Moving to Passwordless Authentication
Part 1: The Drivers and Strategy
A recent Axiad/ESG survey found that 82% of respondents indicate that moving to passwordless authentication is a top-5 priority. This shows organizations understand how critical passwordless authentication is today, but many are getting hung up on how to get there. To help organizations plan and execute their journey to passwordless, Axiad has provided a Guide to Passwordless Authentication to answer the big questions around moving to this more secure paradigm.
The following is the first installment of a two-part blog series that touches on the key elements from the guide. In this installment, we discuss why organizations are moving to passwordless authentication and how to make the initiative more manageable. The second installment will address some of the challenges companies experience along the way – primary among these being credential management.
The Drivers Behind Passwordless Authentication
The world has changed from an office-centric environment to a hybrid one, where the workforce may be at home, in a coffee shop, or at any other remote location. This has put a great deal of stress on IT departments. It was hard enough to secure an organization when most people were in the office all the time; it is monumentally more difficult to provide acceptable levels of security when most people are scattered across various locations.
Chief among the elements keeping security pros awake at night is passwords, for the following reasons:
- They are costly – The average large U.S. organization spends more than $1 million annually supporting passwords, according to Forrester. Password issues have a two-faceted cost impact: Employees have to take time out of their workday to call IT help desks to reset or manage their passwords, and IT help desks have to spend time managing all these requests.
- They are complex – Employees often have almost 200 passwords to log into different applications and systems. With so many to remember, employees often try to simplify things by using repeat passwords across accounts – which can open them and their employers to greater security risk.
- They are easily compromised – According to the Axiad/ESG survey, 59% of respondents are confident that compromised accounts or credentials have led to a successful cyber-attack over the last 12 months. Weak passwords play a big part in the vulnerability of credentials, as they can be phished, intercepted in transit, or recovered via a variety of attacks.
Add it all up and one thing is clear: passwords need to be retired. This is why Gartner says that, by 2025, 50% of the workforce and 20% of customer authentication transactions will be passwordless.
Doing away with passwords is a priority as organizations seek to make themselves more secure against modern threats and to reduce costs. (We actually like to talk about “no password passwordless” because several passwordless offerings today merely hide the password in the user interface but still send it – or a shared secret – over the network, leaving users just as exposed to interception and replay.)
Moving to Passwordless Authentication
Moving to passwordless authentication can be a “win-win” for both organizations and their employees. For organizations, it makes them more secure, by eliminating the inherent security flaws of passwords and implementing stronger multi-factor authentication (MFA) methods. This can greatly reduce concerns about weak password use habits and phishing attacks. It also allows IT help desk teams to be more efficient because they no longer have to spend hours resetting passwords and recovering accounts. This is time that they can devote to initiatives that will move the business forward.
For employees, passwordless authentication delivers a superior experience, because they no longer need to remember passwords for every application or device they use. They also enjoy fewer delays with streamlined authentication – no more password-related calls to the IT help desk.
It’s a Journey, Not a Race
However, the first thing to understand about passwordless authentication is that it is a journey, not a single action. This is especially important when you consider that organizations need to take a holistic view of authentication, so they ultimately include every person, machine, asset and interaction. While cloud and on-premises software systems are critical, machines are also particularly important, since they outnumber people three-to-one. These machines not only include devices used by employees (such as laptops and mobile phones), but also the machines that the employer uses.
Creating an organization that relies on passwordless authentication can seem overwhelming, but it doesn’t have to be that way. The key to making it manageable is taking incremental steps along the journey. The typical organization will prioritize and start the process toward passwordless authentication with privileged users. From there, it will work its way down the line to include non-privileged users, mobile, and other devices, and so on, until the entire organization is passwordless.
No One-Size-Fits-All Strategy
The other thing to understand about going passwordless is that it is not a “one-size-fits-all” strategy – different use cases require different modes of authentication. Unlike consumer passkey applications, different users in an organization will require different privileges and means of authentication.
Organization-wide passwordless includes two categories of authentication factors:
- Possession factors – Something each user has (certificates, hardware tokens, etc.)
- Inherence factors – Something each user is, proving they are who they say they are (fingerprints, facial scans and other biometrics)
The typical organization will need a range of solutions that include these two factors to implement passwordless authentication. This might include strong authenticators such as USB keys (e.g., YubiKeys) and smart cards, and strong mobile authenticators and credentials, such as certificate-based authentication (CBA) and Windows Hello for Business.
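As an added example (not Axiad's code or from the guide), here is the possession-factor exchange behind the hardware-token and certificate-based options listed above, in the form the drivers section calls “no password passwordless”: the device signs a per-login nonce and the server verifies it against a stored public key, so no password or shared secret ever crosses the network. The type and function names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device (hardware token, smart card, TPM-backed key).
type Authenticator struct{ priv *ecdsa.PrivateKey }

// NewAuthenticator enrolls a device. The server stores only the returned public
// key, so a stolen database yields nothing an attacker can log in with.
func NewAuthenticator() (*Authenticator, *ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: k}, &k.PublicKey, nil
}

// NewChallenge issues a fresh random nonce per login attempt, so a captured
// response cannot be replayed against a later attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign proves possession by signing the server's nonce; only the signature crosses the network.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify checks the signature against the enrolled public key and the exact nonce issued.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	auth, pub, _ := NewAuthenticator()
	c, _ := NewChallenge()
	sig, _ := auth.Sign(c)
	fmt.Println("login accepted:", Verify(pub, c, sig))
}
```

A captured signature is useless to an eavesdropper because it is bound to a nonce the server will never issue again, which is exactly what a masked-but-transmitted password cannot offer.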
In the end, there are three primary reasons why organizations want to move to passwordless authentication: superior security, a better end-user experience and reduced support costs. These are why Gartner and others predict the wholesale movement of organizations to passwordless authentication. As we mentioned earlier, more information is available in our Guide to Passwordless Authentication. In the next blog, we’ll look at common challenges in the journey to becoming a passwordless organization and best practices to overcome them.