Passwordless authentication offers the promise of both usability and defensibility. The password has frustrated people for close to 60 years. Dropping this string of text reduces support calls and security incidents, yet our reliance on passwords is difficult to shake.
To continue assisting enterprises and CISOs with the transition, we share a phased approach to providing secure access for the workforce in this article. We have an opportunity to increase trust in authentication and strengthen our security while reducing user friction.
Passwordless has a unique business case; let’s look at how to execute it.
Identify Use Cases and Enable Strong Authentication
At its most basic, passwordless replaces something a person knows (the password) with a stronger factor the person has, such as a security key or an enrolled device, often unlocked by something the person is, such as a biometric. The security benefits of passwordless begin here.
Multi-factor authentication (MFA) has long been used to reduce the risk of guessed, brute-forced or stolen credentials. However, the impact on usability and productivity is an often-raised concern about MFA. CISOs must ensure the solutions we introduce are easy to use, easy to manage, and able to support various factors and the pesky edge cases found in every enterprise. Ultimately, there is no way to remove passwords as an authentication factor without introducing stronger factors. The sooner we deploy MFA, the sooner we tackle any challenges, and the better the resulting user experience.
The basic passwordless definition quickly breaks down when we get into the specifics. What about various devices? How about the legacy applications? The apps we’re building? The apps we’re using as a service?
The journey to passwordless begins with identifying the use cases, selecting specific high-value scenarios, and taking a pragmatic and iterative approach.
Streamline and Consolidate Authentication Workflows
Accelerating the adoption of passwordless requires a reduction of friction.
People demand passwordless from corporate IT because the current state is painful. The typical enterprise has thousands of apps and services, meaning the typical employee has hundreds of passwords. This is the starting point for the usability benefits of passwordless. The current state offers many opportunities to consolidate and improve the user experience.
We should centralize the apps and services into a small set of authentication workflows and move towards single sign-on (SSO). The workforce will see benefits early in the journey if SSO is prioritized. Fewer passwords means less pain.
SSO also provides a transition protocol. SAML has roughly a 15-year head start on the protocols enabling passwordless, such as FIDO2. Most services today support modern authentication and SSO; it may take several years for passwordless to reach the same level of adoption. A move to SSO first therefore lets us give the workforce a good user experience now, without waiting for the market to catch up.
Increase Trust in Authentication
Adopting passwordless requires trust in authentication. The number one concern raised in conversations around passwordless is this: what happens when this new factor is compromised?
The answer lies in the next set of security benefits from passwordless: pair strong user authentication with device authentication. By configuring workflows with rules, correlation, and policies, at-risk authentications can be identified and blocked, such as sign-ins from unknown or suspicious devices.
More mature approaches add user behavior analytics. Consider a criminal who clones or spoofs a person's biometric. With device authentication, the adversary also needs to compromise the person's phone or computer without being detected; with a platform authenticator the biometric only unlocks a key that never leaves the device, so the spoofed biometric is worthless on its own. With behavior analytics, the criminal also needs to open the apps the person normally uses, during the person's typical work hours, again undetected. Each layer increases the complexity of an attack and the organization's likelihood of recognizing and responding before the attempt succeeds.
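One way to turn these rules into an enforcement decision, as an added example that is not the article's code or any vendor's policy engine: a small risk-based evaluator in Python that scores a sign-in attempt on factor strength, device attestation, device familiarity and a simple behavior baseline, then allows, steps up or denies. The event fields, weights and thresholds are assumptions for illustration, and the sample attempts are constructed; a real deployment would feed the same decision from the identity provider, device management and analytics tooling.

```python
"""Risk-based authentication decisions: pair the user factor with device trust
and a behavior baseline.

Added example, not the article's code. The event schema, scoring weights and
thresholds are hypothetical; in production the device inventory, attestation
result and behavior baseline come from the IdP, MDM and analytics tooling
rather than from the constructed records below.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Factors this hypothetical policy treats as strong: phishing-resistant or
# bound to a hardware-protected key on an enrolled device.
STRONG_FACTORS = {"fido2", "platform_biometric"}


@dataclass(frozen=True)
class AuthAttempt:
    user: str
    factor: str            # "fido2", "platform_biometric", "password", ...
    device_id: str
    device_attested: bool  # device proved its own identity (e.g. MDM certificate)
    app: str
    ts: datetime


@dataclass
class UserBaseline:
    known_devices: set
    usual_apps: set
    work_hours: tuple = (7, 19)  # [start, end) in the user's local hour


def evaluate(attempt: AuthAttempt, baseline: UserBaseline):
    """Score the attempt and return (decision, reasons).

    decision is "allow", "step_up" (require an additional verified factor or
    device enrollment) or "deny". Weights are illustrative.
    """
    score = 0
    reasons = []

    if attempt.factor not in STRONG_FACTORS:
        score += 3
        reasons.append(f"weak factor: {attempt.factor}")

    # Device authentication: an unattested device is a strong signal on its
    # own, because a cloned biometric or phished code is useless without a
    # device the organization recognizes.
    if not attempt.device_attested:
        score += 3
        reasons.append("device not attested")
    if attempt.device_id not in baseline.known_devices:
        score += 2
        reasons.append(f"new device: {attempt.device_id}")

    # Behavior baseline: an unusual app or hour adds friction, not a block.
    if attempt.app not in baseline.usual_apps:
        score += 1
        reasons.append(f"unusual app: {attempt.app}")
    start, end = baseline.work_hours
    if not (start <= attempt.ts.hour < end):
        score += 1
        reasons.append(f"outside work hours: {attempt.ts.hour:02d}:00")

    if score >= 4:
        return "deny", reasons
    if score >= 2:
        return "step_up", reasons
    return "allow", reasons


def enroll_device(baseline: UserBaseline, device_id: str) -> None:
    """Run after a successful step-up so the next sign-in from this device is frictionless."""
    baseline.known_devices.add(device_id)


# Constructed sample data for one user; not real telemetry.
ALICE = UserBaseline(known_devices={"laptop-01"}, usual_apps={"mail", "wiki"})

SCENARIOS = {
    # Known attested laptop, strong factor, usual app, working hours.
    "normal_day": AuthAttempt("alice", "fido2", "laptop-01", True, "mail",
                              datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)),
    # New but enrolled phone: ask for a step-up once, then enroll it.
    "new_phone": AuthAttempt("alice", "platform_biometric", "phone-07", True, "mail",
                             datetime(2024, 3, 4, 10, 5, tzinfo=timezone.utc)),
    # Spoofed biometric replayed from an unknown, unattested device at 02:00
    # against an app the user never opens.
    "spoofed_biometric": AuthAttempt("alice", "platform_biometric", "unknown-9f", False,
                                     "hr-payroll", datetime(2024, 3, 5, 2, 0, tzinfo=timezone.utc)),
    # Legacy app still on passwords: allowed only with an additional factor.
    "legacy_password": AuthAttempt("alice", "password", "laptop-01", True, "wiki",
                                   datetime(2024, 3, 4, 11, 0, tzinfo=timezone.utc)),
}


def run_scenarios(baseline: UserBaseline = ALICE) -> dict:
    """Evaluate every constructed scenario and return {name: decision}."""
    return {name: evaluate(a, baseline)[0] for name, a in SCENARIOS.items()}


if __name__ == "__main__":
    for name, attempt in SCENARIOS.items():
        decision, why = evaluate(attempt, ALICE)
        print(f"{name:18} -> {decision:8} {'; '.join(why)}")
```

The design point is that no single signal blocks a legitimate user: a new but attested phone only triggers a one-time step-up, after which `enroll_device` makes it known, while the spoofed-biometric scenario is denied because the attacker fails the device check and the behavior baseline at the same time. The weights should be tuned against your own telemetry before enforcement.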
Increasing trust in authentication creates barriers for criminals. It reduces risk and lets us rely on factors other than passwords.
This cannot be only a technological solution. It includes the human connection, which forms trust. Done right, the technical controls remain invisible to the workforce unless there is cause for concern.
Provide a Passwordless Experience
Making systems easier to use and aligning them with human behavior is crucial. Passwordless offloads the security burden for users, making it easier for them to log in while enhancing the system’s overall security.
Reaching this point will be incremental. Our environments are complex. For every application supporting a passwordless protocol, there’s another on a legacy stack that can’t be migrated. Our workforce is diverse. For some, a biometric on a phone app is a welcome change. Other people may raise privacy or technology concerns. It’s normal for passwordless roadmaps to have a three-to-five-year time horizon, prioritizing the straightforward use cases, starting slow and accelerating as the team builds confidence.
Passwordless gives CISOs a rare opportunity to remove a requirement from users while taking a significant leap forward in security. The first step is strong, non-password factors. We then need to inventory, consolidate, and streamline authentication, providing early wins for users and telemetry for IT. Finally, we need to instrument the authentication process to evaluate context and conditions and make enforcement decisions.
This approach not only accelerates the adoption of passwordless but also delivers security and usability benefits at every phase along the way.