How to Make Passwordless Work in the Real World
The passwordless authentication market is surging as a growing number of vendors offer platforms promising ease of use and enhanced security through a single centralized sign-on. The challenge is that most passwordless solutions require several different technologies to support them. Many approaches solve one passwordless use case but not another.
This piece explains common passwordless platform issues and provides alternative solutions as well as tips to make passwordless work in real-world business environments.
Passwordless Market Challenges
A lot of confusion in the passwordless market stems from the fact that vendors promote passwordless as if it delivered a passwordless experience across all applications, but very few can actually cover all of those use cases. This leaves out legacy applications and systems, which often have no compatibility with passwordless technologies.
One approach is to partner with vendors that take a heterogeneous passwordless approach. Effectively, these vendors replace the Windows and Mac login experience, so people have a consistent login experience and can log in using their security token or a biometric. For larger organizations, however, this is usually a nonstarter because of the risk and complexity of chaining primary authentication to a single small vendor.
Alternatively, many organizations start by relying on native tools for device authentication, such as Face ID or Touch ID for Mac and Windows Hello for Windows. They then take that initial experience and use that device factor, or a comparable authentication mechanism, to go from the device into the applications. This is the more common approach organizations take with passwordless: it targets specific enterprise scenarios and extends the value the organization gets from its MFA/SSO vendors.
Aim for Less Passwords vs. Passwordless
Few organizations have moved entirely to passwordless. From a technology perspective, this is due to:
- Limitations in legacy applications: Many legacy applications cannot support passwordless and cannot be upgraded.
- Limitations in modern applications: Some SaaS applications can either directly support passwordless (FIDO2) or support it through SSO with federation (SAML, OAuth/OIDC). However, many SaaS apps cannot support either approach today and, therefore, an organization’s application portfolio will have coverage gaps.
In addition, many of today’s business processes increase the complexity of passwordless deployments. Many employees have multiple separate accounts (e.g., application owners, IT administrators, operations, etc.), and many processes require passwords. For example, a privileged user might log on to their primary desktop and then go to a privileged access management system to get another password, or they could log in with their admin account and request additional privileges. These scenarios are usually easier to handle because they concern IT people, who are comfortable with complexity. Business processes involving nontechnical users, however, are more challenging.
In the end, most organizations are taking a “less passwords” approach, instead of aiming for complete passwordless.
Take a Realistic Approach to Passwordless
Passwordless works well in situations where users identify themselves to their dedicated device and when a majority of the applications they access are provided either locally or over SSO. This use case can demonstrate the efficacy of passwordless to the organization and be used to communicate and negotiate with internal and external auditors.
Tips to improve the chances of success with your passwordless deployment include:
- Identify the appropriate user population: People who are excited to try an easier way to authenticate, who have dedicated computers and who are patient when working through the edge cases are the best candidates to start with.
- Partner with SSO providers on passwordless: SSO products can be used to accept the device authenticator (Windows, MacBook) to log into the SSO launcher and then seamlessly provide access to SSO-supported apps.
- Keep pressure on application vendors: Use purchasing power to keep pressure on vendors to either directly support passwordless standards or federation and SSO standards.
- Take a defense-in-depth and risk-based approach: Passwordless shouldn’t be about only removing the password. It should also be about increasing trust in authentication. Consider using RBA (risk-based authentication) to address the risk of stolen devices with spoofable biometrics or guessable PINs.
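As an added illustration of the last tip (example code, not from the original post or any vendor), a small risk-based step-up policy for a passwordless sign-in: the signal names, weights and thresholds are constructed assumptions, and a raised score asks for a second independent factor rather than falling back to a password.

```python
"""Risk-based authentication (RBA) policy for a passwordless sign-in.

Illustrative example: signal names, weights and thresholds are constructed
for this demonstration, not taken from any product.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed weights: how much each signal raises the risk score.
WEIGHTS = {
    "pin_unlock": 1,          # a PIN on a stolen device can be guessed
    "unmanaged_device": 2,    # credential not bound to a managed device
    "new_location": 1,        # first sign-in from this geography for the user
    "impossible_travel": 3,   # distance since last sign-in not physically feasible
}
STEP_UP_AT = 2   # require a second, independent factor (e.g. roaming security key)
DENY_AT = 4      # block and route to help desk / device recovery


@dataclass
class SignIn:
    user: str
    unlock: str               # "biometric", "pin" or "security_key"
    managed_device: bool      # credential bound to a device the org manages
    device_reported_lost: bool
    new_location: bool
    impossible_travel: bool


def assess(s: SignIn) -> Tuple[str, int, List[str]]:
    """Return (decision, score, reasons); decision is allow, step_up or deny."""
    if s.device_reported_lost:
        return "deny", DENY_AT, ["device reported lost or stolen"]
    score, reasons = 0, []
    signals = {
        "pin_unlock": s.unlock == "pin",
        "unmanaged_device": not s.managed_device,
        "new_location": s.new_location,
        "impossible_travel": s.impossible_travel,
    }
    for name, present in signals.items():
        if present:
            score += WEIGHTS[name]
            reasons.append(name)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons   # second factor, never a password fallback
    return "allow", score, reasons


if __name__ == "__main__":
    # Constructed sample sign-in events.
    print(assess(SignIn("alice", "biometric", True, False, False, False)))
    print(assess(SignIn("bob", "pin", True, False, True, False)))
```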
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.