Passwordless authentication is any method of verifying a user without requiring the user to provide a password.
Proving the user’s identity can instead be done with an alternative factor: a possession factor (mobile authenticator apps, hardware tokens, one-time passwords (OTP)), biometrics, or, in less than ideal cases, a knowledge factor (PIN, passphrase, etc.).
You are probably already familiar with some forms of passwordless authentication from everyday use: logging into an app with Face ID on iOS, fingerprint authentication on Android, or signing in to your laptop with Windows Hello.
Passwords are no longer enough
Enterprise IT worldwide is entering a new era in which passwords are considered a relic of the past. The costs of passwords now outweigh their benefits: they are increasingly predictable, they leave users exposed to credential theft, and even the strongest password is easily phished. The reasons to eliminate password-based authentication are compelling and all too familiar to every enterprise IT organisation.
For enterprise IT departments, nothing costs more than password support and maintenance. It is common practice for IT to reduce password risk by enforcing stronger password complexity and more frequent password changes. However, these tactics drive up help desk costs while producing a poor user experience around password resets. Most importantly, this approach is not enough against current cybersecurity threats and does not meet organisational information security needs.
You can reduce your odds of being compromised by up to 99.9% by implementing multi-factor authentication (MFA).
Source: Microsoft 2018 Security Research
Why eliminate passwords?
Password authentication has been a persistent challenge throughout the evolution of enterprise security. A password is supposed to be both the key that grants access to an account and the barrier that keeps attackers out of it. To tell the account owner apart from an attacker, organisations have had to move beyond passwords alone.
Multi-factor authentication (MFA), for instance a PIN plus a password, or biometrics, has given organisations a more secure method. With increasingly complex access environments and more access points than ever before, IT teams have every reason to add MFA options such as smart cards, hard and soft tokens, SMS, and more, wherever users connect to resources. Adding authentication steps beyond the password makes user access to your resources more secure.
However, depending on the implementation, MFA can also lead to increasing complexity regarding the user experience. It’s imperative for IT teams to deliver a seamless user experience while balancing security risk.
Adopting a password-less strategy
At its core, the underlying principle of password-less authentication is to eradicate the use of passwords and thereby drain their value for attackers. Moving forward with this approach requires technologies that can support it—and time for organisations and users to adopt these technologies. Adoption also involves a new mindset. Organisations have to understand how their approach works with their flow of operations and make the necessary technical and cultural shift to operate in this new password-less world.
Here are the key considerations for implementing password-less authentication into your MFA strategy:
1. Choosing the right technology –
Develop password-replacement offerings with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes. This early stage is about implementing an alternative and getting users acquainted with it.
2. Understanding how it works –
Get to know how password-less technologies overcome security challenges and reduce the password surface area visible to users. Adopting these technologies means upgrading the experiences around the life-cycle of a user’s identity, including provisioning an account, setting up a brand-new device, using the account or device to access apps and websites, and performing recovery. It also means deconditioning users from entering a password whenever a password prompt appears on their computer.
3. Increasing user adoption –
Simulate a password-less world—that is, enable end-users and IT admins to replicate the approach in a test environment and transition into a password-less world with confidence. This simulation should encourage a cultural shift within the organisation—getting users comfortable with the idea of never typing, changing, or even knowing a password in the future.