Passwordless Authentication in Enterprises: Metrics and Milestones for a Seamless Deployment

July 27, 2023 | By IANS Faculty

Deploying passwordless successfully within large organizations can be difficult—and difficult to measure. This piece explains how to set appropriate goals and measure progress when implementing passwordless authentication.

Passwordless Authentication for Enterprises

Passwordless is a relatively new advancement in authentication, so it is challenging to develop appropriate passwordless deployment timelines and success metrics. How long it takes to reach critical mass really depends on the method and the intended scope of the passwordless deployment. Size and scope can vary significantly: some large organizations have successfully deployed passwordless internally, while other passwordless deployments have targeted consumer environments of 50,000 or more users. That said, your mileage may vary, depending on your specific goals and environment.

Given passwordless’ security improvements, risk reduction and general user experience improvements, all large organizations should at least evaluate the options and consider deploying a passwordless model that works best for them. The biggest challenge or barrier to passwordless deployment for a large company is implementing a centralized passwordless capability that integrates with a large portion of your applications.

Passwordless Deployment Progress Metrics

How you measure success usually hinges on the type of deployment. If you use something like Microsoft’s Windows Hello, which integrates with desktops and laptops, the major metrics for measuring success include:

  • Coverage: The speed at which software packages are delivered to impacted machines.
  • End-user acceptance: How many users can use the updated login experience post-deployment (e.g., they can register phones, adopt the new login/authentication style, etc.).

When users are highly skilled and projects are highly desired (like passwordless), you may see faster deployments. However, there are always holdouts, which should be brought along in the normal technology refresh cycle (typically, three to five years).

If you are implementing more of a central deployment/update to existing authentication infrastructure, deployment can be as fast as the modules can be delivered and the associated policies applied.

Typically, these centralized deployments involve rapid implementation, with rapid impact to user experience. The biggest blocker tends to be integration with the central authentication provider. You can implement passwordless, but if nothing uses the provider, you won't get much coverage. However, if you have a backlog of applications waiting to be integrated, you can accelerate deployment in this model by adding temporary staff, contractors, etc., to work through the backlog.

Measuring Project Completion

Determining when a project is complete depends on the original goals of the deployment. It’s important to choose a goal that is both measurable and achievable. Typically, the primary objective for passwordless is to deploy and/or enable passwordless authentication to high-risk and impactful technologies. This usually means areas like remote access and technologies like central authentication providers.

You know a passwordless project is done when:

  • High-risk and primary objectives are completed based on original scope.
  • High-volume/high-risk technologies are enabled for the new technology/deployment.
  • You have critical mass/usage of the technology to justify capital investment, improved security and reduction of risk.
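As an added example (not code from the article or from IANS), the following Python script computes the end-user acceptance metric and holdout list described above from a constructed sign-in log, checks which high-risk applications are integrated with the central provider, and judges completion against the acceptance goal fixed at project start. The log format, application inventory and method names are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample sign-in log (not from the article): "date,user,app,method".
SIGNIN_LOG = """\
2023-07-01,alice,vpn,fido2
2023-07-02,alice,hr-portal,fido2
2023-07-03,bob,vpn,password
2023-07-10,bob,vpn,hello
2023-07-12,carol,vpn,password
2023-07-20,dave,ldap-app,password
2023-07-21,alice,vpn,fido2
"""
# Constructed application inventory: app -> (risk tier, integrated with central provider).
APPS = {
    "vpn": ("high", True),
    "hr-portal": ("high", True),
    "ldap-app": ("low", False),  # legacy LDAP auth; cannot use the passwordless provider
}
# Assumed method labels that count as passwordless in this log format.
PASSWORDLESS_METHODS = {"fido2", "hello", "passkey"}

def parse_log(text):
    """Turn the CSV-style log into (date, user, app, method) tuples."""
    rows = []
    for line in text.strip().splitlines():
        day, user, app, method = line.split(",")
        rows.append((date.fromisoformat(day), user, app, method))
    return rows

def user_acceptance(rows, as_of_iso, window_days=30):
    """Users whose every sign-in in the window was passwordless, and the holdouts."""
    cutoff = date.fromisoformat(as_of_iso) - timedelta(days=window_days)
    by_user = {}
    for day, user, _app, method in rows:
        if day >= cutoff:
            by_user.setdefault(user, set()).add(method)
    adopted = {u for u, methods in by_user.items() if methods <= PASSWORDLESS_METHODS}
    return adopted, set(by_user) - adopted

def high_risk_integration(apps):
    """(integrated, total) count of high-risk apps wired to the central provider."""
    high = [a for a, (tier, _) in apps.items() if tier == "high"]
    return sum(apps[a][1] for a in high), len(high)

def project_complete(rows, apps, as_of_iso, acceptance_goal):
    """Judge completion against the goal fixed at project start, not a moving target."""
    adopted, holdouts = user_acceptance(rows, as_of_iso)
    done_apps, total_apps = high_risk_integration(apps)
    acceptance = len(adopted) / max(len(adopted) + len(holdouts), 1)
    return done_apps == total_apps and acceptance >= acceptance_goal
```

Users who still mix in password sign-ins land in the holdout set, which is the list to carry into the normal technology refresh cycle.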

Passwordless Deployment Pitfalls

When starting your passwordless journey, the major pitfalls and failures to watch and plan for in your deployment include:

  • Missed expectations: Many organizations deploying passwordless expect all applications will integrate and work with the solution. They then quickly see their entire environment does not or cannot work based on how it is deployed. For instance, applications that use legacy authentication (e.g., LDAP) may not be able to support modern/passwordless mechanisms.
  • User pushback: Despite the fact that passwordless aims to improve user experience, it can be disruptive. Some users may resist the deployment due to the need to change the user login, require additional devices, enforce mobile enrollment, etc. It’s important to plan for alternative authentication methods and options to address these challenges.

Keys to a Successful Passwordless Deployment

No IAM project (passwordless included) is ever truly complete, given the evolving risks, usage and possible number of integrations. To ensure your passwordless rollout stays on track:

  • Determine an initial goal/metric: When planning the initial deployment, ensure “complete” is measured against that initial goal so that the goal posts don’t keep moving.
  • Ensure ongoing milestones are staffed/budgeted properly: You should also plan for ongoing operations for continued integrations and deployments as new technology purchases occur, existing technologies are identified and so on. This means setting new goals, earmarking budgets and assigning staff on an ongoing basis.
