Passwordless Authentication: Should You Go Passwordless?

Passwordless authentication is a method for verifying a user’s identity that does not require the user to remember and provide a password. In addition to being easier and faster for the user to log in, passwordless authentication drastically increases security. This increase in security alone makes going passwordless a worthwhile investment for any organization.

Until recently, passwords were seen as a necessary evil, but they present many security risks. The most significant risk of using a traditional password is its potential to be guessed or stolen. Despite efforts to increase password security awareness and strengthen policies, users often rely on poor and risky passwords.

According to Digital Citizens Alliance, a nonprofit focused on internet consumer safety, the average user has around 200 passwords to manage. With more and more websites and services requiring an account to be set up, this number will only increase. Password managers are becoming more popular, but there is always the temptation to reuse an easy-to-remember password, which dramatically increases the likelihood of a security breach.

According to the 2021 Verizon Data Breach Investigations Report, 61% of all data breaches in 2020 were carried out using stolen or unauthorized login credentials. In an effort to combat this growing trend, organizations and services are moving toward passwordless authentication.

Types of passwordless authentication

Traditional password schemes grant access when the correct combination of a username and password is presented. Passwordless authentication instead relies on additional factors such as physical USB keys, biometrics, or authenticator apps, which an attacker cannot obtain simply by guessing or stealing a string, therefore increasing security.

There are three main categories of passwordless authentication:

  • Knowledge-based (something you know) – Seeks to prove the user’s identity by asking for knowledge only known to the individual, such as a PIN or a “secret” question.
  • Possession-based (something you have) – Grants a user access based on something a user has in their possession separate from the device being accessed, such as a FIDO2 key, a phone, or an authenticator.
  • Inherence-based (something you are) – Uses unique inherence factors to verify the user’s identity, most commonly biometrics such as fingerprint, facial recognition, or retina scan.

Common passwordless authentication technologies

  • Authenticators – A third-party app (like Microsoft Authenticator) that generates the code needed to log in on the device itself. Because the code is generated locally rather than sent to the user over email or SMS, it is less likely to be intercepted by an attacker.
  • PINs – Match a code entered by the user with an encrypted key stored on the computer. PINs only allow logging in with the correct code on a specific device. So, if a PIN is stolen, it will not work on another machine.
  • FIDO2 keys – A piece of hardware similar to a thumb drive that needs to be carried by the individual, inserted into the computer, and touched by the user when prompted in order to log in.
  • Biometrics – Like fingerprint scanners or facial recognition cameras, biometrics can be a powerful passwordless login option.

Should your organization go passwordless?

Before moving to passwordless, the most significant considerations an organization needs to be aware of are the type of authentication that will be implemented (FIDO2 keys, biometrics, PINs, etc.), cost, compatibility, and the logistics of rolling it out. Be aware the passwordless option you choose could mean a significant financial investment, specifically if new hardware is needed. For example, FIDO2 keys are about $34 apiece, and each employee should have a spare (~$70/employee), and fingerprint scanners are $75+ each if not built into an employee’s computer.

Compatibility can be an issue when considering going passwordless. Not all builds of Windows 10 support passwordless login on the desktop. So, every organization should check with their IT team to make sure their computers can support passwordless authentication.

Next is logistics. Employees are often slow to adopt a change to their routine. So, working with an experienced IT team to plan the rollout is paramount. It’s essential to make sure everyone in the organization who is moving to passwordless has the proper hardware, software, apps, etc., to make the switch.

It’s also vital to make sure the transition to passwordless is complete. If employees use a combination of passwords and passwordless authentication, it undermines the efforts to move toward passwordless and creates a potential security vulnerability.

Common mistakes organizations make when going passwordless

Perhaps the biggest mistake organizations make is not going entirely passwordless. If the old passwords are still in use, there is no added security benefit from using passwordless authentication.

Other mistakes include:

  • Not having a backup option – It’s always best to have a backup option if something goes wrong. For example, if a FIDO2 key is lost, have a spare key available. If both are lost, biometrics might be an excellent secondary option.
  • Leaving a FIDO2 key inserted into a machine – If it is accidentally left in a computer, anyone with access to the device could potentially log in.
  • Not every organization can make the switch overnight – It’s important to know that network infrastructure needs to meet certain requirements, and Windows 10 needs to be a specific build in order to use passwordless authentication. Make sure to contact your IT team before making any technology changes to make sure your systems are compatible.
  • Underestimating the adoption rate of the users – Know that moving toward passwordless authentication will most likely change employees’ routines, which can be a challenge. It may be prudent to start with a small group of individuals before rolling it out to the whole organization.

As the need for tighter cybersecurity increases and passwords remain the weakest link, it’s recommended that every organization moves toward passwordless authentication. It is always best to have a team of well-qualified IT professionals to lead the transformation when making any significant technology change in your organization. Make sure your IT team is aware of all the challenges and can implement passwordless authentication successfully.