Passwordless authentication has eluded the cyber security community for decades, but that’s changing. The technology exists, and it works – both for employees and for consumer identity and access management (IAM/CIAM).
The passwordless approach eliminates friction, of particular importance in a retail environment. It’s also far more secure than passwords, which are easily compromised. In fact, more than 80% of account compromises involve passwords, according to the latest Verizon Data Breach Investigations Report. Meanwhile, financial losses associated with identity-based fraud increased to $6.1 billion in 2021.
While passwordless access represents a clear step forward, there are potential pitfalls. Here are five best practices for implementing passwordless multi-factor authentication:
- Plan carefully. Formulate a comprehensive, organizationwide technical strategy that’s consistent with business goals. In some organizations, IAM and CIAM are often managed by different groups. Get these groups on the same page in terms of how broadly they will implement passwordless access, the teams responsible for which aspects of the deployment, whose budget will pay for the necessary technology, and the schedule. Also, large organizations typically have thousands of applications. Decide on which ones will attackers target and set priorities. For example, 80% of logins are associated with remote access. So make securing onboarding and authentication for remote access a priority.
- Communicate with stakeholders at every level. As with any new process that affects an organization’s workforce, passwordless access requires notification and some degree of selling. No matter what the potential user benefits of passwordless, some individuals will resist the transition away from passwords, so it’s important to present a convincing case to get everyone’s buy-in. Upper management and board of directors are potentially an easier “sell” given the current anxiety around data breaches and their impact on business continuity, legislative fines, customer retention and share price. Also, business units that depend on customer-facing applications, particularly B2C, will likely welcome a move to passwordless access as it significantly diminishes friction.
- Consider self-sovereign identity. Five or so years ago, technology that let users create a trusted, reusable identity didn’t exist. Now, smart phones have 12 megapixel cameras as well as hardware-based trusted platform modules (TPMs) capable of generating and securely storing cryptographic keys. These capabilities support the creation of a digital wallet that enable passwordless access, and offer users with sole access/control over their personally identifiable information. In simple terms, here’s the process: The user scans a government-issued photo ID, e.g. a driver's license or passport. The wallet verifies the legitimacy of the ID in real-time through a trusted third party. Then, because they are hard-to-spoof, the user takes a video selfie, which the wallet matches with the photo on the ID. Finally, the wallet generates a credential which protects the user via public/private key cryptography. From that point on, the user can sign on via any chosen biometric that has been securely bound to the credential.
- Practice controlled, phased implementation. Put bluntly, implementing passwordless across multiple applications and users at once can cause a disaster. If anything goes wrong, and that’s certainly a possibility with any new system, then the always-present resistance to change will surely increase. It’s far wiser to test with a small group of applications and users and then expand coverage in phases until achieving complete adoption. Start the process by offering the old system and passwordless in coexistence. The team can offer users a split screen, designating one-half for passwordless access and the other based on the familiar password. It’s likely that early adopters will serve as champions of the new approach and help speed adoption.
- Offer self-service management for legacy passwords. Just because the company rolled out identity-based passwordless access, passwords will not entirely disappear. Two or three months down the line, it’s virtually guaranteed that individuals will need to gain access to an application that requires a legacy password. Use a self-service password reset (SSPR) tool. Ideally, it’s possible to use passwordless that’s built into an app to reduce the need for authentication into the network. But whatever the mechanism, make reducing user friction to a minimum while maintaining high security top objectives.
Ultimately, think of the transition from passwords to passwordless, identity-based access as a marathon, not a sprint. While it’s likely that we’re still several years off before passwords will seem as outmoded as floppy disks, companies that move in this direction can enjoy convenience and security benefits immediately. Today, we are finally making our way into the passwordless era.
Mike Engle, chief strategy officer, 1Kosmos