Passwordless authentication: making the vision a reality
The concept of passwordless authentication has been getting a lot of hype, and for good reason. The human element accounts for most data breaches: 82% involve stolen credentials, phishing, misuse, or simple error.
The idea that users wouldn’t need to create and remember complex passwords, store them in a password vault, or regularly change them sounds very appealing. How many times has your IT ops team needed to reset passwords because users forgot them? Or, help users change passwords because they have gotten locked out?
Infosec leaders know that the more obstacles you place in front of users in the name of security, the less likely they are to comply. So, the more seamless you can make a user’s log-in and authentication experience, the more likely they are to use the secure processes you’ve put in place, rather than find ways to skirt them.
According to Forrester Research, more enterprises are adopting passwordless authentication. A recent poll found that roughly half are experimenting with passwordless experiences. Most are doing pilots, proof of concept programs, and small deployments with specific user groups. Moving forward, we expect to see further adoption as companies continue to perfect their strategies and embed passwordless experiences into more use cases across the enterprise.
A passwordless future is upon us, but there is more to going passwordless than meets the eye. The user's experience may appear passwordless, yet so-called passwordless solutions still rely on secrets behind the scenes. That means that without the proper security controls and protections, your enterprise authentication is still at risk from cybercriminals.
Put another way, reports of the password's death have been greatly exaggerated.
Keep reading to learn more about how passwordless authentication works, how this approach reduces risk, and important considerations for enterprises to create a secure passwordless future.
What is passwordless authentication?
Consider the traditional log-in process. A user presents an identifier (typically a username) and a verifier (a password, passphrase, PIN, credential, key, certificate, or another type of secret). The identifier is only a claim about who the user is: it tells the system which account is being requested and which verifier to check. The verifier is what proves that claim, and only once it has been proven do the account's access permissions apply.
With passwordless authentication, a secret is still used to prove the user's identity and unlock the permissions and access level tied to it; it is just handled behind the scenes rather than typed. Secrets can be long-lived or short-lived, depending on your level of risk and security goals.
You can create passwordless experiences for users logging into cloud, on-premises, hybrid, and legacy applications, databases, servers, and other types of enterprise systems.
There are numerous ways to enable passwordless experiences to make identification and verification easier. For example, rather than require a username to be typed, you could allow users to submit a biometric sample, such as a fingerprint, or use facial recognition.
With Multi-Factor Authentication, you can add another layer of identity assurance and confirm users are who they say they are by requiring a second factor: something they know or something they have. For example, you could send a one-time code to their mobile phone and require the user to enter it. Bear in mind that codes delivered over SMS or email can be intercepted or phished, so they are a weaker factor than a key bound to the user's device.
It's important to keep in mind that biometrics in this case do not replace passwords, because they are not secrets: a fingerprint or face cannot be kept confidential and cannot be reissued if it is copied. Rather, they replace or enhance the username or identity portion of authentication, and they are harder to forge than a typed identifier. Separately, verification and access control still happen through the exchange of a secret.
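To make the identifier/verifier split concrete, here is an added example in Python; it is not code from this page or from Delinea, and the names `RelyingParty`, `Device` and `login` are assumptions for illustration. A key is generated on the device at enrollment, a simulated biometric match unlocks it locally, and the server issues a random one-time challenge that the device answers with an HMAC. The user types nothing, yet a secret is still doing the verification. The symmetric HMAC is a simplification: FIDO2/WebAuthn uses an asymmetric key pair so the server holds only a public key, but the page's point holds either way, since a secret still has to be generated, stored and protected.

```python
import hashlib
import hmac
import secrets


class RelyingParty:
    """Server side (hypothetical name). Holds one device secret per identifier
    and issues one-time challenges; the user never sees or types the secret."""

    def __init__(self):
        self._device_keys = {}   # identifier -> device key (a public key under FIDO2)
        self._pending = {}       # outstanding challenge -> identifier

    def enroll(self, identifier, device_key):
        self._device_keys[identifier] = device_key

    def issue_challenge(self, identifier):
        if identifier not in self._device_keys:
            raise KeyError("unknown identifier")
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = identifier
        return challenge

    def verify(self, identifier, challenge, proof):
        # pop() makes each challenge single use: a captured proof cannot be replayed.
        if self._pending.pop(challenge, None) != identifier:
            return False
        expected = hmac.new(self._device_keys[identifier], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class Device:
    """Client side (hypothetical name). The secret is created on the device at
    enrollment and released only after a local biometric match; the biometric
    stands in for the username step, not for the secret."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self._unlocked = False

    def present_biometric(self, matched):
        self._unlocked = matched   # stand-in for the sensor's match decision

    def prove(self, challenge):
        if not self._unlocked:
            raise PermissionError("biometric did not match; key stays sealed")
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def login(rp, device, identifier, biometric_matched=True):
    """One passwordless login round trip; returns True on success."""
    device.present_biometric(biometric_matched)
    challenge = rp.issue_challenge(identifier)
    try:
        proof = device.prove(challenge)
    except PermissionError:
        proof = b""   # no proof available; the verify call still retires the challenge
    return rp.verify(identifier, challenge, proof)


if __name__ == "__main__":
    rp, device = RelyingParty(), Device()
    rp.enroll("alice", device.key)
    print("biometric ok:", login(rp, device, "alice"))
    print("biometric failed:", login(rp, device, "alice", biometric_matched=False))
```

A failed biometric match never reaches the server as a guessable credential; it simply leaves the key sealed, so there is nothing to brute force remotely. The `pop()` in `verify` is what defeats replay: once a challenge has been consumed, a proof captured on the wire is worthless.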
Security benefits of passwordless authentication
Passwordless authentication protects your critical enterprise systems in several ways.
Passwordless authentication mitigates risky user behavior
There's no need for users to write passwords down or store them in insecure places like sticky notes, Excel spreadsheets, or email folders. These common practices have proven time and again to open the door to cyber attacks on the enterprise. In the enterprise, passwordless practices also avoid the need for people to keep work passwords in consumer-grade password managers. While consumer password vaults are helpful for personal use, they don't meet the consistency, monitoring, and reporting requirements of the enterprise, and they put the onus of password maintenance on users (who are busy and have other priorities) rather than on IT security experts.
Passwordless authentication offers greater protection from password theft
People often take the path of least resistance and create passwords that are easy to remember and type. As such, many passwords are easy to crack, and many more are already readily available for purchase on the dark web.
Cybercriminals have an abundance of tools for brute force, pass-the-hash (PtH), and other attacks that center on stealing and reusing credentials, whether the password itself or the hash derived from it. For these reasons, relying on passwords alone isn't sufficient for protecting sensitive accounts.
Passwordless authentication makes it harder for bad actors to penetrate your cyber defenses. Simply put, it reduces the risk that cybercriminals will steal and reuse passwords and other privileged credentials.
Passwordless authentication eliminates password sharing
Password sharing is a way for users to avoid paying more for services—making it a major source of revenue loss for subscription service providers. It’s also an easy way for IT teams with a shared responsibility to maintain access to systems when someone is out of the office or on vacation.
However, password sharing is a big security risk because it allows multiple users access to critical systems and makes it impossible to know which user conducted which activity. Compliance reporting, auditing, and post-event forensics are virtually impossible.
Passwordless authentication eliminates the opportunity for password sharing. If users never even see their passwords, they can't share them with others, and every action can be tied back to the individual who actually authenticated.
Passwordless authentication boosts productivity
Besides improving security, passwordless experiences also offer some enticing productivity benefits, which we’ll look at next.
Ensuring speedy logins
Passwords are difficult to remember and often act as barriers at log-in. They drag on productivity and contribute to IT help desk overload, a real burden for IT departments dealing with staffing shortages.
Passwordless experiences expedite the login process and help companies avoid account lockouts and password resets.
Improving user experience
Most people are experiencing application overload and are constantly moving between personal and work applications and websites. They want to log into services quickly and gain secure access with minimal effort.
Passwordless experiences directly improve user experience by streamlining authentication while enhancing security. This results in happier users and fewer complaints.
User experience is also a big competitive differentiator for companies that create software applications and want to improve the employee experience.
To learn more about boosting user productivity while maintaining security, read our Cybersecurity Team’s Guide: Balancing Risk, Security and Productivity
Keys to successful passwordless experiences
Before rushing in, it’s important to remember that passwordless authentication still comes with a few risks and challenges. Here are a few things to keep in mind before starting on your journey to becoming a passwordless organization.
Vulnerable systems need oversight and layers of defense
Even with passwordless authentication in place, critical enterprise systems are still at risk from unauthorized users and cyber attack. Magic links, one-time PINs, and email notifications can be intercepted, phished, or replayed and used to gain access unless they expire quickly, work only once, and are bound to the account they were issued for.
It's a good idea to integrate passwordless authentication with a comprehensive privilege management strategy for enhanced visibility, security, and control. This way, you can centralize access management, limit drift in who holds which access, and reduce credential exposure.
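As an added example, not the page's or Delinea's code, the following Python class (hypothetically named `OneTimeCodeStore`) shows the server-side controls that blunt interception of magic links and PINs: it stores only a hash of each code, binds the code to the identifier it was issued for, expires it, consumes it on first successful use, and gives a short PIN a small guess budget before voiding it. The clock is injectable so the expiry path can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeCodeStore:
    """Issues emailed magic-link tokens or short PINs and redeems each one once.

    Only a SHA-256 digest of the code is kept, so a leaked table does not hand
    out live logins. A code is bound to the identifier it was issued for,
    expires after `ttl` seconds, is consumed on first successful use, and a
    PIN is voided after `max_attempts` wrong guesses.
    """

    def __init__(self, ttl=600, max_attempts=5, clock=time.time):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.clock = clock            # injectable for testing expiry
        self._records = {}            # identifier -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, identifier, pin=False):
        # Issuing again replaces the previous code: only the newest is valid.
        code = f"{secrets.randbelow(10**6):06d}" if pin else secrets.token_urlsafe(32)
        self._records[identifier] = {
            "digest": self._digest(code),
            "expires": self.clock() + self.ttl,
            "attempts": 0,
        }
        return code   # delivered out of band (email link, SMS, authenticator app)

    def redeem(self, identifier, code):
        rec = self._records.get(identifier)
        if rec is None:
            return False                        # nothing outstanding, or wrong account
        if self.clock() >= rec["expires"]:
            del self._records[identifier]       # expired: discard it
            return False
        rec["attempts"] += 1
        if rec["attempts"] > self.max_attempts:
            del self._records[identifier]       # guess budget exhausted: void the code
            return False
        if not hmac.compare_digest(rec["digest"], self._digest(code)):
            return False
        del self._records[identifier]           # single use
        return True


if __name__ == "__main__":
    store = OneTimeCodeStore(ttl=600, max_attempts=5)
    link = store.issue("alice")
    print("first redeem:", store.redeem("alice", link))
    print("replay:", store.redeem("alice", link))
```

Because only the digest is stored, an attacker who reads the table still cannot log in; because the record is keyed by identifier, a link stolen from one user's mailbox cannot be redeemed against another account; and the per-identifier attempt counter is what keeps a six-digit PIN from being brute forced within its lifetime.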
Provision and migrate to new devices
One of the major challenges with a passwordless experience arises when users get new devices: the device-bound secret must be enrolled afresh or migrated from the old device, and each of these steps carries risk. The process typically depends on a backup or recovery key in case the old device is no longer functioning or is lost. That recovery path deserves the same scrutiny as the primary login, because an attacker who can trigger recovery bypasses the device-bound secret entirely.
Continue to educate users on security best practices
Not all users may immediately understand the need for passwordless experiences, and some may fear or question the change at first.
Consider holding a lunch-and-learn session or workshop to go over the shift to passwordless experiences and explain why the system is changing. This way, you can answer questions and guide users through the process.
Ensure careful orchestration and execution
Businesses that fail to properly implement passwordless architectures risk security vulnerabilities and access and performance issues.
The easiest way to avoid implementation issues is to work with expert third-party passwordless experience enablers who can help you get up and running properly.
Manage secrets through enterprise PAM
It’s necessary to rotate secrets periodically to reduce risk. However, manually rotating secrets takes time and creates extra work for IT operations teams and users.
Using a Privileged Access Management (PAM) solution, you can rotate secrets regularly and at randomized intervals without interrupting the user experience. This approach is much more efficient and eliminates wasted time for users and IT teams.
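The following added Python example (an illustration of the mechanism, not Delinea's implementation or any PAM vendor's API) shows what lets rotation happen without breaking logins: the secret rotates on a jittered schedule, and the previous version remains valid for a short grace window, so a client that fetched the secret just before rotation keeps working until it refreshes. The class name `RotatingSecret` and its parameters are assumptions.

```python
import hmac
import random
import secrets
import time


class RotatingSecret:
    """One managed secret (hypothetical class) that rotates on a jittered
    schedule while the previous version stays valid for a grace window."""

    def __init__(self, interval, jitter, grace, clock=time.time, rng=random.random):
        self.interval = interval    # seconds between rotations before jitter
        self.jitter = jitter        # up to this many extra seconds, chosen at random
        self.grace = grace          # seconds the previous version stays valid
        self.clock = clock          # injectable for testing
        self.rng = rng              # injectable for a deterministic schedule
        self.version = 0
        self.current = None
        self.previous = None        # (version, secret, retired_at)
        self.next_rotation = clock()
        self.rotate()

    def rotate(self):
        if self.current is not None:
            self.previous = (self.version, self.current, self.clock())
        self.version += 1
        self.current = secrets.token_urlsafe(32)
        # Randomized cadence: nobody can predict the moment of the next rotation.
        self.next_rotation = self.clock() + self.interval + self.jitter * self.rng()
        return self.version, self.current

    def _tick(self):
        if self.clock() >= self.next_rotation:
            self.rotate()

    def fetch(self):
        """What the broker hands to a client in place of a typed password."""
        self._tick()
        return self.version, self.current

    def accepts(self, version, secret):
        """Target-system check: current version, or previous within the grace window."""
        self._tick()
        if version == self.version:
            return hmac.compare_digest(secret.encode(), self.current.encode())
        if self.previous is not None:
            prev_version, prev_secret, retired_at = self.previous
            if version == prev_version and self.clock() < retired_at + self.grace:
                return hmac.compare_digest(secret.encode(), prev_secret.encode())
        return False


if __name__ == "__main__":
    managed = RotatingSecret(interval=3600, jitter=600, grace=300)
    version, value = managed.fetch()
    print("version", version, "accepted:", managed.accepts(version, value))
```

The version number travels with the secret so the target can tell which generation it was handed, and the grace window is deliberately short: long enough to cover a client mid-session, short enough that a secret captured before rotation dies with it.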
How Delinea enables passwordless authentication experiences
Delinea is on the front lines of passwordless authentication with invisible Privileged Access Management. Invisible PAM enables you to manage multiple types of secrets seamlessly and securely. And it operates entirely in the background, so passwords are hidden and users stay productive.
By deploying invisible PAM, your company can stop asking employees to remember and manage passwords and use modern, alternative options to grant and manage access.
For the full scoop, learn more about invisible PAM, a core requirement for achieving a true passwordless state.