It’s not hard to understand why passwordless authentication continues to gain traction. Stolen, reused and guessable passwords remain a leading cause of data breaches. Verizon’s “2021 Data Breach Investigations Report” found 89% of web application breaches involved credential abuse.
Completely eliminating passwords isn’t feasible yet, but there are passwordless authentication methods companies can deploy today that can help reduce reliance on risky passwords and thus reduce the use of credentials as an attack vector.
Current passwordless authentication options
Companies can consider the following available passwordless authentication methods:
- Email-based. Users receive a temporary one-time passcode via email to log in to their account. A URL with the embedded code or token can be included to speed up the process and make it more convenient for users. This method is only as strong as the user’s mailbox, so the code or link should be short-lived, single-use and tied to the browser session that requested it.
- WebAuthn-based. The WebAuthn API relies on something users own instead of what they know. At registration the device (a smartphone, laptop or security key) creates a key pair for the site and the relying party stores only the public key; at login the relying party issues a fresh challenge that the device signs with the private key, which never leaves the device. Because the signed data includes the origin the browser actually connected to, a credential cannot be replayed against a look-alike site, which is what makes WebAuthn phishing-resistant.
- Biometrics-based. Biometric authentication relies on users’ physical or behavioral characteristics to verify identity. Devices with advanced cameras, high-quality microphones or fingerprint scanners determine users are who they say they are. In most deployments the match happens locally and unlocks a key held on the device; the biometric template itself is not sent to the server.
- A combination of methods. Use WebAuthn and biometrics together, for example, for a layered approach: the biometric verifies the user to the device (reported to the relying party as WebAuthn’s user-verification flag), and the device then proves possession of the credential by signing the server’s challenge.
Passwordless implementation best practices
When creating a passwordless strategy, keep these best practices in mind for success:
- Review current authentication processes. Conduct an inventory of how your organization — employees, contractors, partners — authenticates today. Understand legacy authentication methods before deciding what can be replaced with passwordless authentication.
- Implement a beta program. Deploy passwordless authentication methods to small test groups. Participants should represent a diverse community across job roles, demographics, age and business functions.
- Assess beta program feedback. After the testing period, gather thoughts from the participants involved to determine whether the passwordless authentication strategy was effective and efficient or needs updating.
Also, keep the following in mind as your company embarks on the mind shift, technological shift and risk posture shift to passwordless:
- Be patient with users. Expect an increase in help desk requests, comments on Slack and other internal channels, and users looking for ways to bypass the new flow. Inertia and comfort with password-based schemes may result in initial pushback. Be proactive with short explainer videos and simulated phishing attacks, and recruit employees who are influencers to become passwordless evangelists.
- Increase privacy awareness. With regulatory and consumer focus on privacy, recognize the increased amount of employee, contractor and partner data that is stored and accessed. Biometrics, including fingerprints, facial scans and retina scans — especially when extended to personal devices — increase a company’s privacy and security footprint. Raising user awareness, conducting regular risk assessments and ensuring compliance are therefore critical.
- Consider cost control. As with any project, staying within a targeted budget is critical. Particularly in the case of passwordless, dealing with legacy applications and their nuances could result in increased cost. Also, keep in mind new technology adoption — such as drones, robots and metaverse systems — where passwordless would need to work in the future. Project out and estimate for these use cases going forward.
Passwordless offers companies a reliable and less risky way of authenticating users compared to password-based methods. Becoming an early adopter will help organizations become more secure if the above factors are taken into account.
This was last published in January 2022