Passwordless Authentication – Going Beyond the Hype With 3 Key Considerations
There’s no denying that passwordless is a hot topic, and rightly so: no one likes passwords. Users have too many to remember and manage, IT admins spend a lot of time on password-related help desk tickets and password resets, and compromised passwords are still the leading cause of breaches.
What is Passwordless Authentication?
For those wondering what “passwordless” even means, here’s a quick definition: passwordless authentication establishes a strong assurance of a user's identity without relying on passwords.
“I define passwordless authentication as the act of authenticating without a shared secret. I think it's as simple as that, and I say it like this on purpose, because passwordless can take many different forms. Depending on the use case or vendor you're talking to, passwordless can mean a mobile push, certificate-based auth, biometric auth or any number of other solutions. However, whatever form it takes, passwordless should increase security, make it faster for users to log in and be easy to deploy. At Duo, we have strong opinions that passwordless technology should be based on asymmetric cryptography, as enabled by a protocol like WebAuthn.” — Chris Demundo, Product Manager, Duo
The Promise of Passwordless Authentication
The promise of passwordless technology is that it increases usability, by streamlining authentication, while simultaneously increasing security, by removing the password as a weak point in authentication. The traditional trade-off in security is that making environments more secure means placing more rules and restrictions on end users. Passwordless potentially throws this relationship out the window.
So, it’s not very surprising that organizations are increasingly exploring this technology. Consequently, there’s a lot of noise from multiple vendors related to passwordless authentication today, turning it into more of a buzzword! But as with any new technology, organizations need to think about their own goals and use cases and map them to the best-aligned solution in the market.
3 Key Considerations For Passwordless Authentication
In this blog, let’s talk about some key considerations when adopting passwordless:
1. Passwordless Is a Journey
As much as we would like it, passwords won’t disappear overnight. Modern IT environments are complex, and replacing every authentication use case with passwordless technology requires careful planning and a phased approach.
Here are some important questions to ask:
Which authentication use case should be targeted first while rolling out passwordless authentication?
Are you making any security tradeoffs while choosing an application for the passwordless authentication use case? Will the same application be able to provide other authentication capabilities, or will you need to add multiple vendors?
In order to ensure a smooth rollout, will you have the option to enable passwordless authentication for a subset of users before expanding to the full workforce?
In cases where passwordless authentication might not be a good fit yet, whether due to technological or budget limitations, will there be a fallback to another secure authentication mechanism?
2. Providing Frictionless Usability
Passwordless authentication is promising technology, but promising doesn’t automatically mean usable. One of the motivations for passwordless is saving IT teams time responding to password-related help desk tickets. But if not implemented thoughtfully, passwordless authentication could lead to other user issues for the IT team.
Organizations should be thinking about the following:
Today, with passwords, users are well aware of the self-service password recovery process. Will there be a seamless recovery process available in case passwordless does not work, for example, due to lost or stolen devices?
Will passwordless work for users with multiple devices, as well as for users with shared devices?
Will the passwordless application be able to provide a consistent end user experience across all authentication use cases, passwordless or not?
3. Passwordless Authentication Alone Is Not Enough
Perhaps most importantly, customers should be aware of the security tradeoffs they may face when adopting a passwordless authentication solution that doesn’t offer equally robust functionality for the other authentication use cases it must still cover.
The focus should always remain on increasing trust in authentication while simultaneously reducing authentication friction, and on covering all the use cases that get you there.
Duo Is Making Secure Passwordless Authentication a Reality
Here at Duo, we are excited about passwordless too! We have developed an extremely thoughtful approach to passwordless to help our customers securely and seamlessly transition to passwordless. We want to ensure that Duo continues to meet our customers where they are today without being disruptive, and that it aligns with their future plans and initiatives.
Stay tuned to hear more about Duo’s approach to passwordless and how we address all the considerations mentioned above.
Also check out prior blog posts on passwordless authentication.
Try Duo For Free
Sign up for our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.