What is passwordless authentication (and why does it seem so hard)?

Your company has a cybersecurity problem that it can’t eliminate: your employees. People are the number one security vulnerability in any organization, simply because we’re human and we make mistakes. Even if your people take security seriously, they’re still your company’s most vulnerable entry point for a cyber attack.

One of the reasons for this is the ubiquity of passwords in the workplace. You have a password to get onto your computer, a password to access your email, passwords for your various work accounts and applications, and even passwords for personal use that get accessed at work. 

Most people use dozens of unique passwords. That’s a lot to remember — especially if you use strong passwords made up of long strings of random characters. So passwords get reused, or they’re based on an easy-to-remember pattern. Or, worse, they get written down on paper. 

Even a strong password can be a cybersecurity liability in those circumstances.

That’s why more and more organizations are getting rid of password authentication.

Passwordless authentication is gaining a lot of buzz right now, and it’s a concept that has taken off since the beginning of the pandemic. Hackers continue to become more proficient in discovering passwords. And because your employees are creatures of habit, bad actors know that the password someone used for their Netflix account has a good chance of being the same password they use at work. 

Your company’s sensitive information can be exposed because of the movie ticket Bob Smith purchased online last week. 

What is passwordless authentication?

Traditional authentication relies on two pieces of information that are known by the user: a username and a password. The problem is that knowing that information doesn’t actually prove you are who you say you are. It only proves that you have the right information to get into a system.

Passwordless authentication requires you to prove that you have something (such as a mobile device) and that you are something (by a fingerprint or other biometric input). Using multiple factors of authentication makes it much harder for bad actors to pose as a legitimate user.

There are three basic types of passwordless authentication:

Biometrics. Sensors scan physical traits that are unique to each individual. These can include fingerprint or retina scans, facial recognition, and even behavioral traits such as typing and touch screen dynamics.

Possession factors. Users must confirm that they have something that only the valid user should possess, such as their cell phone or a hardware token. To prove you have it, a code is sent to the device and the code must be entered within a time limit.

Magic links. A link is sent to the user’s email address with a link they can click to log in.

Benefits of going passwordless

Passwordless authentication holds a lot of promise for greater security and ease of use, and people are taking notice. A 2021 Forrester survey reports that 67 percent of respondents are in the process of adopting passwordless security in their organizations.

According to Verizon’s 2021 Data Breach Investigations Report (DBIR), credential vulnerabilities account for over 84% of all data breaches. Passwordless authentication reduces your risk of a data breach because it mitigates a bad actor’s ability to use your employees’ credentials.

Going passwordless not only increases your company’s security, it also creates a more seamless user experience. There’s nothing to commit to memory, which also means users no longer have to go through cumbersome password reset procedures.

And less time resetting passwords means lower costs to your organization on user support. A single password reset costs an organization $70, and the average person spends 12.6 minutes per week resetting passwords. The cost savings can add up quickly.

Challenges of passwordless authentication

But making the transition isn’t like flipping a switch. Passwordless adoption can be time-consuming, resource-intensive, and financially costly. To successfully make the switch, organizations need to understand the challenges that stand in their way.

Convincing key stakeholders. The larger your company, the more likely you are to find resistance to change — especially one as far-reaching as this. Some key players in the IT department and in executive management may need convincing about the benefits of going passwordless. Others throughout the organization may simply resist doing things differently. 

Do your research ahead of time. The better you understand what objections you’ll face, the greater success you’ll have in making your case for passwordless authentication.

Employee restrictions. For most of your people, adopting passwordless authentication will be fairly simple. However, some of your employees may have restrictions that make biometrics or possession factors difficult. For example, lab workers may need to wear gloves or eye protection, which make biometric scanning difficult. Others may not be able to bring their cell phones into restricted areas.

Be sure you understand how a passwordless system will affect each job role in your company before moving forward with any particular plan.

Legacy applications. Most applications that use usernames and passwords were developed before the advent of passwordless authentication. They aren’t equipped to easily adopt a new authentication method. In these cases, you aren’t looking at flipping a switch — you’re faced with recoding the entire application. 

It’s an enormous and terribly expensive task that can take months or even years to complete. 

Fortunately, this is both a solvable problem and one that’s solvable with relative ease. 

Strata has a solution for legacy applications called Maverics. Maverics sits in front of the application and directs the user to the authenticator of your company’s preference. Once the user is authenticated, Mavericks communicates to the application to grant them the right access. The user context is passed to your application without any rewriting — Maverics typically doesn’t even touch the application. 

This approach eliminates the barrier of having to rebuild your applications. With Strata in the mix, you can truly unify your enforcement of password technology across your entire application landscape. 

A transition that would typically take years is now possible within days or a few weeks.

Passwordless protection today

Passwordless authentication promises to make your applications more secure, easier to use, and less costly to support. While the challenges to transitioning have held many companies back from making the switch, the day has arrived when any application can take advantage of passwordless protection. If you are looking for a better way to go passwordless without having to rewrite your apps, check out the Passwordless Orchestration Recipes.