Passwords remain one of the weakest points in enterprise security, even as organizations adopt new authentication technologies.

In a recent CyberArk webcast, host Adrian Sanabria and Timothy Arvanites, Senior Director, Field Technology Office and Advisory at CyberArk, explored the persistent risks associated with workforce credentials, why passwordless authentication is not yet universal, and how organizations can better protect identity systems.

Despite decades of security improvements, stolen or compromised credentials are still one of the most reliable entry points for attackers.

"Research consistently shows that roughly 87% of breaches involve some sort of credential theft or compromise," Arvanites said.

The modern enterprise uses hundreds of applications, many of which fall outside traditional IT management. At the same time, employee behavior often undermines security policies through password reuse across personal and corporate accounts. Many employees knowingly bypass security rules to complete their work more efficiently.

The combination of valuable credentials, sprawling applications, and human shortcuts creates what Arvanites called a "perfect storm" for attackers. Why deploy complex malware to break in when you can use stolen credentials or hijacked session tokens to log into enterprise systems?

Passwordless authentication is often presented as the ultimate solution to this problem, but Arvanites and Sanabria agreed that most organizations can't eliminate passwords overnight.

Legacy applications remain a major obstacle, as many older systems require traditional username-and-password authentication. Many SaaS platforms and regulatory frameworks also assume password-based authentication.

"The vision of a fully passwordless enterprise is compelling," Arvanites explained, "but it doesn't happen overnight."
The reality is that for years to come, organizations will have to use hybrid implementations in which passwords, passkeys, and multifactor authentication (MFA) all coexist.

This places renewed importance on how passwords are managed within the enterprise. Too many companies rely on consumer password managers, but those are designed for personal accounts with a single authorized user, and security teams will lack visibility into how credentials are stored and shared across the organization.

Enterprise-grade workforce password management platforms, by contrast, provide centralized oversight, policy enforcement, and audit capabilities. They let administrators enforce password complexity standards, monitor access activity, and integrate with identity providers like Active Directory or Okta.

Then there are threats that go beyond traditional password theft, such as session hijacking, in which attackers steal temporary authentication tokens from web browsers after a user successfully logs in. With stolen session cookies or OAuth tokens, attackers can bypass multifactor authentication entirely and impersonate legitimate users.

To address these risks, organizations must extend identity security beyond the login page, Arvanites said. Continuous session monitoring, identity-threat detection, and secure enterprise browsers are critical tools for defense against post-authentication attacks.

Arvanites stressed that credential management must be part of a broader identity security strategy. Strong authentication, session protection, and behavioral monitoring all play complementary roles in defending enterprise environments.

He also offered practical guidance for deploying workforce password management solutions.
Successful implementations typically follow a phased approach: establishing modern password policies, deploying tools with minimal user friction, migrating credentials from insecure storage locations, and continuously hardening the environment with monitoring and security reviews.

User adoption, however, remains a critical factor. Password management tools must improve productivity as well as security to gain acceptance among employees. As Arvanites noted, if security tools create too much friction, employees will find ways around them.

"The password-management side," he said, "is one component of a larger identity-security strategy."

Organizations that treat credential protection as part of a unified identity platform, rather than a standalone tool, will be better positioned to defend against increasingly credential-focused cyberattacks.

Passwordless authentication remains the long-term goal, but the discussion made clear that the path forward involves strengthening password security today while building the infrastructure needed for the identity systems of tomorrow.

Workforce identity security: Why you need enterprise password management




