Thinking Strategically About Passwordless
The best security control is the security control people actually use. We’ve shifted from enforcing security to creating security that users want to adopt. When it comes to zero trust, one thing many of us have been considering is how to make it attractive to end users. Enter passwordless authentication.
The problems of passwords are well understood. People have too many of them, for starters. People forget passwords. This results in IT and help desk work resetting passwords and unlocking accounts. People reuse passwords. This leads to the security team working overtime to stop attackers from logging in with credentials from the latest password dump.
No one likes passwords.
Going passwordless means establishing a strong assurance of a user's identity without relying on passwords, allowing users to authenticate using biometrics, security keys, or a mobile device. Passwordless authenticates with whatever is appropriate for the use case. No passwords, no problems. (That might be a slight exaggeration.) The shift away from passwords improves both the user experience and security. When positioned as part of an overall zero-trust architecture, passwordless becomes what’s in it for the people.
The journey to passwordless begins with carefully selecting the people, devices and applications in scope. As with other transformations, it is imperative that we scope the use cases to maximize buy-in and risk reduction for the effort invested. Given that scope, the high-level approach to passwordless includes:
- Reduce Password Reliance: Strong Authentication for All Apps - Reduce your reliance on passwords and lower the risk of credential theft by protecting cloud and on-premises applications with Duo’s multi-factor authentication (MFA).
- Achieve Fewer Passwords: Minimize Passwords for Cloud Apps - Achieve fewer passwords by using WebAuthn with Duo and single sign-on (SSO) for SAML-based applications. Ideally, users can log in using a single biometric authenticator (or security key) to access any web-based application.
- Achieve True Passwordless: Eliminate Passwords for Legacy & Cloud Apps - Achieve true passwordless for all use cases, both legacy tools using older protocols and cloud-based applications, by removing passwords as the primary factor.
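The middle step above rests on WebAuthn, so it helps to see what a relying party actually checks when it accepts a security-key or biometric login instead of a password. The following Go program is an added example and not Duo's code or any WebAuthn library; it assumes a minimal authenticatorData layout (rpIdHash, flags, sign counter), a P-256 key registered earlier, and simulates the authenticator in-process. It runs a genuine login, a replay of the same assertion, and a login relayed through a look-alike origin, showing why the challenge, origin and counter checks are what make the factor phishing- and replay-resistant.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the fields of WebAuthn's clientDataJSON that matter here.
// The browser, not the page, fills in origin, so a phishing site cannot forge it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Credential is what the relying party (RP) stored at registration time.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// NewChallenge returns 32 random bytes, base64url-encoded without padding.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// buildAuthData builds a minimal authenticatorData: rpIdHash(32) || flags(1) || signCount(4, big-endian).
// Assumed layout for this example; real authenticators may append extensions.
func buildAuthData(rpID string, userPresent bool, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	flags := byte(0)
	if userPresent {
		flags |= 0x01 // UP (user present) bit
	}
	ad := append([]byte{}, h[:]...)
	ad = append(ad, flags, byte(count>>24), byte(count>>16), byte(count>>8), byte(count))
	return ad
}

// signAssertion simulates the authenticator: sign SHA-256(authData || SHA-256(clientDataJSON)).
func signAssertion(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return ecdsa.SignASN1(rand.Reader, priv, msg[:])
}

// VerifyAssertion performs the RP-side checks and returns the new sign counter to store.
func VerifyAssertion(cred *Credential, expectedOrigin, rpID, expectedChallenge string,
	clientDataJSON, authData, sig []byte) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return 0, errors.New("challenge mismatch")
	}
	if cd.Origin != expectedOrigin {
		return 0, errors.New("origin mismatch: assertion was made for another site")
	}
	if len(authData) < 37 {
		return 0, errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], want[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return 0, errors.New("user presence not asserted")
	}
	count := uint32(authData[33])<<24 | uint32(authData[34])<<16 | uint32(authData[35])<<8 | uint32(authData[36])
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, msg[:], sig) {
		return 0, errors.New("invalid signature")
	}
	// A counter that fails to advance indicates a replayed assertion or a cloned authenticator.
	if count != 0 && count <= cred.SignCount {
		return 0, errors.New("sign counter did not increase")
	}
	return count, nil
}

// ScenarioResult records which of the three constructed logins the RP accepted.
type ScenarioResult struct{ Genuine, Replay, Phished bool }

// RunScenario registers a key, then tries a genuine login, a replay, and a relayed (wrong-origin) login.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	cred := &Credential{PublicKey: &priv.PublicKey}
	const rpID, origin = "example.com", "https://example.com" // assumed RP
	ch, err := NewChallenge()
	if err != nil {
		return r, err
	}
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: ch, Origin: origin})
	ad := buildAuthData(rpID, true, 1)
	sig, err := signAssertion(priv, ad, cdj)
	if err != nil {
		return r, err
	}
	if n, e := VerifyAssertion(cred, origin, rpID, ch, cdj, ad, sig); e == nil {
		cred.SignCount = n
		r.Genuine = true
	}
	// Replay: the identical assertion is submitted again; the counter check rejects it.
	_, e := VerifyAssertion(cred, origin, rpID, ch, cdj, ad, sig)
	r.Replay = e == nil
	// Relay through a look-alike host: the browser records that host as the origin.
	cdjPhish, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: ch, Origin: "https://examp1e.com"})
	ad2 := buildAuthData(rpID, true, 2)
	sig2, err := signAssertion(priv, ad2, cdjPhish)
	if err != nil {
		return r, err
	}
	_, e = VerifyAssertion(cred, origin, rpID, ch, cdjPhish, ad2, sig2)
	r.Phished = e == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	fmt.Printf("genuine=%v replay=%v phished=%v err=%v\n", r.Genuine, r.Replay, r.Phished, err)
}
```

In practice a real authenticator would also refuse to sign for a credential scoped to a different rpId, so the relayed case never even reaches the server; the RP-side origin check shown here is the second line of defence, and the counter check is what catches a replayed or cloned credential.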
The strategy is strengthening the user identity while improving the user experience. From a security perspective, a passwordless play establishes the cornerstone of a zero-trust architecture. Without the ability to establish and maintain trust in the user identity, the additional components of zero trust have nothing to build upon. More importantly, from a usability perspective, a passwordless play actually improves people’s daily work.
User adoption has taken the front seat in security today, and passwordless gets us there.
Come visit us at RSA Conference 2020 at our Duo booth [#1835S] to learn more about the human element of passwordless and ask for a demo. Talk to our team and ask them how, through our technology partnerships, Duo is innovating toward a true passwordless future!
If you want to hear more about our vision for true passwordless, stop by the Cisco Booth [#6045N] at 5:00 p.m. Tuesday, Feb. 25 as Steve Won, Group PM for Authentication, gives a booth talk about the journey to passwordless.