Tips for Passwordless Adoption

December 22, 2022 | By IANS Faculty

Traditional password authentication presents a host of increasing security risks for organizations of all sizes. As a result, a growing number of organizations are considering passwordless authentication as a more secure and user-friendly alternative.

This piece provides guidance to determine whether passwordless is right for your organization and offers best practices to help get started. 

Common Password Issues 

When building a business case for a transition to passwordless authentication, it helps to understand the common problems with passwords.

Almost every application shared by two or more users must identify its users when they establish a login session. Users normally claim an identity, e.g., by typing a login ID. Unless the application represents near-zero business risk, the application must then verify that the claimed identity really belongs to the person attempting session initiation. This verification is called authentication and there are many ways to do it, passwords being the primary method for most organizations. Passwords have many well-known problems, including:

  • They are a nuisance to enter.
  • Different systems often have different requirements and abilities with respect to how new passwords must be composed and what they may contain. This diversity can make crafting new passwords painful for users.
  • Passwords are forgotten. This leads to two other problems: either high help desk call volume to reset forgotten or locked-out passwords, or people writing down their passwords, which reduces (possibly strong) logical security to the level of (typically weak) physical security.
  • Users are inclined to select simple, easily guessed passwords. This makes their login accounts easy to compromise.
  • People often share their passwords, especially executives under time constraints. This means systems performing successful authentication cannot differentiate between the legitimate owner of an account and others with whom they may have shared the account’s password.

Passwordless Authentication Issues 

Passwordless authentication relies on user possession factors (a mobile device) and physical factors (a fingerprint or other biometric input). With multiple factors of authentication, it becomes more difficult for attackers to gain access to systems.

Before getting started with passwordless authentication, consider whether or not it is a good fit for your security strategy. Common issues faced by organizations moving to passwordless include:

  • Biometrics feasibility: Costly specialized sensor hardware, user accessibility issues and the need for suitable environmental conditions are common challenges.
  • Physical device upgrades: Users who replace their endpoint devices will experience friction, as they have to enroll local biometrics, reestablish trust between network services and local key material, etc. Plan on supporting users when they upgrade or add endpoint devices.
  • Credential problems: Users will have issues with lost or forgotten devices, forgotten PINs, etc. Be sure to allocate staff to assist.
  • Externalizing login from apps that only support local passwords: In these cases, password injection will be required. This can be an opportunity to retire old apps with primitive authentication capabilities.
  • Externalizing login from apps hosted by third parties where you have no admin rights to change configuration: Here, too, you may be reduced to password injection.
  • Compatibility problems due to new device types and even OS patches: Test before rolling out significant updates, especially on macOS (the least “enterprise” of the popular client OSes).

Research Passwordless Products 

You will need a few tools to get passwordless authentication working:

  • Device-local biometric authentication. Windows Hello and the native capabilities on iOS and Android are great. Biometric unlock is hard to miss on modern iOS and Android devices, but not on macOS. To get passwordless OS login on macOS, third-party products are needed.
  • Passwordless login platform products.
  • Cryptographic authentication from devices to network identity providers.
  • Federated logins into apps based on network identity.
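As an added illustration, not code from the IANS post or from any product it names, the Go sketch below shows what "cryptographic authentication from devices to network identity providers" looks like once the possession factor is a device-held key: the device keeps an Ed25519 private key that never leaves it, the hypothetical IdP stores only the public key, and each login answers a single-use challenge bound to the IdP's origin. It goes slightly beyond the list above by also showing the two rejections a defender cares about: a replayed answer and an answer signed for a different origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// IdP holds one enrolled public key per device (the possession factor) and unconsumed challenges.
type IdP struct {
	devices    map[string]ed25519.PublicKey // device ID -> enrolled public key
	challenges map[string]bool              // nonces issued but not yet consumed
}

func NewIdP() *IdP {
	return &IdP{devices: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// NewDeviceKey runs on the device at enrollment and again after a device replacement;
// on a real endpoint the local biometric or PIN gates every use of the private key.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return pub, priv
}

// Enroll stores only the public half, so the IdP holds no reusable secret.
func (s *IdP) Enroll(deviceID string, pub ed25519.PublicKey) { s.devices[deviceID] = pub }
// Challenge issues a fresh random nonce that may be answered exactly once.
func (s *IdP) Challenge() string {
	buf := make([]byte, 32)
	rand.Read(buf)
	c := hex.EncodeToString(buf)
	s.challenges[c] = true
	return c
}

// DeviceSign is the device side: sign the challenge bound to the origin that showed it.
func DeviceSign(priv ed25519.PrivateKey, challenge, origin string) []byte {
	return ed25519.Sign(priv, []byte(challenge+"|"+origin))
}

// Verify consumes the challenge (no replay) and checks the signature against the enrolled key and this origin.
func (s *IdP) Verify(deviceID, challenge, origin string, sig []byte) bool {
	if !s.challenges[challenge] { // unknown, or already consumed
		return false
	}
	delete(s.challenges, challenge) // single use, whether or not the signature checks out
	pub, ok := s.devices[deviceID]
	return ok && ed25519.Verify(pub, []byte(challenge+"|"+origin), sig)
}
```

Binding the origin into the signed message is what keeps a signature obtained by a look-alike site from verifying at the real IdP; a production deployment would add challenge expiry and a counter or attestation per device.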

Best Practices for Launching Passwordless Authentication 

Passwordless rollouts are always complex. To avoid some of the biggest issues:

  • Go for MFA, rather than a single type of credential.
  • Offer two or more valid combinations of credentials.
  • Consider retaining passwords as part of at least one of the MFA options going forward: They aren’t really worse than the alternatives.
  • Configure network services to “remember” successful authentication from trusted, personal devices and prompt for login less frequently: Fewer login prompts significantly improve the user experience.
  • In the case of biometrics, offer two or more mechanisms: For any given biometric type, some users will be unable to enroll or authenticate.
  • Think through the modes of failure for each credential and provide recovery mechanisms: For example, consider what will happen if users lose their device, forget their PIN, leave their device at home, need to sign in from a device without a relevant biometric sensor, etc. This augments existing password-related support (e.g., forgot password, triggered lockout, etc.).
  • Deploy federated logins to apps first and roll out new authentication methods second.
  • Move app logins to shared infrastructure gradually, ideally a few apps at a time, so you don’t have to send users an announcement for every single app that was migrated over.
  • Move users into the new infrastructure incrementally, one small group at a time, by office location, department, etc. Find champions within each small user community to help with user education and transition.
  • Assign a team to support the user community in transition and rapidly respond to login failures: Login failures due to device incompatibility, app incompatibility, network state, etc., can be highly disruptive. Be sure to get ahead of that so failures remain small, short and local, and do not derail the whole initiative.
  • Incorporate authentication standards (typically, via federated login) into all new app procurement and development: Make sure integrating new apps is easier than integrating legacy ones.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
