Strong IT security often comes at the cost of a positive user experience. Stringent security requirements put in place to protect users often create friction. Now, with the emergence of passwordless authentication, organizations can maximize security while minimizing friction.
However, many security professionals don’t completely grasp how passwordless authentication works, nor how it contributes to a frictionless experience. Let’s explore the what, why, and how of removing passwords to improve both user experience and an organization’s overall security.
The Starting Point: Is a Password Actually Necessary?
The first hurdle organizations must address is their potential discomfort with a passwordless world. Passwords are the status quo we take for granted. They are familiar and we know how to use them.
But passwords are also easy to compromise—and all too often easy to guess, especially as we find ourselves using the same passwords for multiple logins. And why wouldn’t we? There are so many things that require a password; estimates are the average user has about 200 passwords and could have double that amount by 2023. The sheer volume of accounts requiring passwords puts users at risk simply because there’s too many to keep track of. According to the Verizon 2019 Data Breach Investigations Report, 80% of major data breaches are caused by weak or compromised passwords. Such breaches result in extreme financial loss, downtime, and reputational damage.
Whichever path an organization takes to strike the right balance of security, usability, and cost, the route will be much easier if they team with a trusted channel partner who can help them identify their security needs and access requirements.
One approach some companies are taking to mitigate risk is requiring increased password complexity and automatically shortening a password’s lifespan. But that could make the problem even worse, with users being locked out due to password expiration or needing to have passwords reset. While this may be less of a concern for the enterprise, SMBs understand that mitigating such extraneous costs can make a world of difference.
Given the security risks, usability problems, and potential added costs that passwords present, passwordless authentication morphs beyond just a good idea. It should become an imperative.
What Does “”Passwordless”” Really Mean?
What is it? And what’s the overall objective? Secret Security Wiki defines passwordless authentication as, “”any method of verifying the identity of a user that does not require the user to provide a password.””
Those who spend time in the security weeds may read that loud and clear, but what makes the idea of passwordless authentication so confusing is its inability to fit into any one particular box. More familiar terms like multifactor authentication (MFA) or single sign-on (SSO) are clearly defined products or technologies. Passwordless authentication, in contrast, is a desired outcome. And the goal of going passwordless is to implement technologies that reduce—and ideally, eliminate—the use of passwords altogether.
Understanding that difference—goal vs. product—is the first step toward making the shift to a passwordless approach much less intimidating. Once organizations and leadership understand that passwordless is the goal, and that the journey can be tailored to their needs, their IT service provider can begin to implement the technology and strategies that support it.
Priorities for Passwordless
The ideal outcome for a passwordless approach is to smooth out well-known usability issues and mitigate security risks. And, really, it’s the latter that is most important—after all, as a security team, the biggest objective is maintaining or improving those practices.
To avoid compromising security, passwordless tactics should only be implemented when an organization can ensure confidence in any user’s identity. In other words, there must be enough information to confirm that the person trying to enter a system is who they say they are. And, of course, there may not be a one-size-fits-all approach, as the needs of every SMB and enterprise will vary.
Some businesses will choose to do this through facial recognition or adaptive MFA. Importantly, whichever approach an organization takes, it can help establish a pattern of user behavior. Most of us login to our email around the same time every day—that’s a pattern that a passwordless strategy can help identify. Recognizing that pattern can reduce the ongoing need to enter a password every time we login. In this example, the priority is the pattern, not the password. And that’s exactly the point.
Sketching the Playbook
The next question is: What authentication factor should be used?
First, it’s important to note that “”multifactor authentication”” and “”passwordless”” are not the same. MFA provides a method of increasing the confidence that a user is who they claim to be by requiring an additional authentication factor to gain access to resources. Unlike MFA, passwordless authentication may involve only one factor, such as a biometric. If the authentication process requires more than one factor and none of the factors is a password, it’s then passwordless MFA.
It’s important to point out that just because a password isn’t used doesn’t mean the authentication factor is necessarily stronger. As with any security strategy, every authentication type has relative strengths and weaknesses.
And that is where the channel and managed IT service providers can prove most beneficial on the journey toward passwordless: by providing options. There is a plethora of authentication solutions available for SMBs and enterprises. Typically, they fit into one of three categories—something we know, something we have, and something we are. Each has up- and downsides.
Whichever path an organization takes to strike the right balance of security, usability, and cost, the route will be much easier if they team with a trusted channel partner who can help them identify their security needs and access requirements. From there, teams can decide upon the application access scenarios that will make it easier to identify the best authentication method(s) for each one. Regardless of industry, size, or scenario, the future of security is passwordless. It’s time to get on board.
WESLEY DUNNINGTON is senior director of architecture at Ping.