Landschap voor Identiteits- en Toegangsbeheer

In order to grow, every company, business, or organization must have a systematic method to arrange employees or members. Today that method frequently falls under the banner of Identity and Access Management (IAM), or also sometimes known as Identity Credential Access Management (ICAM). In both cases, the overall framework outlines how to onboard new employees to the organization, and manage succession and de-provisioning of accounts when needed.

Elements of Identity and Access Management pertain to all companies of all sizes. It is never too early to start thinking about how an organization should manage and maintain employees or members.

In this paper, we explore the six primary elements of Identity and Access Management, and how you can apply them to your organization.

With a long, complex, random, and unique password per account, users put themselves in a strong position to stay protected. An even stronger step is to add two-step login, or two-factor authentication, to both the login for your password manager as well as other websites and services.

With your password manager, two-step login can be configured with authenticator applications, security keys, email, or SMS. Note that these days SMS is considered to be one of the more susceptible methods for hacking due to the prevalence of SIM jacking as a break-in strategy.

Whichever path users choose, be sure that everyone understands the ramifications of two-step login, retains a copy of website two-step login recovery codes if offered, and has a method to back up the authentication keys offered during the two-step login registration process.

Some password managers offer built-in authenticators. This delivers tremendous convenience for users, especially in shared settings. Users can now share a login, including the two-step login sequence, and not have to worry about calling or texting each other to find out the secret code.

Of course, some might ask about the point of including a built-in authentication step with your password manager, and does that negate the value of authentication. Ultimately, users have choices, and employers can educate on preferred practices. These are the reasons to pursue an integrated approach

1. Your Password Manager Vault should have two-step login itself using another method. (Important: you should not use your password manager's built-in authenticator to protect your password manager account.) Therefore your vault and accounts are currently protected with a high level of security and, in fact, two-step login.

2. Having two-step login enabled for websites and applications provides more security than not having it enabled. A tighter bundling of two-step login makes it easier to use more frequently, which promotes better security practices.

3. If you need to share an item, you can share it with two-step login enabled, which, again, promotes better security. This is a collaboration and two-step login power move.

4. You do not need to remember which authentication app you used, since it remains built-in.

5. You can always choose, on an individual basis, which login to authenticate internally within your password manager authenticator, or externally using a separate authenticator app.

As the world moves to passwordless, be sure that your password manager, and overall Identity and Access Management strategy involves passwordless options. For example

• Ensure you can log into devices with biometrics, as well as enable autofill capabilities for credentials with biometrics

• For Single Sign On, also discussed later, explore options that offer passwordless experiences

• Consider the use of security keys throughout your organization

• When deploying security keys have redundant options in mind, as well as backup and recovery procedures if keys go missing, of if keys are connected to company-critical user accounts

• For example, it might make sense for an employee to list the location of any backup security key(s) in their password management vault, only available to view upon account takeover and emergency access

With the boom in software-as-a-service (SaaS) applications, many companies took advantage of Single Sign On to enable unified access to website accounts. Of course, Single Sign On requires that the website or service has that feature available. While many websites catering to businesses offer Single Sign On, there remains a world of websites and services that do not. A password manager fills that gap and more.

Some password managers can also integrate with Single Sign On, allowing companies to auto-provision users into an organization. 

Of course, an end-to-end encrypted application such as a password manager is a bit different from your typical SaaS service. Since a password manager security model with zero-knowledge encryption guarantees that the provider cannot see anything within your vault, the context of Single Sign On takes a different flavor.

The root premise for a password manager is that the end user holds the key to encrypt and decrypt their data. The password manager does not know the key, and cannot provide it to the user should it be lost. Similarly, a password manager cannot just blindly give an end user decryption key to another 3rd party service (such as an identity provider) and rely on that other provider to keep the key safe.

Recognizing this, a secure model to integrate with existing Identity Providers enables the authentication through the Identity Provider, but retains the encryption and decryption with a master password retained by the user, specific to the password manager. This ensures that no 3rd party has access to decrypt the end user vault. It also means that the encryption and decryption master password should be unique to the password manager.

This approach also ensures that users can benefit from every client application offered by the password manager across browsers, mobile operating systems, desktop operating systems, web access, and command line interfaces.