Password-less Authentication: A Step-By-Step Guide

Organizations moving to password-less authentication should consider externalizing login processes from individual applications to either Kerberos (via AD/Integrated Windows Authentication) or using federation technologies such as SAML or OpenID Connect (OIDC). Once this is done, gradually move login processes from traditional, password-based ones to new processes that combine local-to-device biometric authentication with login to network services using cryptographic key material stored securely on endpoints. 

However, it’s important to implement new authentication mechanisms carefully because there are many compatibility challenges with devices, offline use and diverse user locations and network connectivity. 

This piece offers a step-by-step guide for implementing password-less authentication, including best practices to follow and pitfalls to avoid. 

Getting Started with Password-less Authentication

Before you make the move to password-less, you should make sure you have a solid understanding of password-less authentication.   

With that theoretical background in mind, implementation of a password-less authentication system should typically proceed in the following sequence: 

• Take inventory. Assemble an inventory of client devices, physical/network locations and services where authentication takes place. And consider how to prioritize these – in what context should the legacy login process be replaced with a password-less alternative? 
• Select combinations of credentials that will be supported. Ideally, in each case, combine a type of biometric (fingerprint, faceprint, etc.) with a possession factor (phone, hardware device). Multiple combinations will be required because no biometric works for all users or on all devices, and no hardware device is accepted by everyone. 
• Outsource the login process. Work through the application inventory to “outsource” the login process to shared infrastructure: 
  • For on-premises apps or VPN-accessible apps, integrate login processes with Kerberos where possible. 
  • For web apps, federate login screens to an identity provider (IdP) using SAML or OIDC. 
  • Optionally, link the IdP to Kerberos. 
• Implement the chosen authentication systems on the endpoints and federated IdPs. This is where password-based logins are replaced with multiple factors, presumably avoiding knowledge-based ones. 
• Roll out the new mechanisms to user populations gradually, allowing time to detect and respond to problems users will inevitably experience. Issues may arise due to compatibility with specific apps, client devices or operating systems and with the inability of some users to leverage specific biometrics. 

READ: When to Consider a New IAM Solution

Password-less Authentication Best Practices

Rolling out password-less isn’t easy. When planning a password-less system rollout, organizations should consider the following best practices: 

• Understand the user community. Consumer-facing systems present lower risk and lower complexity, but at higher scale. Worker-facing systems present higher risk and higher complexity, but at a smaller scale. Often, it's simpler to deploy something that sounds advanced, like "password-less authentication" in a lower complexity setting. 
• Understand your motivation and business drivers. Is the move to replace passwords intended to address user convenience issues? IT support cost? Real or perceived security vulnerabilities? Focus on the business drivers first and foremost. The decision process may not necessarily lead to the adoption of password-less authentication, or it may lead to different types of credentials for different users, based on their risk profiles (e.g., dedicated hardware devices versus smartphone apps). 
• Do the heavy lifting just once. Federate application logins to a single, shared infrastructure and then implement new authentication processes once (at the IdP level) rather than once per application. 
• Consider compatibility above all else. No one set of authentication technologies will work for everyone. Client device type and operating system, managed versus unmanaged devices, application compatibility, offline operation and more are all important. 
• Use MFA. Every type of credential has intrinsic compromises. The best solution is to combine multiple factors. 
• Don't disregard passwords or other knowledge factors out of hand. They are often more convenient than alternatives. Do combine passwords or other knowledge factors with hardware devices and/or biometrics as appropriate, however. 
• Listen to the users. You will learn about authentication factors that don't work in specific contexts or for specific users and about what users really perceive as convenient. The alternatives to passwords are not necessarily perceived as preferable by all users. Make it easy for users to report problems and be sure to respond to their complaints. 

Password-less Authentication Challenges 

Password-less seems like the answer to the decades-old problems with passwords—usability, security, support cost and more—but to date, it’s not an easy goal to reach. Most large organizations are bound to run into issues with password-less, increasing cost and limiting scope. The technology is promising and maturing, but not trivial. Overall, success requires laser focus on endpoint types and capabilities, network (and offline) usage, and application compatibility. It also means focusing on the business and where password-less makes the most sense—and where it doesn’t. Overall, teams should understand: 

• Password-less does not mean frictionless. Some password-less implementations might actually be more onerous for a user. 
• The "big bang" approach to deployment doesn’t work. Password-less deployments have many moving parts. It’s best to start small with simple use cases and iterate from there. 
• Proper funding is important. Password-less requires funding of both tech and human resources to procure, deploy and support the initiative. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.