Pack Your Bag : A Gear List for a Successful Passwordless Journey
Adopting new processes and technology solutions designed for the corporate workforce is a little like planning a backpacking trip. You gather your gear and plan your route, but once you set out there is no way of knowing what trials or roadblocks you will face.
In the words of Benjamin Franklin “If you fail to plan, you are planning to fail.”
Passwordless is Coming
In our previous blog on Providing a Passwordless User Experience, we discussed the nature of passwordless as a journey. When I talk to organizations, the complexity of their authentication environments astounds me! Being an aspiring backpacker, it reminds me of planning a trip into the wilderness and all of the factors I have had to consider. Unlike the wilderness, with its natural disasters and untamed wild animals, the corporate setting has a lot of knowns: multiple authentication factors in use, the underlying protocols, and end user requirements (which one could argue are much like the untamed wild animals).
One firm I spoke with told me, “When I think of passwordless, I think about the next five years, not the next 12 months.” Similar to me planning my trek into the wilds, this organization is thinking well in advance of how they are going to reach their final destination of being password free.
With any journey it is understood that things may not go exactly to plan, and despite the challenges, there is a clear desire in the market to realize a passwordless reality. An internal survey we conducted showed 57% of respondents are considering implementing a passwordless authentication solution in some form over the next two years. The technical building blocks are there. In the last few years we have seen advances in biometrics and secure hardware, continued development of platforms like Touch ID and Windows Hello, and increasing adoption of open standards like FIDO2.
But What is Passwordless?
Similar to planning for an outing, you have to make sure you have all the key equipment. While each item on its own has value, you’re not ready until you have all the elements together. When I think of passwordless from a product perspective, we’re currently seeing the evolution of building blocks fitting together into solutions.
One way to think about passwordless is simply ‘the removal of a password as a factor.’
If we remove the password and combine multiple weaker factors in one authentication, we can still try to verify the identity of a user accessing a system. The problem is that this leaves the burden on the user to ensure they are 'doing the right thing', for example checking that they are not typing their OTP into a malicious site: a one-time code carries no information about where it is being entered, so nothing stops an attacker from relaying it to the real site. This runs counter to the benefit we expect from passwordless, which is removing friction and making things easier. It is like asking a hiker to head into the wilderness relying solely on an outdated paper map. The trip may well succeed, but the odds of challenges and unknowns go up. In contrast, when you leverage GPS, technology designed to ensure you do not get lost, there is a clearer, safer path to your destination.
The potential of passwordless is to create a world where users are safe by default. The simple action we ask the user to perform for authentication (scanning their fingerprint or face) is backed by a FIDO2-based factor that is not phishable: the credential is scoped to the site it was registered with, the browser (not the page) records the origin in the signed response, and the server rejects any response whose origin does not match. A lookalike site therefore cannot obtain a valid assertion, no matter what the user does.
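To make the contrast above concrete, here is an added example (not code from the original post or from Duo) that simulates the two server-side checks side by side: a relayed OTP verifies fine because it is not tied to any site, while a FIDO2/WebAuthn-style assertion produced on a lookalike origin is rejected by the relying party. The relying party ID, origins, challenge and keys are made up for the demonstration, and an HMAC stands in for the credential's asymmetric signature so the script runs with the standard library only; the origin and rpIdHash checks are the real point.

```python
import hashlib
import hmac
import json

# Hypothetical relying party (RP) configuration; values are assumed for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


# --- OTP: nothing in the code says where it was typed ---------------------
def otp_for(secret: bytes, counter: int) -> str:
    """HOTP-style code: HMAC over a counter, truncated to six hex digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).hexdigest()
    return mac[:6]


def verify_otp(secret: bytes, counter: int, code: str) -> bool:
    """The server only sees the digits; a code relayed from a phishing page is accepted."""
    return hmac.compare_digest(otp_for(secret, counter), code)


# --- WebAuthn-style assertion: the browser binds the response to the origin --
def authenticator_sign(cred_key: bytes, rp_id: str, client_data_json: bytes):
    """Authenticator builds authData (rpIdHash || flags || signCount) and signs
    authData || SHA-256(clientDataJSON). HMAC stands in for the credential's
    private-key signature (assumption for this example)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"  # UP (user present) bit set
    sign_count = (0).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + sign_count
    client_data_hash = hashlib.sha256(client_data_json).digest()
    sig = hmac.new(cred_key, auth_data + client_data_hash, hashlib.sha256).digest()
    return auth_data, sig


def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str):
    """The browser, not the page, fills in 'origin' and derives the RP ID from it.
    (Simplified: a real browser also permits a registrable-domain suffix as RP ID.)"""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator_sign(cred_key, rp_id, client_data)
    return client_data, auth_data, sig


def verify_assertion(cred_key: bytes, expected_challenge: str,
                     client_data: bytes, auth_data: bytes, sig: bytes):
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def phishing_relay_demo():
    """Attacker proxies the real site from a lookalike origin and relays what the
    victim produces. Returns (otp_accepted, assertion_accepted, reason)."""
    otp_secret = b"constructed-otp-secret"          # constructed sample secret
    cred_key = b"constructed-credential-key-32b!!"  # constructed sample key
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"      # constructed challenge

    # 1. Victim types the OTP into the phishing page; attacker forwards it.
    relayed_code = otp_for(otp_secret, counter=42)
    otp_accepted = verify_otp(otp_secret, 42, relayed_code)

    # 2. Victim completes a WebAuthn ceremony on the lookalike origin; the browser
    #    stamps that origin into clientDataJSON and the RP refuses it.
    cd, ad, sig = browser_get_assertion(cred_key, "https://examp1e.com", challenge)
    assertion_accepted, reason = verify_assertion(cred_key, challenge, cd, ad, sig)
    return otp_accepted, assertion_accepted, reason


if __name__ == "__main__":
    print(phishing_relay_demo())  # (True, False, 'origin mismatch')
```

The legitimate ceremony on `https://example.com` passes every check, so the difference is not the user's vigilance but the fact that the browser, rather than the page or the user, is the one asserting where the response came from.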
As we discussed in Can Passwordless Authentication Be Trusted?, layering contextual information and policy on top to identify risk increases security and can reduce how often a user needs to authenticate. The goal is a solution that is iPhone-easy for end users, but has the strong security properties needed by modern organizations.
The Road Ahead
There is a long path forward to the vision outlined here. Organizations can start reducing their reliance on passwords today by implementing multi-factor authentication (MFA), single sign-on (SSO), and access policies. Realizing the passwordless end state, however, requires an evaluation of the key use cases to address and a conscientious, staged approach to implementation.
In considering passwordless, we are really at the base of the mountain. Some of us have hiked the first few miles, but what is ahead of us is the ascent to the top. As WebAuthn is supported across all major browsers, there’s a clear path forward for federated, web-based applications.
Given the diversity of authentication scenarios in most companies, however, any admin will immediately ask, "What about the rest of my applications?" To put legacy apps and auth methods in perspective: in the last 30 days alone, Duo handled hundreds of millions of authentications for applications that do not support FIDO2 authentication.
As we discussed in "Providing a Passwordless User Experience," right now it is about incrementally shifting use cases away from passwords where possible. Like any hike, we should start with the easiest path that gets us the furthest along the journey in the shortest amount of time.
In the long-term, passwordless solutions should abstract this complexity away for the end user. The user experience should be the same simple interaction regardless of the application or device involved. I, for one, can’t wait!
To help organizations prepare for passwordless, we published a new white paper “Passwordless: The Future of Authentication.”
Try Duo For Free
With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.