Traditionally when a user is on-boarded into an organisation they are given a desktop password along with a whole host of other passwords to access the required business applications to enable them to do their job. Inevitably there will be numerous associated company information security policies that dictate that passwords should not be written down or shared with colleagues etc.
Trying to remember numerous passwords can be onerous on the end user at the best of times and can lead to a plethora of password sins committed by the end user. Whilst we can deploy some SSO technologies to relieve password fatigue, the on-boarding provisioning process often means that the user needs to know their passwords at some point – or do they?
I recently worked on a project at a leading engineering company who were in the process of deploying a large new ERP system. The end users were highly skilled engineers focusing on cutting edge technology but password security was not high on their list of priorities. Traditionally within the organisation, credentials for new applications were sent by email and sometimes they were communicated over the phone. Inevitably these were written down in text files and diaries or passwords were changed to be the same “pet’s name” type password for multiple applications.
This was a huge concern for the Chief Architect who wanted to remove end user password management and provide “zero touch” credential provisioning for the new ERP applications. He also wanted to satisfy auditing and compliance requirements by enforcing complex passwords whilst preventing unauthorised credential sharing. All this needed to be achieved without inconveniencing the users.