How Passwordless Can Elevate Higher Education
Passwordless authentication is one of the biggest trends in security this year. From the largest of software providers to the smallest of startups, everyone is adding their voice to the chorus of passwordless converts. And we’ll admit, Duo is a convert as well. We truly believe that passwordless authentication will be a sea change that simultaneously enables stronger security while making it easier for users to login. That’s why we’ve committed to making the transition as easy as possible from a world filled with passwords to one with far fewer “password123”s.
However, headlines about passwordless typically read like this: “Company X Wants to Eliminate the Password” or “The Time for Passwordless Authentication Is Now.” The problem with these articles is that the pitch of passwordless is the easy part. These headlines basically state, “Horses are slower than cars” or “The time for the car is now.” While definitely true, it’s not particularly helpful in assessing whether a car is right for me as an individual. Whether a car is valuable depends on a few things: Do I travel over great distances or do I live in a city? Can I afford to pay for the car and the ongoing gas consumption? How do I choose which car is right for me?
As such, it’s high time that we start to get specific in describing current environments and how folks in those specific places can begin their passwordless journey. For example, let’s take higher education as a sector. To address whether a headline like “The Time for Passwordless Is Now” applies to higher education, begin with the lens of security. We know that higher education definitely has its fair share of security concerns. From the protection of research and intellectual property to the safeguarding of student data and financial information, the job of securing a university environment is a serious one. Hackers leveraging stolen credentials can target student loan dollars via student disbursement fraud, or administrators tasked with dispensing cash to vendors, speakers, or entertainers.
Given the risks to a university associated with password weakness and credential theft, it’s fair to say that higher education environments fall firmly into the “would benefit from the technology” category when thinking about whether passwordless authentication is a fit.
However, is the new technology valuable enough to make the transition from the status quo? Many universities have been successful in their adoption of multi-factor authentication and zero trust principles. So why move from MFA to passwordless?
Naturally, at Duo we believe in the power of multi-factor authentication. It’s the simplest yet most potent control to put in place to improve security posture. By placing MFA protection in front of critical infrastructure and applications, IT and security professionals not only take great steps in preventing hacks and breaches, but can also see a drastic reduction in cyber liability insurance premiums.
Over time, we’ve seen firsthand the ire of students frustrated by login processes. Though we’ve worked very hard to make the MFA experience as seamless as possible, there are certain academic use cases where accepting a second factor might be inconvenient, like in an exam setting where phones are not allowed.
In many cases, passwordless authentication can help alleviate frustration with login experiences:
“Friction around the login process is one of the greatest sources of stress for students. Passwordless is a great way to improve their experience while simultaneously improving the security posture of the institution.” —Helen Patton, Advisory CISO, Duo / Former CISO, Ohio State University
Passwordless implementations often take advantage of advances in hardware technology to simplify authentication. For example, most passwordless solutions can leverage platform biometrics, like TouchID on a Mac or Windows Hello on a Windows device, to securely log on without a password. Don’t worry, passwordless still counts as MFA, with possession of the device being one factor and the biometric being the second. If a student could securely authenticate with a single gesture, without the need for a second device, wouldn’t that address both the security concerns addressed by MFA, but also provide the ease of use that students desire? We hope so.
But wait, you may now be asking yourself, how prevalent are biometrics among my student population? And are these students ready to start authenticating with biometrics like a fingerprint instead of a password? The answer may surprise you. In a recent survey conducted by Duo, spanning thousands of consumers aged 16-24, the results showed that 90% of respondents own at least one device with biometrics enabled. Furthermore, 70% of respondents said they’d feel comfortable using their fingerprint as a mechanism to login.
Given the growing prevalence of both biometric-enabled devices and comfort with their use, passwordless seems like a good fit for the higher education environment. However, the question now becomes how to implement this new technology. Does the university IT team take it on themselves to build an internal passwordless authentication solution? It’s possible. Stanford University has touted their Cardinal Key mechanism as a solution to the password problem. However, for many universities, taking on a homegrown passwordless project may be akin to building a car from scratch in the garage. This is a car that must start and must drive consistently.
Another consideration is the passwordless journey. Passwordless may be a great fit for the student population at a university, but professors and administrators will have different use cases or expectations. Perhaps they just got used to the idea of push-based multi-factor authentication and don’t want to transition to a new form of authentication, or maybe the prevalence of usable biometrics is lower on their set of devices.
In situations like these, it may be worthwhile to start a passwordless journey with a certain set of users while maintaining the security of MFA with others. Advisory CISO Helen Patton suggests, “Choosing a population that will not only embrace passwordless, but also help the rest of the institution see the benefits of it, is a great way to start on the passwordless journey.” Taking this approach, there’s no backward security motion as the environment progresses to passwordless.
Duo is looking to help solve this use case. Our passwordless solution makes it easy to roll out passwordless to particular sets of users at a time, while maintaining the security of MFA for everyone else. We agree with the headline “Passwordless Is Here to Stay,” but we also know that highlighting particular use cases and sectors where implementation makes the most sense is key to passwordless adoption. After reviewing the specific needs of higher education, we find that colleges and universities are a great fit for exploring and benefitting from the passwordless future.
EdTech Magazine: Higher Ed's New Approach to Pandemic Cybersecurity
Secplicity: Security in Higher Ed - Trust, Student Experience, and Multi-Factor Authentication
TechCrunch: How Startups Can Go Passwordless, Thanks to Zero Trust
TechCrunch: Yubico’s New Hardware Key Features a Fingerprint Reader for Passwordless Logins
Duo’s Passwordless Authentication Resources
Explore our Administrator's Guide to Passwordless blog series
Learn more about our passwordless authentication solution
Read our white paper, Passwordless: The Future of Authentication
Watch our webinar, How Duo is Making Passwordless Progress Easier
Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy
Try Duo for Free
Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.