Passwordless: the juice is well worth the squeeze

In my experience, people in the workforce typically remember 20 to 40 different combinations of usernames and passwords to perform their jobs. Additional complexity comes from the hundreds of existing digital accounts we all manage as consumers.

This can lead to sticky notes, digital files filled with passwords, misremembered phrases and reuse of the same password for multiple accounts. No wonder passwords are the root cause of over 80% of security breaches.

Plus, I’m tired of consistently being prompted to remember and enter all my passwords and credentials.

Luckily for organizations and users, open standards technology can help. So, get ready to say goodbye to these horrible user experiences we’ve been dealing with over the past 20 years.

No password? How does it work?

First, let’s define this process, because many organizations will be confused by all the choices—and even by determining what passwordless is and isn’t. For example, it isn’t single sign-on. Nor is it multi-factor authentication, or the use of one-time pins via short message service, or email.

The idea is to base identity verification on what might be called ‘possession factors’ that uniquely identify users. This can be a one-time password generator, a registered mobile device, a hardware token or biometrics such as fingerprints and retinal scans. Using this in combination with zero trust creates a very strong security solution that continuously authorizes access. Benefits can include improved security, reduced costs and happier users.

Good news lately, except …

In the past year, the digital identity software industry has seen a flood of passwordless software vendors, with traditional digital identity software vendors also following suit. This is good news, except … with so many choices to vet, organizations may face challenges in selecting the correct vendor. Also, as highlighted in my previous blog post, any organization with old digital identity software may struggle to jump straight to passwordless without modernization of tools and processes.

One other consideration—and potential advantage—is the ability to also put passwordless to work in operational technology (OT). This is because most of the systems on production floors are mission-critical, and compromise can mean significant damage. Recent pipeline attacks are only one example.

For the safety of the workforce, some organizations have policies that devices with batteries cannot be on the production floor. In the past, I have witnessed separate authentication mechanisms for IT and OT due to safety requirements like these, and because of a lack of industry maturity. But, as I highlighted earlier, passwordless technology also exists to improve security and safe experience for OT.

To accelerate adoption, reduce friction

When friction occurs, users find a way around, typically circumventing security to make their lives easier. One of the organizations working toward an answer is Fast Identity Online (FIDO), an alliance that created the open standard focusing on passwordless. FIDO works to help phones, hardware tokens, sensors and software support its asymmetric encryption; now FIDO adoption support and implementation is on the rise. FIDO2, released in 2018, supports WebAuthN for browsers, operating systems and websites. However, there are challenges: Registering FIDO authenticators is currently a one-off process for each device and managing these devices falls to the organization.

These challenges should not be permitted to hold organizations back from adopting systems that don’t require passwords. As I said at the top, the juice is worth the squeeze.

Recommendations for implementing passwordless

Understand your current capabilities and build your roadmap, including knowing how your entire organization authenticates through every channel.

Work closely with business stakeholders to define and align your new authentication experience.

Select a vendor that can supplement and integrate your existing digital identity investments and understand their roadmap. Given the explosion of vendors in this space, do not be surprised if you encounter mergers and acquisitions in this changing landscape.

Take time to think through the process of managing these new tokens for authentication as well as the device registration process. Focus on low-friction, high-reward processes driven by automation. Don’t turn this into a call center sunk cost to manage device registration.