IAM market strengthening with passwordless authentication on the rise

A new report sponsored by IAM vendor SecureAuth validates its strategy of moving towards passwordless as the first stage in an IAM strategy, to be backed up by other technologies like MFA, 2FA and SSO.

Paul Trulove, CEO of SecureAuth

A new report, conducted by Enterprise Strategy Group and sponsored by Identity and Access Management [IAM] vendor SecureAuth, finds that an increasing number (57%) of organizations are moving towards adopting passwordless, continuous authentication because of frustrations with older authentication technologies. The survey also found that 58% of organizations considered risk scoring to be critically important for customer identity types. The study was based on ESG research with 488 IT security and cybersecurity professionals.

Paul Trulove, who took over as CEO of SecureAuth several weeks ago after spending 14 years at identity governance vendor SailPoint, thinks the survey is an important validation for SecureAuth and its market strategy.

“I came to SecureAuth at a really important time in its journey,” Trulove told ChannelBuzz. “We are at a point today where the market is evolving quickly, and there is an opportunity to deliver a next-generation IAM solution focused mainly on the large enterprise. COVID accelerated that but people had already begun to accept the things behind the trend. We just ended up there a little faster.”

SecureAuth has reworked its business model to be able to deliver this next-gen solution.

“Our last incarnation was a SaaS deployment,” Trulove said. “Cloud delivery is still important, but enterprise buyers are increasingly looking for something beyond the ability to run identity in the cloud. SaaS-centric identity vendors have a limited ability to create a tailored environment. Those customers are the ones we want to serve, who are underserved by the SaaS-only options. We developed cloud solutions and can run them as SaaS, but some customers have unique needs, such as requiring airgapping.”

The acquisition of passwordless vendor Acceptto in November 2021 is critical to this strategy.

“We are looking to accelerate our vision based on the Acceptto acquisition, and that will be the basis for where we go next,” Trulove stated. “Part of where we see the future of authentication in the enterprise is moving down this continuous authentication path, moving the control point closer to the end user in a more frictionless way. It’s not that we replace existing products. We can layer for advanced capabilities on top of that existing infrastructure.”

The IAM spend in the enterprise is expected to continue to increase according to the ESG report, with 47% expecting it to increase slightly and 37% expecting it to increase significantly.

“I think that in IAM there was an over-rotation to running everything in the cloud, but the reality for large enterprises is they still have a lot of apps and data that reside on prem,” Trulove said. “Some still run mainframes and they need good IAM around that.”

The report found that 57% of organizations using, evaluating, or testing the elimination of passwords say that passwordless authentication methods have a significant positive impact on improved user experience. That’s a number that Trulove thinks can and should go up.

“The number is not higher because it comes back to the complexity of integrating passwordless into an existing infrastructure,” Trulove noted. “Now we have to get them over the hump. You have to lower the bar of complexity for implementation and administration. Some start with small pilots to see if they can do it without disruption. This is what we did ourselves. We found that it was very easy and the experience afterwards was much better than 2FA and MFA in the past.”

The report also found that 40% of organizations using MFA for customers make it optional, likely to reduce the friction that “MFA fatigue” creates each time a customer accesses their products or services.

“Passwordless will change the way in which MFA is ultimately delivered,” Trulove said. “If you can put a passwordless experience in front of MFA, you can still fall back to MFA. But instead of the first thing you do, it should be more of a last resort. SSO [Single sign-on] means lower friction, and people still rely on it as primarily a way to reduce that. It is still considered the most effective IAM solution, but it is also now seen as kind of legacy. Hopefully passwordless replaces this in importance.”

58% of organizations considered risk scoring to be critically important for customer identity types, and almost half of organizations using identity risk services for third parties considered risk scoring to be critically important for these third-party organizations and third-party individuals.

“I’m a big fan from my time at SailPoint of calculating risk to improve user experience and security,” Trulove said. “People understand the use of risk score but haven’t put it into practice. That’s something I would like to see change. Most organizations don’t have the ability to deliver a validated process on risk. It is incumbent on vendors in the space to be able to use the tools to be able to show visibility and be able to tailor it to the customer – as an industry best practice.”