Deploying passwordless authentication is, essentially, an integration and compatibility problem. Different types of client devices (Windows, macOS, Android, iOS), managed either by the user or by the IT organization,
connect over a network to a variety of services and applications, any one of which may not support non-password authentication at all, or may support it in a different way from the others.
This piece explains passwordless and other authentication methods and offers recommendations for a well-planned, incremental passwordless deployment.
The oldest and simplest form of authentication is for the user to key in a ‘secret’: their password. The system or application compares what was typed to a previously enrolled value
to verify the user attempting to sign in entered the correct string and is, therefore, presumably the one and only person who knows the secret. Using a password is just one of many forms of authentication; others include:
Just because passwords have problems, this does not imply alternatives are perfect:
Users typically interact with passwordless authentication mechanisms via the following sequence of steps (Windows Hello is a good example of this pattern):
How this works in detail depends on the type of client device (OS), how it’s managed (centrally or BYOD) and the type of network service being accessed. In short, there is no single solution that performs this sequence in all cases.
Some mechanisms only work when the user's device has an active network connection (possibly over a VPN). They won't work for someone signing into their laptop on an airplane or away from cell service, for example. This includes sending the
user a PIN via SMS and one-time-password services such as RSA SecurID, where the code is validated by a server on the network. A few
network services support cryptographic authentication directly. However, most do not, and instead:
Keep in mind that well-managed passwords are a useful security tool; it is poorly managed passwords that give passwords a bad reputation. Authentication using biometrics or hardware devices also has friction, and users
sometimes perceive that friction as worse than passwords.
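The two classes of mechanism described above (a short code checked by a server that shares the secret, versus a device-bound key that signs a server challenge) are worth seeing side by side. The following Go program is an added illustration, not code from the original post or from any product it names: it implements an RFC 4226/6238 one-time code, verified here against the RFC's published test secret, and a minimal challenge-response in the Windows Hello / FIDO style using a key pair that never leaves the client. The relying-party name `login.example.com`, the user `alice`, and the look-alike host used in the phishing step are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// --- Mechanism 1: server-validated one-time code (HOTP, RFC 4226) ---
// Both sides hold the same secret, and the short code proves nothing until
// a server on the network checks it, which is why this class of mechanism
// cannot sign a user into an offline laptop.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp turns a Unix timestamp into an HOTP counter (RFC 6238, 30 s step).
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/30), digits)
}

// --- Mechanism 2: device-bound key pair (the Windows Hello / FIDO pattern) ---

// device models the client: the private key is generated on the device and
// never leaves it; a local gesture (PIN or biometric) unlocks its use.
type device struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

func newDevice() (*device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &device{priv: priv}, pub
}

// signedPayload binds the relying-party identifier into what is signed, so a
// signature obtained by a look-alike site does not verify at the real one.
func signedPayload(rpID string, nonce []byte) []byte {
	return append([]byte(rpID+"\x00"), nonce...)
}

func (d *device) sign(rpID string, nonce []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("local gesture (PIN/biometric) required")
	}
	return ed25519.Sign(d.priv, signedPayload(rpID, nonce)), nil
}

// relyingParty models the server: it stores public keys only, so a breach of
// its credential store yields nothing an attacker can replay.
type relyingParty struct {
	id         string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // outstanding single-use nonce per user
}

func newRelyingParty(id string) *relyingParty {
	return &relyingParty{id: id, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *relyingParty) enroll(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// challenge issues a fresh random nonce that will be accepted at most once.
func (rp *relyingParty) challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	rp.challenges[user] = nonce
	return nonce
}

// verify consumes the outstanding nonce and checks the signature against the
// enrolled public key.
func (rp *relyingParty) verify(user string, nonce, sig []byte) bool {
	expected, ok := rp.challenges[user]
	if !ok || !bytes.Equal(expected, nonce) {
		return false
	}
	delete(rp.challenges, user) // single use: a captured signature cannot be replayed
	pub, ok := rp.pubKeys[user]
	return ok && ed25519.Verify(pub, signedPayload(rp.id, nonce), sig)
}

type loginResult struct{ Locked, Genuine, Replay, Phished bool }

// demoPasswordless walks one enrolment and four login attempts.
func demoPasswordless() loginResult {
	rp := newRelyingParty("login.example.com") // hypothetical relying party
	dev, pub := newDevice()
	rp.enroll("alice", pub)
	var r loginResult
	nonce := rp.challenge("alice")
	_, err := dev.sign(rp.id, nonce) // 1. key unusable without the local gesture
	r.Locked = err != nil
	dev.unlocked = true
	sig, _ := dev.sign(rp.id, nonce) // 2. genuine login
	r.Genuine = rp.verify("alice", nonce, sig)
	r.Replay = rp.verify("alice", nonce, sig) // 3. replay: nonce already consumed
	nonce = rp.challenge("alice")
	sig, _ = dev.sign("login.examp1e.com", nonce) // 4. look-alike site relays the nonce
	r.Phished = rp.verify("alice", nonce, sig)
	return r
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 published test secret
	fmt.Println("OTP at t=59s:", totp(secret, 59, 6))
	fmt.Printf("%+v\n", demoPasswordless())
}
```

The contrast a practitioner should take from this: the OTP server must hold the same secret the token holds and must be reachable to check the code, whereas the challenge-response server holds only a public key, the nonce makes each signature single-use, and binding the relying-party identifier into the signed data is what defeats relaying through a look-alike site.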
Because every kind of credential has its own operational problems, it’s a good idea to combine two types of credentials at login time and give users two or more valid combinations, in case one combination is nonfunctional at a given time, in a given
context or for a given person.
The most common combinations of credentials are:
Implementing a passwordless strategy is an exercise in integrating authentication services with various systems and applications and overcoming compatibility issues on both client devices and back-end systems. This can be complex, so planning is essential.
Best practices here include:
This can be done before passwordless or MFA are deployed. We recommend moving one app at a time over to the new system, because this gives you time to identify, diagnose and remediate any compatibility problems as they arise.
Test with different devices, users and network services, and plan on rapid response to login failures to forestall user revolt if things go wrong.
Deploying an identity provider service, configuring MFA, integrating apps with that IdP and changing client OS authentication to use hardware tokens plus biometrics are all tasks that require significant time and effort. Validating each part of this
infrastructure, including testing as many combinations as possible of client device type, client state and location, authentication method, IdP login and app login, will take time. Expect to need a small team and a year or more of elapsed time.
September 26, 2023
By IANS Faculty