Getting Started Designing Passwordless and Zero Trust
Picture a rumpled yet dapper man walking the streets of 1970s Silicon Valley carrying a heavy briefcase. The man is Bill Moggridge. The briefcase holds computer components: circuit boards, hard drive, floppy drive, a power supply. The question on Moggridge’s mind is could a computer be portable. While he works the question, he carries the briefcase. Feeling the weight. Opening and inspecting the parts. Closing and thinking some more. You are picturing the essence of innovation.
I think about Moggridge and his briefcase often when planning out a strategy for an emerging category. There are a few lessons we can take. First, be specific about the use cases we’re trying to solve. Second, start where we are with what we have, even if it means putting the parts in a briefcase and carrying them for a bit. Finally, learn from the experiences to rapidly iterate and improve the implementation.
The place many of us get held up is where to begin. It’s not feasible to move everything into a zero-trust architecture. And passwordless, arguably the first step in establishing strong user identity in order to provide zero-trust for the workforce, doesn’t yet support all applications and workloads. That’s why selecting specific use cases is key to being successful. A good use case is one where the design simplifies the user experience, reduces security and compliance risk, is in an area that matters to the business, and has applications which work with passwordless authentication and fit within a zero-trust architecture. In other words, begin with the briefcase.
In 1982, the GRID Compass hit the stores. Moggridge had figured it out. All those times opening and closing the briefcase led to an inspiration which continues in all modern laptops to this day. The computer opened up to show the display and keyboard. What began as a collection of parts, evolved into a sleek design, and set the standard for the next four decades. In much the same way, the components we have today -- SAML, WebAuthn, MDM, NAC -- will be brought together in a unified design. We get there by carrying them, implementing what works, keeping an eye towards iterating and simplifying. The first step is to start.