Managing passwords has always been a challenge for companies, and it puts an enormous responsibility on regular users who deal with hundreds of passwords in their digital lives every day. The idea of a “Passwordless” future seems like music to everyone’s ears, right? Of course! But before jumping in and becoming 100% Passwordless, let’s demystify what that means and the options and challenges companies may face.
What Does Passwordless Mean?
Many of the apps on your mobile device offer an optional login using your fingerprint; if you accept, you’re logging in with Passwordless authentication. If you have Windows Hello enabled on your laptop, you might find it convenient to log in using facial recognition, right? That’s Passwordless authentication. Any time you have an alternative way to log in that doesn’t require a password, you are using a Passwordless method.
However, there are a couple of interesting observations to note about this concept:
- Passwordless doesn’t necessarily mean you’re removing the password – you just have a Passwordless user experience. If your alternate authentication method (like facial recognition) fails, the password will usually still be there.
- The Passwordless methods used on your phone and laptop are not interoperable. If you log into your mobile banking app using your fingerprint and now need to access it through your laptop, you will need to provide your password.
The fact is, passwords aren’t going away any time soon. Websites, streaming subscriptions, your laptop, banking card, and banking website all use passwords, each with different requirements such as length or a specific combination of characters.
How Do You Shift to a Passwordless Experience?
If your company is trying to shift to a Passwordless experience, there are a few options, but each may cover only a portion of your needs.
The first option is using SAML (Security Assertion Markup Language), an XML-based protocol that allows cloud applications to establish a trust relationship with an Identity Provider (SAML IdP). Within that trust, whenever you want to access a cloud application such as Salesforce, it redirects you to the Identity Provider for authentication. The benefits for a company are enormous: employees get single sign-on to those cloud applications with a completely Passwordless experience. You log in once to the Identity Provider and gain access to all configured applications, with no further passwords once you have done so. You just have to use a reliable MFA method to log into the Identity Provider. MFA holds the key to the castle.
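The trust described above only holds if the service provider actually checks what the IdP asserts. The following added example (not code from the original article or any vendor) shows the checks an SP must perform on a SAML assertion before granting access: issuer, validity window, audience restriction, recipient, InResponseTo, and one-time use. It assumes the XML signature has already been verified by a library such as xmlsec, uses a constructed sample assertion, and uses hypothetical example.com endpoints.

```python
"""Post-signature checks an SP makes on a SAML 2.0 assertion.
Added example; assumes XML signature verification happened earlier.
For untrusted XML in production, parse with defusedxml instead."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)  # tolerance for IdP/SP clock drift

# Constructed sample assertion (hypothetical endpoints, not a real IdP response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(text):
    """SAML timestamps are UTC in xs:dateTime form."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, expected_issuer, expected_audience,
                       expected_recipient, expected_request_id, now, seen_ids):
    """Return a list of problems; an empty list means the assertion is acceptable.
    `seen_ids` is the SP's store of consumed assertion IDs (replay protection).
    `expected_request_id` is the ID of the AuthnRequest the SP sent (None for IdP-initiated)."""
    problems = []
    root = ET.fromstring(xml_text)

    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        problems.append("replay: assertion ID already consumed")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before) - CLOCK_SKEW:
            problems.append("not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after) + CLOCK_SKEW:
            problems.append("expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience mismatch: assertion was issued for another SP")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_recipient:
            problems.append("recipient mismatch")
        if expected_request_id is not None and scd.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo mismatch: response does not match our request")
        bearer_deadline = scd.get("NotOnOrAfter")
        if bearer_deadline and now >= _parse_time(bearer_deadline) + CLOCK_SKEW:
            problems.append("bearer confirmation expired")

    if not problems:
        seen_ids.add(assertion_id)  # consume the ID only on success
    return problems


if __name__ == "__main__":
    consumed = set()
    print(validate_assertion(
        SAMPLE_ASSERTION,
        expected_issuer="https://idp.example.com/metadata",
        expected_audience="https://sp.example.com/metadata",
        expected_recipient="https://sp.example.com/acs",
        expected_request_id="_req42",
        now=datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc),
        seen_ids=consumed))
```

The audience and InResponseTo checks are the ones most often skipped in hand-rolled SP code; without them an assertion issued for one application can be accepted by another, and the SSO trust the paragraph describes becomes much wider than intended.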
The second option is adopting a FIDO2 device that can bring you a Passwordless experience. The FIDO Alliance created specifications for a Passwordless method of logging into websites and applications. It typically requires a hardware token that uses a certain connection method – USB, Bluetooth, NFC, etc. – to authenticate into a FIDO2-enabled application. Like the Windows Hello facial recognition example, FIDO2 devices can also be used to log into your computer without using a password. It’s an excellent, highly secure method. Still, it comes with barriers such as limited application support and the need for backup methods of authentication in case your token is forgotten or lost. Not to mention the cost barrier – FIDO2 devices can get pretty pricey.
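What makes a FIDO2 login resistant to credential theft is that the browser binds each assertion to the site origin and to a server-issued challenge, and the relying party must check both. The added example below (not from the original article or from the FIDO Alliance specifications’ reference code) performs those relying-party checks on a WebAuthn assertion using only the standard library: ceremony type, challenge, origin allow-list, rpIdHash, user-presence flag and signature counter. The relying party ID, origins and all byte strings are constructed for the demo; verifying the signature over the returned payload with the credential’s stored public key is assumed to happen afterwards and is not shown.

```python
"""Relying-party checks on a WebAuthn/FIDO2 assertion (added example).
Everything here is constructed; RP_ID and origins are hypothetical."""
import base64
import hashlib
import json
import os

RP_ID = "sp.example.com"                       # assumed relying party ID
ALLOWED_ORIGINS = {"https://sp.example.com"}   # assumed origins that may use this RP ID
FLAG_USER_PRESENT = 0x01


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str, ceremony="webauthn.get") -> bytes:
    """Build clientDataJSON the way a browser does (constructed for the demo)."""
    return json.dumps({"type": ceremony, "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags=FLAG_USER_PRESENT, counter=1) -> bytes:
    """authenticatorData = sha256(rpId) || flags || 32-bit signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The message the authenticator signed; verify it with the stored public key (not shown)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, last_counter: int) -> list:
    """Return a list of problems; empty means the structural checks passed."""
    problems = []
    client_data = json.loads(client_data_json)

    if client_data.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        problems.append("challenge mismatch: stale or cross-session assertion")
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        # This is the origin binding: an assertion produced on another site is rejected.
        problems.append(f"origin not allowed: {client_data.get('origin')}")

    if len(auth_data) < 37:
        problems.append("authenticatorData too short")
        return problems
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not auth_data[32] & FLAG_USER_PRESENT:
        problems.append("user presence flag not set")
    counter = int.from_bytes(auth_data[33:37], "big")
    if counter != 0 and counter <= last_counter:
        problems.append("signature counter did not increase: possible cloned authenticator")
    return problems


if __name__ == "__main__":
    challenge = os.urandom(32)                  # issued by the server per login attempt
    cdj = make_client_data(challenge, "https://sp.example.com")
    ad = make_authenticator_data(RP_ID, counter=7)
    print(verify_assertion(cdj, ad, challenge, last_counter=6))   # expected: []
```

The origin check is the practical reason a FIDO2 token behaves differently from a password or an OTP: the browser writes the real origin into clientDataJSON, so a credential used on a look-alike site fails validation at the genuine relying party.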
A Passwordless implementation should consider user experience as well as security. For example, you should not remove the password if you plan on keeping a single-factor (1FA) method to authenticate. SMS OTPs, for instance, are notoriously insecure; making them your only form of authentication is a huge mistake. When using push-based authentication only, without an additional method, attackers can still use MFA bombing to pressure users into accepting a push if the MFA process itself is not protected.
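The MFA-bombing risk just described is one that a defender can see in authentication logs. The following added example (not from the original article) runs a push-fatigue detection over a few constructed log lines: it flags a user who receives an unusual number of push prompts in a short window, and raises a higher-severity alert if an approval follows that burst. The log format, field names, user names and thresholds are all assumptions for the demo.

```python
"""Push-fatigue (MFA bombing) detection over constructed auth logs. Added example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (hypothetical format: timestamp then key=value pairs).
LOG_LINES = [
    "2024-01-01T08:00:01Z user=alice event=push_sent src=203.0.113.5",
    "2024-01-01T08:00:20Z user=alice event=push_denied",
    "2024-01-01T08:00:45Z user=alice event=push_sent src=203.0.113.5",
    "2024-01-01T08:01:10Z user=alice event=push_sent src=203.0.113.5",
    "2024-01-01T08:01:40Z user=alice event=push_sent src=203.0.113.5",
    "2024-01-01T08:02:05Z user=bob event=push_sent src=198.51.100.7",
    "2024-01-01T08:02:15Z user=bob event=push_approved",
    "2024-01-01T08:02:30Z user=alice event=push_sent src=203.0.113.5",
    "2024-01-01T08:03:00Z user=alice event=push_approved",
]


def parse_line(line: str) -> dict:
    """Turn 'TS k=v k=v' into a dict with a timezone-aware 'ts'."""
    ts_text, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_push_fatigue(lines, max_prompts=5, window=timedelta(minutes=10)) -> list:
    """Sliding-window count of push prompts per user.

    - 'push_burst': the user received >= max_prompts prompts inside `window`.
    - 'approval_after_burst': an approval arrived while the user was in a burst,
      which is the outcome MFA bombing aims for and deserves an immediate review.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    recent_prompts = defaultdict(deque)   # user -> timestamps of prompts inside the window
    in_burst = set()
    alerts = []

    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "push_sent":
            q = recent_prompts[user]
            q.append(ts)
            while q and ts - q[0] > window:     # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= max_prompts and user not in in_burst:
                in_burst.add(user)
                alerts.append({"ts": ts, "user": user, "kind": "push_burst", "prompts": len(q)})
        elif ev["event"] == "push_approved" and user in in_burst:
            alerts.append({"ts": ts, "user": user, "kind": "approval_after_burst"})
            in_burst.discard(user)              # reset so the next burst is reported again
            recent_prompts[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(LOG_LINES):
        print(alert)
```

Tune `max_prompts` and `window` to the normal prompt rate in your environment; in practice the same rule is paired with controls such as number matching or rate-limiting prompts at the IdP so that the approval itself becomes harder to obtain by pressure.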
Finally, I see many people questioning the need for a Password Manager if Passwordless is the new trend. Passwords are not going away soon, and it’s nearly impossible to maintain different, complex passwords for each application without help. A password manager is a great way to educate users and to give every account a unique, hard-to-crack password, limiting the damage when a credential database turns up on the dark web, while offering users a Passwordless experience. Log into your password manager with MFA and let it launch the website and log you in automatically.
Here are a few key takeaways and suggestions based on the current state of Passwordless authentication:
- “Passwordless” means the user isn’t inputting a password; it doesn’t mean the password no longer exists.
- Passwords aren’t going anywhere, so you’ll need to find better ways to manage and mitigate any issues that come up along the way.
- SAML is an excellent way to provide Passwordless SSO access to protected cloud business applications.
- FIDO2 tokens can provide a great user experience and security for computer logins, but usually at a higher price.
- A Password Manager can give users a Passwordless experience for applications not supporting MFA natively while mitigating multiple credential-related issues.
As you can see, depending on what you’re trying to achieve, a completely Passwordless method might be the best course of action.
There is still no clear standard for Passwordless authentication that can interoperate with multiple devices and applications. You will need a very expensive, “Swiss Army knife”-like hardware token to have similar experiences with your laptop and mobile device, and even then only for some applications. Suppose you log into your computer every day using facial recognition with Windows Hello; that Windows Hello login cannot be used to access most of the websites you visit every day. Each website has its own login method. In a few years, FIDO2 might become the de facto standard for Passwordless, but for now, its use is still very limited.
My recommendation, as always, is to identify the most critical applications you’re trying to protect and which Passwordless methods might apply to each one. Take user experience into consideration, but don’t forget about security or management costs.
What are the key factors your organization has to consider before adopting a passwordless authentication approach and implementation? Let us know on Facebook, Twitter, and LinkedIn.