1 Introduction
Password Management is an established discipline in IT. However, there is a dichotomy between the factual need for such solutions in a world of widespread use of passwords and other secrets, and the perception that passwords are becoming less relevant. The latter, unfortunately, is a perception that is backed by reality only to a rather limited extent. While we observe an increase in solutions for passwordless authentication, and a broader use of Identity Federation as a mechanism for Single Sign-On, passwords are still prevalent.
Passwords are ubiquitous. This starts with passwords serving as the fallback for many of the (not so truly) passwordless authentication approaches. Passwords are still common for many legacy applications, as well as for network devices and other systems. Passwords are common when accessing applications of business partners, not to mention retail web sites or other web sites that are frequently accessed, e.g., for industry news.
With passwords rightly being perceived as a major security risk, there is a need for protecting and managing passwords and for adding security to all the use cases where passwords can't easily be replaced and will not disappear in the foreseeable future.
This is where Password Managers and, closely related to them, Enterprise Single Sign-On solutions (E-SSO) come into play. They help organizations manage and protect passwords. Password Manager solutions are available both as single-user editions, targeted at consumers and individual users, and as enterprise solutions, which add centralized management across all users and other enterprise-level features. The line between enterprise-grade Password Managers and E-SSO is blurring, and these solutions are often complementary. The main distinction is the client-side support of E-SSO for password-based login into legacy, non-web applications, which is not a common capability of Password Managers. The latter commonly focus on username and password fill into web applications and sometimes extend to support for identity federation protocols such as OAuth, but less commonly to authentication for legacy applications.
The core requirement for any Password Manager solution is security. Storing passwords centrally increases the risk if not done right. There are multiple potential points of attack:
- The password store, commonly named the "vault", where passwords and other secrets are centrally kept and managed, must be well-protected. HSM (Hardware Security Module) support is a key requirement.
- The admin console, which could allow an attacker to alter the configuration in their favor, must be well-protected.
- The transmission of secrets to the endpoints also exposes an attack surface and requires strong protection.
- Finally, the client components themselves are subject to attacks.
While today's enterprise-grade Password Manager solutions commonly provide a strong set of security features, security remains, aside from usability and integration, a key differentiator between the various offerings in the market. These solutions, implemented correctly, provide a significantly higher level of security than the unmanaged, decentralized use of passwords.
Keeper Enterprise is one enterprise-grade Password Manager with a well thought out security model categorized as "zero trust/zero knowledge", and a broad set of integrations to IdPs, target services, and security components such as HSMs.