
Is Passwordless Really Possible?

LastPass, January 16, 2020

The age-old debate continues: are passwords ever really going away? Passwords have been the foundational authentication mechanism that has enabled users to gain access to their applications for decades. But passwords have their flaws. Over 80% of data breaches are caused by weak, reused or stolen passwords, and IT teams are spending an average of 4 hours per week on password-related issues alone. All of which begs the question: what can be done to alleviate the password problem?

The need for a more secure and easier way to authenticate users into their apps is clear. The obvious way to eliminate the password problem is to eliminate the password - but how? The solution is passwordless authentication.

Passwordless authentication enables users to securely authenticate into their applications without having to enter a password. In a business environment, this means employees can authenticate into their work without having to type a password, all while IT teams maintain complete control across every login.

The Role of the Password in Passwordless 

There are two types of passwordless authentication: eliminating the password from the IT infrastructure and eliminating the password from the employee login experience. While both are possible, I do not see passwords being completely eliminated from the IT infrastructure any time soon. This is why I encourage organizations to focus on delivering a passwordless login experience. A passwordless login experience means that while passwords may still exist behind the scenes, the employee will not have to manually enter a password during their login.  

Passwordless authentication benefits the business on two fronts, from both an employee productivity and business security view. Passwordless authentication means employees are no longer burdened with having to manually enter a password for every single application they need to get their work done. The average employee uses 36 cloud services at work – that’s a lot of passwords to remember and a lot of time wasted manually typing each and every password in. Passwordless authentication gets employees authenticated into their work faster because they are not slowed down by typing out a password every time they navigate between applications – which is frequent! Passwordless authentication eliminates password frustrations and gives employees more time to get their work done. 

Second, password-related risks are eliminated. Employees no longer have the option to use and reuse easy-to-remember passwords across their various applications. These weak passwords generate a great deal of risk, as they are the easiest for hackers to crack. 34% of organizations cite lost or stolen password credentials monthly, so many organizations are experiencing password security challenges on a regular basis. In addition, a passwordless login experience for employees means that the passwords are still working behind the scenes, which enables IT teams to enforce stronger password requirements that employees will never need to manually type – the best of both worlds.

Making Passwordless Possible 

If a password isn’t connecting an employee to their work, then what is? A few examples of passwordless technologies are biometrics, secure protocols and integrations. 

Authentication protocols 

One example of a passwordless technology is authentication protocols. One way a protocol works is to facilitate the communication between an identity provider and a service provider. When an employee is authenticated to the identity provider, they are also authenticated into the assigned service providers, without having to enter a password.

An example of this is single sign-on (SSO) which is commonly built with the Security Assertion Markup Language (SAML) protocol. With SSO, when an employee is authenticated to their identity provider, an organization’s SSO will also authenticate the employee into all their assigned applications, or service providers. This means that after the employee is logged in, they will no longer have to enter passwords for all their work - a passwordless experience. 

Protocols such as SAML help increase overall security because passwords are eliminated, and the protocol offers a more secure connection than a password alone can provide. And employees are happy, because they can access all their work without having to type additional passwords. It’s a win for both IT and employees. 
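As an added example (not from the original post), the checks a SAML service provider applies to an identity provider's assertion before treating the employee as logged in: issuer, validity window, audience, bearer confirmation, matching outstanding request and replay. The IdP/SP entity IDs, URLs, request ID and assertion XML are constructed sample values, and signature verification is assumed to be done first by a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample assertion: the IdP vouches for alice to the SP whose
# entity ID is https://sp.example.com/saml (all values are made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1b2c3" Version="2.0" IssueInstant="2020-01-16T10:00:00Z">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData InResponseTo="_req42"
     Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2020-01-16T10:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2020-01-16T09:59:00Z" NotOnOrAfter="2020-01-16T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, sp_entity_id, acs_url,
                       pending_requests, seen_ids, now):
    """Return (True, name_id) if the assertion is acceptable to this SP,
    else (False, reason). Assumes the XML signature was already verified."""
    a = ET.fromstring(xml_text)
    if a.findtext(SAML + "Issuer") != expected_issuer:
        return False, "unexpected issuer"
    cond = a.find(SAML + "Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window"
    if sp_entity_id not in [e.text for e in cond.iter(SAML + "Audience")]:
        return False, "assertion not addressed to this SP"
    scd = a.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation invalid"
    if scd.get("InResponseTo") not in pending_requests:
        return False, "no matching outstanding AuthnRequest"
    if a.get("ID") in seen_ids:
        return False, "assertion replayed"
    # Consume the request ID and remember the assertion ID to stop replays.
    pending_requests.discard(scd.get("InResponseTo"))
    seen_ids.add(a.get("ID"))
    return True, a.findtext(f"{SAML}Subject/{SAML}NameID")
```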

Federation 

Federation connects an identity provider to a service provider, so once the employee is authenticated into the identity provider, they will also be authenticated into the assigned service providers as a result of the integration. This helps IT teams securely manage the employee throughout their lifecycle, from onboarding to offboarding and across multiple IAM solutions with a unified view. 

Because the two IAM technologies are integrated with one another, the secure relationship is established behind the scenes, meaning employees will not need to type a separate password for each. Once logged in, employees will gain access to both integrated resources to maintain a passwordless experience throughout their workday.

Biometrics 

Biometrics are physically who you are as an individual. Examples of a biometric include your fingerprint, your face, or even your voice. Biometrics are becoming an increasingly mainstream way to authenticate employees into their work. This form of authentication is becoming so popular, in fact, that 70% of consumers want the expanded use of biometric authentication in their workplace.4

The main reason why biometrics are rising in popularity is because they provide the simple, seamless user experience employees are looking for. Authenticating with the touch of a fingerprint is much easier than manually typing out a password, and employees do not want added security obstacles that will slow them down. 

However, it's also critical that biometrics are stored securely. I recommend that organizations seek biometric authentication solutions built on a local-only encryption model. This means that biometric information is stored on the device itself, rather than in the cloud. Local-only encryption helps ensure that biometric data remains safe and private. Biometric authentication helps ensure users are who they say they are by using who they are, all while delivering a passwordless login experience.

Go Passwordless 

Going passwordless helps organizations achieve increased productivity amongst employees, reduced IT costs, and stronger security. However, keep in mind that passwords are still the most prevalent method of authentication and are not going away any time soon. That's why organizations should pair a passwordless login experience for employees with enterprise password management for every password that is still in use, to secure every access point while delivering a seamless login experience.

Sources

1. 2019 Verizon Data Breach Investigations Report
2. LastPass SMBs Guide to Modern Identity
3. McAfee's CASB: MVISION Cloud
4. Security Magazine, Biometric Consumer Sentiment Survey