It’s no secret — passwords can be a real headache, both for the people who use them and the people who manage them. Over time we each accumulate hundreds of passwords; they are easy to lose track of and easy to compromise. Fortunately, passwordless authentication is becoming a feasible reality for many businesses. Duo can help you get there.
Passwordless authentication (or “modern authentication,” as it is known by some) is the term used to describe a group of identity verification methods that don’t rely on passwords. Biometrics, security keys, and specialized mobile applications are all considered “passwordless” or “modern” authentication methods. Because it addresses the ever-pervasive problem of credential theft, some industry experts have even characterized passwordless as the future of authentication.
Passwordless provides secure access for every enterprise use case (hybrid, cloud, on-premises and legacy apps). Through technology partnerships, Duo is innovating toward a true passwordless future that balances usability with stronger authentication. Passwordless gives users a frictionless login experience, while reducing administrative burden and overall security risks for the enterprise.
In an effort to combat hackers who target passwords to access cloud-based applications, passwordless methods that associate users to their devices offer increased security and usability, which is a rare win/win for security.
— Peter Firstbrook, Research Vice President, Gartner, Inc. (Gartner Security & Risk Management Summit 2019)
Passwordless authentication isn’t just a nice-to-have — it can actually improve an organization’s security posture and reduce costs associated with password management. Passwords create higher friction for users, slow down business productivity, and are inherently a weak form of user authentication.
Passwordless authentication ideally involves less user interaction during the login process than traditional forms of authentication. It uses public key cryptography, which authenticates the user with a pair of cryptographic keys — a private key that’s a secret, and a public key that isn’t — and it comes with a lexicon of new (or relatively new) acronyms and standards such as FIDO2 (FIDO stands for Fast IDentity Online; FIDO2 is an umbrella term for the combination of the WebAuthn web API and the Client to Authenticator Protocol, CTAP).
Implementing passwordless is no small task, especially when you’re dealing with large user populations, a substantial number of apps, hybrid infrastructures and complex login flows. Achieving a completely passwordless environment is a journey that involves a phased approach as technology continues to evolve and user adoption increases. Although complete elimination of passwords is still far off, reducing reliance on them is already feasible by implementing MFA, establishing trust in devices, leveraging SSO and implementing adaptive access policies.
Passwordless authentication provides a single, strong assurance of users' identities to achieve user trust. For enterprises, this means:
A reduction in user frustration and an increase in user productivity.
A reduction of the administrative burden of password-related help desk tickets and password resets.
The elimination of threats and vulnerabilities related to passwords (phishing, stolen or weak passwords, password reuse, brute-force attacks, etc.).
If your business has a goal of reducing the security risk associated with passwords, passwordless is almost certainly worth pursuing. Identity is becoming the new perimeter, and to secure it, companies must put access controls around both users and their devices — also known as the “workforce.”
To address this new reality, many organizations are adopting a zero-trust security approach, under which trust is verified at each access attempt. The best security should be invisible and have minimal impact on the productivity of users. Passwordless authentication is a key part of verifying user trust, in a more user-friendly, simplified and secure way.
However, there are a few factors that will determine the level of effort involved in implementing passwordless. If you have a complex hybrid environment, it’s going to be more difficult to transition to passwordless.
We recommend having a few technical experts assigned specifically to your passwordless project, so that you can address any issues as they arise. When done correctly, however, a passwordless approach significantly minimizes the likelihood of a breach due to stolen credentials.
Pairing passwordless technology with strong MFA is a practical way to provide the broadest security coverage today. With MFA in place, you can reduce your reliance on passwords and modify password policies to require less frequent resets, alleviating help desk burden and reducing user frustration. We recommend taking a phased approach to securing access for the workforce, with each step taking you closer to a fully passwordless future:
Begin to reduce your reliance on passwords and lower the risk of credential theft by selecting specific enterprise use cases for a passwordless approach.
Reduce passwords by using single sign-on (SSO) for SAML-based cloud applications. For on-premises services, integrate application workflows using access and authentication proxies.
Enable users to log in using a single biometric authenticator (or security key) to access applications at the point of federation.
The final step in the journey is integrating the technology and moving towards continuous improvement. True passwordless will eliminate reliance on passwords for any login workflow, either behind the scenes or throughout your users’ experiences.
Duo creates consolidated solutions that balance security with usability, providing strong MFA, single sign-on, adaptive access policies and device trust for hybrid environments. The building blocks to support a passwordless login experience exist today for access to cloud-based applications. Our goal is to support organizations as they move to a passwordless future through the following:
With MFA enabled for all applications, users’ credentials are protected by a strong security layer that thwarts account takeover. Once MFA is in place, password policies can be configured to require less frequent resets, getting you one step closer to a password-free user experience.
Duo MFA is available in all Duo editions.
Leveraging federated logins protected with MFA is an excellent step on the road to a passwordless user experience for your workforce. Use Duo to integrate an existing single sign-on (SSO) platform, or take advantage of its alternative SSO options for SAML-based applications.
Duo SSO and the Duo Access Gateway are available in all Duo editions.
Configuring access policies to evaluate contextual signals around each access attempt makes anomalous user behavior obvious and easy to detect. In turn, it’s easier to verify trust in the devices authorized for access, and ensure those devices don’t introduce any level of risk or compromise to an environment.
Duo supports the use of open standards, such as WebAuthn, as MFA methods for SAML applications, allowing users to authenticate without the use of a password. With this functionality, organizations can establish a passwordless login workflow for cloud applications, without ripping and replacing existing infrastructures.
WebAuthn and Agnostic Integrations are available in all Duo editions.
While federation provides a starting point, enterprise companies are filled with complex use cases, including OS login and protecting legacy applications.
There is work to be done to provide passwordless uniformly throughout an environment, and organizations will move iteratively towards a true passwordless future, tackling one use case at a time.
Duo is investing in and building tools that will provide the ability to scale a passwordless experience throughout a hybrid environment. Duo is working with industry and technology partners to create a comprehensive ecosystem that can support true passwordless across every enterprise use case.
Learn more about what Duo is doing to pave the way for a passwordless future by working to make passwordless technology and standards open, accessible and easy for the broader community:
Duo’s MFA is the foundation for any passwordless security strategy. MFA minimizes the risk that compromised credentials of any kind can be used to access your applications.
Duo’s Single Sign-On lets you streamline access to any and every application, reducing the number of passwords users need to manage.
Duo gives you granular control of the authentication methods available to your users. Allow the ones that meet your security needs and block the ones that don’t, based on who’s accessing which application, and how.
A world without passwords is closer than you think. In this guide, we'll explore the considerations associated with a shift to passwordless, dig deeper into what is achievable today, and plot a five-step phased approach that your organization can follow to lay the foundation for a passwordless future.