Passwords have not only become increasingly inconvenient for users, but they also create serious security concerns. Despite their vulnerability, passwords are still widely used and are even a top cause of breaches. Verizon reported that roughly 70% of network intrusions in 2021 resulted from compromised credentials.
As the stakes get higher, IT leaders are advocating for a passwordless future to become a reality. A recent study revealed that reliance on passwords is unsustainable in the current business environment, with employees entering a password 12 times a day. In fact, 25% estimate they input a password 20 times or more. Most troublingly, 94% of IT leaders are concerned about passwords, including 50% who worry they are too weak for security purposes.
At the same time, IT departments are experiencing a 30% rise in password-related incidents. And their employees are suffering from lost productivity, wasting minutes or even hours a week entering and re-entering passwords. With new and advanced security options available, IT leaders recognize that the best password security might be one with no password at all.
The solution most IT leaders favor is passwordless authentication, which is a more effective security mechanism to ensure only the right people have access to the right things and for the right reasons. The journey to passwordless is not short, but there’s a clear roadmap to reach that goal.
1. Centralized authentication
Enterprises should start with the basics — centralized authentication based on username, password, and multi-factor authentication (MFA) to provide a single sign-on experience. This provides the framework needed for passwordless authentication. Multi-factor authentication requires users to verify their identities using two or more authentication factors, while two-factor authentication (2FA) requires exactly two factors.
Passwords are often used as the first authentication factor, but that is not a requirement for MFA or 2FA. Authentication factors include:
Knowledge = Something You Know (password, PIN, etc.)
Possession = Something You Have (smartphone, key fob, etc.)
Inherence = Something You Are (fingerprints, retinal scans, etc.)
As the password is phased out, the three stronger authentication factors remain available for MFA and 2FA. Minimizing reliance on passwords not only makes the network more secure, but it also reduces calls to the IT help desk for password resets.
2. Risk-based MFA
Progress continues by phasing out passwords and adopting risk-assessment services and biometric authentication. Risk-based MFA, also known as adaptive MFA, dynamically assesses the risk of a given interaction based on various factors and adjusts the authentication process accordingly.
By looking at the context and behavior of each login attempt, the system can stop bad actors using compromised credentials before they gain access to the enterprise. Effective risk-based MFA also uses machine-learning intelligence so that the system learns and recognizes normal behavior for a specific user and, conversely, flags abnormal behavior, which can trigger additional authentication requirements or, in extreme cases, block the access attempt.
For example, if a user is logging in from a suspicious IP address and trying to gain access to sensitive information, additional authentication methods can be required before access is granted. Failure to provide the additional proof will cause access to be denied.
Evaluating whether adequate security requirements have been met for each transaction, and stepping up authentication when they haven’t, adds a layer of security that protects data without introducing unnecessary friction into the process.
Many companies use this step as a way to reach a partially passwordless state. A password may still be set for a user, but with risk-based MFA configured properly, the user can access resources using other authentication factors, and the password never needs to be entered.
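A toy step-up decision for the flow described above, added here as an illustration and not code from the original post. The signals, point values and thresholds are constructed; a real adaptive engine would replace the fixed weights with a learned per-user baseline.

```go
package main

import "fmt"
// Decisions the risk engine hands back to the login flow.
const (
	Allow  = "allow"   // factors presented so far are sufficient
	StepUp = "step-up" // ask for one more factor before granting access
	Deny   = "deny"    // block the attempt
)

// Attempt is the context of one login as the engine sees it (constructed signals).
type Attempt struct {
	SuspiciousIP  bool // source IP flagged by a reputation feed or never seen for this user
	KnownDevice   bool // device previously registered by this user
	Sensitive     bool // requested resource holds sensitive data
	FactorsPassed int  // factors already verified this session (password, push, fingerprint, ...)
}

// Score sums fixed risk points per signal (w maps true to 1, false to 0); a real engine learns a per-user baseline.
func Score(a Attempt) int {
	w := map[bool]int{true: 1}
	return 4*w[a.SuspiciousIP] + 2*w[!a.KnownDevice] + 2*w[a.Sensitive]
}

// Decide lets each verified factor offset 4 points of risk: leftover risk means step-up,
// and the extreme case (every signal bad, nothing verified yet) is blocked outright.
func Decide(a Attempt) string {
	residual := Score(a) - 4*a.FactorsPassed
	switch {
	case residual >= 8:
		return Deny
	case residual > 0:
		return StepUp
	}
	return Allow
}

// AfterStepUp re-evaluates once the extra factor was attempted; failing it denies access.
func AfterStepUp(a Attempt, verified bool) string {
	if !verified {
		return Deny
	}
	a.FactorsPassed++
	return Decide(a)
}

func main() {
	a := Attempt{SuspiciousIP: true, KnownDevice: true, Sensitive: true, FactorsPassed: 1}
	fmt.Println(Decide(a), AfterStepUp(a, true), AfterStepUp(a, false)) // step-up allow deny
}
```

The second scenario in the test below is the partially passwordless case: a known device presenting two non-password factors is allowed through without a password ever being typed.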
3. FIDO login
The next step is to adopt standards-based authentication with Fast Identity Online (FIDO) and public key cryptography. Numerous organizations have joined together to form the FIDO Alliance to develop alternatives to passwords. FIDO is a set of open, standardized authentication protocols that use standard public key cryptography techniques to secure user authentication.
All communications are encrypted, and private keys never leave the user’s device, reducing the chances of someone discovering them during transmission. If biometric information is used for verification, it is also stored on users’ devices, making these authentication processes stronger and more secure. Users are able to sign on to a FIDO-enabled product or service using their preferred authentication method (fingerprint scan, entering a PIN, etc.) among the methods the product or service accepts.
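A stripped-down FIDO-style registration and challenge-response login, added here as an illustration; it is not code from the original post, the FIDO specifications or any product. It assumes Ed25519 signatures and a constructed relying-party ID "example.test", and omits the attestation, signature counters and user-verification flags the real protocols carry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the user's device: the private key is generated here and never exported.
type Authenticator struct{ priv ed25519.PrivateKey }
// Sign answers a challenge; binding the relying-party ID into the signed bytes stops a response for one site being replayed at another.
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, append([]byte(rpID+"|"), challenge...))
}
// RelyingParty is the server side; it holds public keys and outstanding challenges only.
type RelyingParty struct {
	ID      string
	creds   map[string]ed25519.PublicKey // user -> public key received at registration
	pending map[string][]byte            // user -> challenge issued but not yet answered
}
// Register has the device create a key pair and stores just the public half.
func (rp *RelyingParty) Register(user string, dev *Authenticator) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		dev.priv, rp.creds[user] = priv, pub
	}
	return err
}
// Challenge issues a fresh 32-byte random nonce for the user and remembers it.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand: never returns an error on Go 1.24+ (the process crashes instead)
	rp.pending[user] = c
	return c
}
// Verify checks the response against the stored key and the issued challenge, consuming the
// challenge so that the same response is rejected if it is presented again.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, c := rp.creds[user], rp.pending[user]
	delete(rp.pending, user)
	return pub != nil && c != nil && ed25519.Verify(pub, append([]byte(rp.ID+"|"), c...), sig)
}

func main() {
	rp := &RelyingParty{ID: "example.test", creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	dev := &Authenticator{}
	rp.Register("alice", dev)
	sig := dev.Sign(rp.ID, rp.Challenge("alice"))
	fmt.Println(rp.Verify("alice", sig), rp.Verify("alice", sig)) // true false: the second is a replay
}
```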
4. Passwordless achieved
The last step is to go fully passwordless by removing passwords from everything. Start with the account creation process. Rather than using passwords during account creation, use a fingerprint scan or other authentication methods.
Identity proofing can also be part of your move to passwordless — at registration, during account recovery, or at some other high-risk event triggered by a signal. Identity proofing is a method to provide extra assurance that the person registering is who they claim to be, such as tying a selfie to a government-issued ID. Having greater assurance that your users are who they say they are makes the transition to passwordless easier.
Usernames and passwords can become a thing of the past, along with the security issues associated with them. Eliminating passwords eliminates the friction associated with creating, remembering, and resetting passwords. Because more secure authentication methods exist, the tools are currently available to reach your passwordless goal.
Final Thoughts
There is no one-size-fits-all approach to making a move to passwordless. Each enterprise must assess its current situation and proceed at its own pace. Finding an in-house champion and a passwordless partner to help can make the journey easier.
Enterprises could also combine a simple passwordless authentication flow with intelligent risk management services for even better security, creating a great user experience with minimal security concerns. These ideas are just the tip of the iceberg. Much more is planned, and the future is bright for passwordless flows, which will someday be the most common way to authenticate users.