Editor’s Note: This is the third and final post in the Passwordless Authentication Series , which shares insights from our journey on enforcing FIDO2 authentication via hardware authenticators (YubiKeys) across all of Palantir. The first post focuses on hardware selection and logistics ; the second post covers technical controls, rollout, and edge cases . While Palantir has enforced mandatory strong multi-factor authentication for well over a decade, hardware-backed authentication using FIDO2 represents the strongest form of modern authentication available. New Hire Onboarding One of the first issues that organizations face after moving to passwordless authentication is creating a seamless new hire experience. Regardless of which identity provider your organization chooses, you’ll need one that enables new users to enroll quickly and begin using their FIDO2 device for authentication without having to rely on a traditional password. You’ll find that this quickly leads to a classic “chicken and egg” problem, where a new user requires a registered FIDO2 authenticator in order to add a new FIDO2 authenticator to their account. There’s a lot of variance in how different identity providers handle this problem. For instance, Okta addresses this by providing admins with a console they can log into and manually add a...
Subscribe to Darntons Premium to access this exclusive content.
Unlock with Patreon