Strengthening Corporate-wide Authentication at Adobe | by Renae Kang | Aug, 2024

Over the past decade, phishing attacks have become one of the biggest threats to the security of global organizations. The Anti-Phishing Working Group (APWG) reported more than 4.9 million phishing attacks in 2023 alone. As the number of attacks increase and evolve in complexity, organizations need to adopt stronger authentication methods that offer greater resistance against these threats.

This is precisely what Adobe did when we embarked upon a campaign that resulted in our global workforce of 30,000 employees adopting a more secure, phishing-resistant means of authentication.

Establishing Trusted Users and Devices

Early last year, Adobe Security launched an initiative to identify trusted users and devices across the company. First, we needed to determine what we meant by “trusted,” which resulted in the following definitions:

• Trusted User — A verified user with one or more Adobe-managed devices who employs a phishing-resistant authenticator, such as operating system biometrics (e.g., Windows Hello for Business, TouchID, and FaceID) or hardware security keys supporting FIDO2/WebAuthN.
• Trusted Device — A managed device that is enrolled in Adobe’s unified endpoint management (UEM) tool and complies with the company’s Secure Device Standard to meet specific posture signals — such as minimum operating system version — with disk encryption enabled and the endpoint detection and response (EDR) agent installed.

We began by focusing on our full-time employees and interns with Adobe-provided and -managed Windows or Mac laptop and desktop devices enrolled in Adobe’s UEM tool and had EDR installed. With seamless access and visibility into user and device data, we could make the initiative successful.

Standardizing on Phishing-Resistant Authentication

Our corporate identity provider formed the foundation of our phishing-resistant strong authentication program. Together, the multi-factor authentication (MFA) desktop client and phishing-resistant authentication provider help us verify and enforce trusted user requirements. The MFA desktop client provides visibility into device posture compliance, and user enrollment in the authentication provider helps ensure the use of strong, phishing-resistant authenticators, personal verification methods or FIDO2 hardware tokens.

However, we had to overcome an obstacle to fuel user enrollment and adoption. As is oftentimes the case with the rollout of technological improvements, we needed to engage and incentivize our employees to rally behind a new initiative toward stronger authentication. By clearly communicating the benefits of enrolling in a new service, we were able to help our employees prioritize taking action to play their part in Adobe’s goal to adopt all Adobe users before the end of the year.

The Great Auth Race

To rally the entire company toward stronger authentication, we launched the Adobe “Great Auth Race” contest to creatively educate Adobe’s global workforce during the authentication journey. Our security team aimed to promote engagement during the race by encouraging employees to quickly adopt our phishing-resistant authentication provider and educate themselves and others about the importance of the initiative.

Throughout the campaign, we fostered friendly competition among global sites and organizations using leaderboards to track adoption rates. As an added incentive, we offered fun prizes through random drawings for early adopters.

To further support the initiative, we created educational infographics that highlighted the importance of preventing phishing and communicated the benefits of adopting a phishing-resistant authentication provider. Maintaining an open line of communication was also a key aspect of this campaign, as we invited employees to provide feedback and share concerns to help continuously improve their enrollment experiences.

As a result of the Great Auth Race campaign, we achieved remarkable success within six months, with a 99 percent enrollment in the new phishing-resistant authentication method. This not only created a more secure environment at Adobe but also improved the overall user experience for our employees by providing a more seamless and efficient authentication process with a passwordless setup in place.

Keeping Up with Authentication

The successes of Adobe Security’s strong authentication initiative and deployment of the Great Auth Race has marked a significant milestone in Adobe Security’s ongoing efforts to keep data secure. As Adobe Security continues to enhance our security infrastructure, we remain dedicated to protecting our digital assets and ensuring a secure working environment for Adobe workers.

The need to achieve and maintain strong authentication processes is an ongoing evolution. As long as phishing attacks continue to grow more ubiquitous and sophisticated, Adobe’s efforts to secure our systems against them must also grow and expand to match them.