremented the number at the end of my password by 1 each time, and then it was just a question of which number I was now on since the last password change.
Then there were my SaaS applications: their password policies were not synced with my Active Directory account, as these systems hosted their own identities, and that compounded my problem even further. Sadly, just after I joined Veridium my old company was compromised by an external hack; not only did I find out through word of mouth, but my ex-employer notified me in writing that my personal data may have been compromised. How was this possible? Password re-use, phishing, brute force? I’m not sure in this particular case, but sadly it’s a common occurrence, especially phishing attacks on Enterprise organisations in the COVID environment we live and work in.
Password-less, that was the future 3 years ago.
Password-less is such an obvious choice for users: why should I be asked for a password every time I attempt to access applications or services? Why do I somehow pick my token up and type my PIN and token number in at the exact moment my OTP changes? Such a frustrating and poor user experience.
Apple changed that experience for me in 2013, when I could use my fingerprint to unlock my iPhone 5S and subsequently to access my mobile applications; no longer was I required to type in a PIN or a password on my phone. This was the nirvana I had been seeking.
So, way back in 2017 as I joined Veridium, I set out to create a solution for Enterprise organisations to replicate their mobile experience in their work experience. We created a solution for customers with our VeridiumID platform to deliver a password-less experience for users, using nothing but an individual’s mobile phone and their biometric as a secure way to authenticate to Enterprise applications and systems. What was even better, as well as creating a password-less experience, by definition of using 2 factors, possession of the phone and yourself as a biometric, it was strong authentication, so I no longer had to use OTP token technology to support our password-less experience. This kept us in line with a lot of the new regulation that was popping up around the globe.
In addition to the exceptional user experience (no more calls to the help desk to unlock my account), there were the cost savings we generated through reduced help desk calls, increased user productivity and the elimination of tokens from the workforce. The benefits to the company were also immense: yes, they had happy users, more productive users. But they could also close down one of the weakest points of their IT infrastructure, the password.
No passwords meant no credential sharing; only valid users could log in, and if there is no password, the entry point for the bad guys to get in was closed. They couldn’t brute force or social engineer my password, because there was no password!
We had our first success at the back end of 2017, when a global Swiss bank implemented our technology. In all honesty, I started to panic. Yes, we had created an exceptional product with huge business value, but did our solution scale, was it robust, could it deal with the high workload it was about to experience? The answer was YES! We had implemented a highly available, scalable and fault-tolerant system which, 3 years on, has never experienced a total system outage, a testament to the hard work the development and test teams put in over 3 years ago.
It frustrates me so much when I see people trying to log in to systems without success. I’m even more frustrated when I see data compromises, particularly at organisations I am signed up with, where my personal data has been lost. It didn’t have to happen.
While passwords exist, there will always be a route in for bad actors, but Veridium created password-less in 2017. Three years on, I not only see competitive products coming to the market, which validates that our thinking was correct all those years ago, but I think the penny has finally dropped, the lightbulb has come on. PASSWORD-LESS is becoming the new normal, and what a proud feeling it is to have been the visionaries in this space.