Should Your Enterprise Embrace Passwordless Authentication?

Should your enterprise embrace passwordless authentication? In fact, is passwordless authentication even possible? What benefits can it offer your cybersecurity and identity security? How can you deploy it effectively and cost-efficiently?

Technology research giant Gartner predicts the future of identity management lies heavily in passwordless authentication. Specifically, Gartner predicts that by 2022, 60% of large and global enterprises and 90% of midsize businesses will use passwordless methods in more than half of their authentication use cases. So it certainly appears your enterprise should consider embracing this essential cybersecurity technology.

Before you do, you need to have a full understanding of why your enterprise can no longer rely on passwords alone. 

Why Passwordless Authentication Trumps Passwords

In several previous articles, we have outlined the inherent identity management risks embedded in passwords. However, a brief refresher can benefit enterprises of all sizes. Identity experts and cybersecurity professionals alike recognize the growing liability of passwords.

First, hackers can easily guess or crack passwords. On the one hand, this issue stems from the users themselves. Most individuals must remember dozens if not hundreds of accounts and passwords, which usually leads them to choose simple, easy-to-remember (and thus easy-to-crack) passwords. On the other hand, hackers can also mine information posted freely on social media. From it they can discover details commonly used in passwords, such as birthdays or maiden names, or use it to pull off fairly convincing social engineering attacks.

Second, users tend to reuse their passwords for convenience. Every reused password means that a single breach exposes every account that shares it. Furthermore, the proliferation of data breaches creates cascades of cyber attacks down the line: hackers sell and share stolen passwords on the Dark Web, and other hackers obtain them and use techniques like credential stuffing (replaying leaked username and password pairs against other services) to access enterprise systems. The cycle continues with every breach.

Third, passwords prove inadequate for modern enterprise infrastructures. With cloud services and unmanaged devices, identity authentication serves as the new perimeter, and a password alone makes a weak perimeter.

These aren’t idle concerns. According to a study by EMA, 64% of enterprises rely on password-based authentication. Unfortunately, 90% of those businesses suffered a password policy violation within the past month, and 71% reported serious consequences from those violations.

How Passwordless Authentication Differs

Of course, the consequences of access management failures vary widely based on the enterprise, the data compromised, the duration of the attack, and so on. They can include any of the following and more:

  • Enterprise reputational damage. 
  • Regulatory compliance failures and fines. 
  • Planted malware. 
  • Endpoint failures. 
  • Loss of revenue. 
  • Server downtime. 

So the natural solution, in this case, would involve removing passwords from your authentication schemes and identity management. But how? There are plenty of alternatives to passwords for strong identity management authentication. These include: 

  • PINs.
  • Mobile device authentication.
  • Thumbprint and other biometric factors (facial and vocal recognition). 
  • Hard tokens and other keys. 
  • Email one-time passwords and magic links.
  • Software tokens. 
  • Behavioral biometrics.    

Perhaps unsurprisingly, passwordless authentication aims to replace passwords with any of the above-listed verification capabilities. In fact, your enterprise may choose to deploy one kind of capability or may choose to deploy multiple factors at once.

Example: Email-Based Verification

Place yourself in the shoes of a consumer, a role we all fill at least once in a while. At some point, you have probably forgotten a password to a service or shopping portal. Usually, the service sends you an email containing a link that bypasses normal authentication and lets you reset your password. The link is secret, time-limited, and valid for a single use.

Some users find this method so convenient that they never bother remembering their passwords; they simply request a reset email every time. In passwordless authentication, IT security teams forgo the password reset entirely and use that link as the authentication factor itself. The caveat: the link is only as strong as the mailbox that receives it. If hackers obtain a user’s email password, they can read every link sent to that account, so the email account itself needs strong (ideally multi-factor) protection.
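To make the three properties concrete, here is an added example (not code from the article) of a server-side magic-link store in Python. It assumes an in-memory table standing in for a database, a 15-minute link lifetime, and a hypothetical login URL; in a real deployment the returned link would be emailed to the user, and the class and function names are the author of this example's own.

```python
# Added example, not code from the original article: a magic-link issuer and
# redeemer that enforces the three properties the article describes. The link
# is secret (256-bit CSPRNG token, only its hash is stored), time-limited, and
# single-use. The in-memory dict and the base URL are stand-ins (assumptions).
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60                      # assumption: 15-minute lifetime
BASE_URL = "https://login.example.com/magic"    # assumed login endpoint


class MagicLinkStore:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked table cannot be turned into live links.
        # A constant-time compare is unnecessary here because the token is a
        # 256-bit random value, not a user-chosen secret.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a link for `email`; the caller emails it to that address."""
        token = secrets.token_urlsafe(32)        # 256 bits of CSPRNG entropy
        self._pending[self._digest(token)] = (email, self._now() + LINK_TTL_SECONDS)
        return f"{BASE_URL}?token={token}"

    def redeem(self, link: str):
        """Return the authenticated email, or None if the link is unknown,
        already used, or expired. The entry is popped on first sight, so a
        second click never succeeds, and an expired link is discarded too."""
        token = parse_qs(urlparse(link).query).get("token", [""])[0]
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email

    def purge_expired(self) -> int:
        """Housekeeping: drop expired entries; returns how many were removed."""
        now = self._now()
        stale = [d for d, (_, exp) in self._pending.items() if exp < now]
        for d in stale:
            del self._pending[d]
        return len(stale)


class FakeClock:
    """Constructed test clock; production code simply passes time.time."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t
```

The token never touches storage unhashed, and redeem() removes the entry before checking expiry, so a link that has been clicked once, or that arrives after its lifetime, is dead either way. Nothing in this code protects the mailbox itself, which is why the email account needs its own strong authentication.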

Does It Completely Remove Passwords?

Perhaps surprisingly, passwordless authentication can combine any of the authentication factors above, yet it may not completely remove passwords from the equation.

First, enterprises need to contend with the fact that switching to passwordless verification presents challenges to people and processes. You need to consider how you will conduct user training and how your identity management integrates with other management tools. Additionally, how will this next-generation identity and access management integrate with your current cloud and directory services?

Keeping passwords as at least part of your authentication can help with all of these issues. Moreover, some business processes simply work better with passwords, such as enrollment and account resets.

In practice, then, passwordless authentication may reduce the number of times your users must input passwords rather than eliminate them entirely. You need to consider your use case to determine whether this makes sense for your business.

How to Deploy Passwordless Authentication In Your Enterprise

Of course, your business can simply replace passwords with a different authentication factor. Often, enterprises do this through biometric authentication. However, you can also keep passwords as one factor in two-factor authentication, or use two different non-password factors in your verification process.

Yet the most important lesson of passwordless authentication is this: the more independent factors between users and databases, the more secure they stand against hackers. Certainly, hackers can try to subvert multifactor authentication; it just takes significant time and resources. Most hackers don’t possess these resources, and would rather invest their time in easier targets.

Moreover, multifactor authentication without passwords can actually streamline your business processes and reduce friction. Password recovery consumes so much of workers’ and IT teams’ time that it can bog down business processes. Most multifactor authentication systems take less time and demand little of their users beyond a tap, a touch, or a glance.

Above all, you need to consider your enterprise’s use case. This includes your industry, users, third-party vendors, and business size. Through this, you can evaluate your identity lifecycle and determine the best integrations. 

Also, you can’t just jump to passwordless authentication alone. You need to pair it with endpoint security and SIEM solutions to have the most comprehensive cybersecurity for your enterprise. But dropping passwords can only benefit your business in the long term. Time to make your life easier.

You can learn more in our 2019 Identity Management Buyer’s Guide!

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.