The risks of shadow IT are increasing as GenAI tools become increasingly popular among employees

Presented by Dashlane


Businesses have always faced the risk of a data breach, but today the threat has grown in many ways, partly due to the rise of generative AI tools. Gartner recently found that the number of SaaS applications used per employee has doubled since 2019, and a large portion of those applications are AI tools that employees use without IT oversight.

Unmanaged apps are not protected by controls like Single Sign-On (SSO) or Multifactor Authentication (MFA), so IT has no visibility into whether these apps, which may contain sensitive data, are accessed with secure credentials, or into what data or intellectual property leaks into the wider internet through ChatGPT, Gemini and other tools.

“The explosion of SaaS apps in the cloud has created many gray areas for IT,” said Fred Rivain, CTO of Dashlane. “The effectiveness of login and password security has largely depended on user participation, but today that is not enough. It’s not enough to just have the classic password manager, or just MFA or single sign-on. You need all that, plus you need to improve the hygiene of your credentials across the entire organization.”

The challenges of SSO, MFA and securing credentials

Of course, IT leaders can inventory the critical systems they know about and deploy SSO and MFA on top of them. But today’s challenge is not just shadow IT, but also the sheer number of tools that are not compatible with SSO. There’s also what security professionals call the “SSO tax,” the fees vendors charge to add SSO integration. Identifying the tools that need to be secured and adding SSO integration becomes an expensive exercise, both in time and in money.

Many companies are balking at these fees – understandable when companies are dealing with an average of 53 credentials that aren’t automatically covered by SSO (and chances are many of those passwords are duplicates), and inventorying apps across the organization is a large undertaking that requires C-suite buy-in. In the meantime, small and medium-sized businesses are completely excluded because they simply don’t have the resources to pay for SSO integration.


Companies of all sizes typically use individual, manual passwords because the initial adoption costs are much lower. Unfortunately, there are also large hidden administrative costs and profound security implications because all of this data is at risk, and many of those risks are not visible.

“That’s why it’s critical to encourage employees to use a credential manager to generate a unique and complex password for those systems,” says Rivain. “It helps them develop the right authentication habits and best practices. The hope is that employees will also add that protection to the unauthorized apps they use, which is at least better than the alternative.”

However, employees regularly use and share their credentials, both the strong generated passwords and the weak or compromised credentials they create themselves. Getting them to understand the risks and stay informed about phishing attempts is often an uphill battle.

Add passkeys as a layer of security

Passkeys can add an extra layer of security and help reduce credential risk in some parts of the organization, Rivain says. A passkey is a form of passwordless authentication, developed by the FIDO Alliance and supported by major technology companies. Passkeys are always unique and strong and do not require storing private information on servers. When a user logs in to a website or app, they are asked to prove their identity. They can use biometric identification such as a fingerprint or facial recognition, or alternatively approve a challenge from a credential manager. Once confirmed, the user is logged in automatically, no password required.

Passkeys are much more secure than any password, are resistant to phishing and cannot be stolen or guessed. From a liability perspective, since exposing customer data can land an organization in major legal trouble, asking employees to use passkeys whenever possible can measurably improve security. IT leaders can explicitly encourage teams to use passkeys where they are available in the tools they use. For example, the marketing group can move to passkeys for most social media platforms.


However, passkeys as an enterprise solution aren’t quite ready for prime time, Rivain says. For example, they are not available for every tool or platform. Moreover, it is still an emerging technology, with some accessibility issues, such as a somewhat clunky UX in Chrome and Apple, but also problems with proper attestation of the origin of passkeys, difficult account recovery if a passkey is lost, and no control over where the passkey is stored.

“IT administrators obviously want that control. They want to know where they keep the keys to the kingdom,” says Rivain. “There are many enterprise use cases that have not yet been resolved around passkeys. That is part of the work of the FIDO Alliance, which will also take time.”

As more consumers adopt passkeys, which are supported by many larger websites, apps and technology companies, passkeys will become a bigger part of the enterprise security conversation. Rivain predicts that we will see completely passwordless solutions for the enterprise in the future, but the situation is still playing out.

“They’re not perfect, but they’re also a way to protect employees so they can’t accidentally give away a password, and they’re going to use the technology because it’s more convenient and more secure,” he says. “That’s why it’s important that the industry continues to work on this and promote it. It will be a very long adoption process, but it is better than what we had before.”

Where does that leave the company in terms of security? Unsecured credentials such as passwords continue to pose a persistent and evolving threat to organizations, even with other protections in place. Businesses need a whole new approach to security and credentials.


Changing the game of login security

As the number and sophistication of attacks continues to rise, along with the number of invisible, unauthorized apps employees use, even the best-layered security strategy isn’t foolproof.

“We need to find a new approach, one that ensures that even those workers who don’t pay much attention to security are still protected, and we need to move to active protection instead of passive defense,” Rivain explains. “That means going beyond traditional password management and securing every employee’s credentials in context and in real time.”

To this end, Dashlane has integrated detection, intelligence and response capabilities into tools that provide maximum insight into credential risks.

Dashlane’s Credential Risk tool continuously monitors enterprise-wide credential data to detect risks in real time. When an employee enters weak, reused, or compromised credentials, or is about to enter their credentials on a suspicious website, the tool automatically sends an alert to IT. Dashlane Nudges automates the credential response by sending personalized, automated messages to employees, alerting them to the risk and prompting them to update their credentials.

Continuous scanning of app login methods gives IT much more insight into the login risk of all tools and systems employees use, whether authorized or not. Meanwhile, employees are encouraged to develop good security habits throughout the day.

“There is a lot of potential in this new approach,” he adds. “We’re trying to tackle the problem of credential security across the organization from a whole new angle, adding another critical layer of protection to a robust security strategy.”

Dig deeper: Click here to learn more about Credential Risk Detection, Dashlane Nudges, and other powerful enterprise security tools.

To discuss purchasing, visit Dashlane here.


Sponsored articles are content produced by a company that pays for the post or has a business relationship with VentureBeat, and is always clearly marked. For more information please contact sales@venturebeat.com.
