Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Deploying passwordless successfully within large organizations can be difficult—and difficult to measure. This piece explains how to set appropriate goals and measure progress when implementing passwordless authentication.
Passwordless is a relatively new advancement in authentication, so it is challenging to develop appropriate passwordless deployment timelines and success metrics. How long it takes to reach critical
mass really depends on the method and the intended scope of the passwordless deployment. Size and scope can vary significantly with some large organizations successfully deploying
passwordless internally verses other passwordless deployments in consumer environments of 50,000 or more users. That said, your mileage may vary, depending on your specific goals and environment.
Given passwordless’ security improvements, risk reduction and general user experience improvements, all large organizations should at least evaluate the options and consider deploying a passwordless model that works for best them. The biggest challenge
or barrier to passwordless deployment for a large company is implementing a centralized passwordless capability that integrates with
a large portion of your applications.
How you measure success usually hinges on the type of deployment. If you use something like Microsoft’s Windows Hello which integrate with desktops and laptops, the major metrics for measuring success include:
When users are highly skilled and projects are highly desired (like passwordless), you may see faster deployments. However, there are always holdouts, which should be brought along in the normal technology refresh cycle (typically, three to five years).
If you are implementing more of a central deployment/update to existing authentication infrastructure deployment can be as fast as the modules can be delivered and the associated policies applied.
Typically, these centralized deployments involve rapid implementation, with rapid impact to user experience. The biggest blocker tends to be integration with the central authentication provider. You can implement passwordless, but if nothing uses the
provider, you won't get much coverage. However, if you have a backlog of applications waiting to be integrated, you can accelerate deployment in this model by adding temporary staff, contractors, etc., to work through the backlog.
Determining when a project is complete depends on the original goals of the deployment. It’s important to choose a goal that is both measurable and achievable. Typically, the primary objective for passwordless is to deploy and/or enable passwordless authentication to high-risk and impactful technologies. This usually means areas like remote access and technologies like central authentication providers.
You know a passwordless project is done when:
When starting your passwordless journey, the major pitfalls and failures to watch and plan for in your deployment include:
However, no IAM project (passwordless included) is ever truly complete, given the evolving risks, usage and possible number of integrations. To ensure your passwordless rollout stays on track:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
February 21, 2024
By IANS Research
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.
February 15, 2024
By Alex Sharpe, IANS Faculty
IANS Faculty member Alex Sharpe discusses the risks around AI adoption and provides governance guidance to make your AI launch safe and mitigate risk.
February 13, 2024
By IANS Faculty
Learn how to how to use NIST to modify secure baseline configurations to account for risk and improve security posture.