Passwords are as out of style as skinny jeans are with Gen Z at this Cerritos, California-headquartered cloud-hosted SaaS company.
For the past year, vendors and employees at AuditBoard have been seeing traditional static passwords less and less as the company inches closer to being 100% passwordless.
AuditBoard CISO Richard Marcus told IT Brew that the move to the Holy Grail cybersecurity status was spurred after observing an increase in the number of third-party breaches that were occurring in AuditBoard’s vendor ecosystem. A 2024 study by Prevalent found that 61% of companies experienced a security incident related to the use of a third party in 2024, up from 41% in 2023.
“It’s just a wake-up call for us that as our world becomes more interconnected and we become more reliant on third parties, we just have to be really thoughtful about the sensitivity of the information we share with them and passwords are certainly in that category,” he said.
He added that the audit, compliance, and risk management software company also undertook the ongoing transition after seeing a 400% year-over-year increase in social-engineering attack attempts against its employees between 2023 and 2024.
“If you don’t have a password, you’re not susceptible to those attacks,” Marcus said.
The great authentication metamorphosis. The quest to passwordless at AuditBoard began at the start of 2024 with a focus on its vendors. Marcus told IT Brew that the company focused on moving those relationships to more dynamic authorization methods such as single sign-on, open authorization, and OpenID Connect. AuditBoard also upped their evaluation process for vendors they would like to work with to ensure that the third-party companies were on the same page with their conversion.
“We’ve disqualified vendors that maybe functionally were better solutions, but we’ve disqualified them on the basis of inadequate security for the use case that we’re offering if all that they support is a static authenticator,” Marcus said.
It didn’t take long for AuditBoard to make the push to passwordless internally. To do so, the company—which previously relied on certificate-based authentication built with public key infrastructure that it set up and managed—leaned more on Microsoft’s solutions such as Entra ID, which it has integrated with Windows Hello for users at the organization who have a Windows laptop. AuditBoard is currently working with its unified endpoint management solution provider to enable similar syncing features for Mac users.
“We think in a quarter or two, we’ll be able to do the same exact thing on the Mac side because our endpoint management provider understands this is the future,” he said.
No regrets. Today, 90% of AuditBoard’s vendors have been switched over to passwordless, while 50% of AuditBoard’s internal Windows and Mac users respectively have made the jump. Marcus told IT Brew that he anticipates the company will be fully passwordless by the middle of the year.
While there is still a small portion of the process left, the impact of the transition has already been felt. Marcus told IT Brew the most “compelling argument” to make the switch has been the convenience boost for end users.
“With passkeys, we’re never going to ask you to rotate them,” Marcus said. “You’re not going to get that annoying message every 90 days that says, ‘Come up with a new password.’”
Marcus added that another benefit has been becoming more “resilient” against social engineering and supply-chain security incidents.
“That’s the biggest benefit I think for me is we’ve just shrunk the threat surface down,” Marcus said. “We just got rid of the thing that the attackers are after.”