As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Bassam Al-Khalidi, the Founder and Co-CEO of Axiad, shares some expert insights on the value in moving to passwordless authentication.
Today it is widely accepted that passwords are a critically flawed control and are implicated in over 80% of data breaches. They are also expensive to maintain: organizations often spend more than $1 million a year on password-related support, including Help Desk administration and other IT tasks. And when passwords expire or are lost, the result is user frustration and lost productivity. In Axiad’s 2021 Passwords & Productivity Survey, 60% of the office workers polled said that passwords had stopped them from doing their job.
Moving to passwordless authentication removes the risk and expense that passwords carry and helps protect your users, machines, and data. To make the transition successfully, however, you need to consider both the technologies required and the people who will use them.
Understand Your Technical Requirements
Start by enumerating every use case in your organization that requires authentication. Both privileged and non-privileged users need strong authentication to the machines on your network, especially now that devices such as laptops and mobile phones outnumber people 3 to 1. Other use cases include legacy on-prem applications, web and cloud-based applications (Office 365, Dropbox), physical access to office buildings and data centers, and VPNs or corporate networks. No single technology covers all of these use cases, so you will most likely need to deploy more than one kind of credential, matched to each use case.
Many businesses have already started using stronger credentials such as mobile authenticators, biometrics, Windows Hello for Business, and hardware tokens like YubiKeys. Taking stock of all of your authentication requirements up front lets you build a strategy that covers your current needs and scales as you grow.
Focus on the Users
Ultimately, users are the weakest link in any company’s security strategy. That remains true for a passwordless implementation, and the move to remote work has complicated authentication further. When remote workers forget or lose a credential, they can no longer walk over to the help desk; they must wait for IT to help them remotely, which leads to frustration, lost productivity, and ultimately security workarounds. And falling back to a temporary one-time password sent by email gives an attacker who can read that mailbox an easy route into your systems.
So how can you make your move to passwordless both secure and easy for employees to use? Here are three ways to reduce user friction and help companies make a successful transition to passwordless:
Emphasize best practices
If you haven’t already, implement a company-wide security awareness program and require participation by every employee, including senior management. This sets the stage for users to accept responsibility for following security policies and to understand how they can help prevent cyber-attacks. Then engage and train employees in how to use their new credentials. The rollout needs to be gradual and transparent.
The goal is to alleviate user concerns about the move to passwordless, help them understand how to use the new credentials, and emphasize the benefits of following your company’s new security protocols. For employees who don’t cooperate, build a system that reinforces good security policy, such as requiring users to complete security training, or to renew an expired credential through the platform, before they regain access to their systems.
Streamline credential management
Look for ways to streamline credential management and minimize the number of tools needed for deployment. Requiring users to switch between different platforms to issue and manage their various credentials is confusing and hard to keep track of. No credential lasts forever; if there is a problem with their YubiKey or mobile authenticator app, do they have to go to different platforms to fix it? When new systems are complicated and cumbersome, employees quickly get frustrated and disregard best practices.
In an Axiad study conducted last year, 52% of tech leaders said their remote employees had found workarounds to their company’s security policies. Managing all of a user’s credentials from one place simplifies the process: it reduces user friction and gives users the same experience when they issue or renew a credential, whichever type they use. Streamlining the user experience significantly increases the likelihood that your passwordless implementation succeeds.
Provide self-service credential management
40% of Help Desk calls are related to credential problems. If a credential is lost or expires, the user is locked out while waiting for IT to restore access. This wastes valuable time and frustrates users who want to get their job done. The best approach is to let employees manage their own credentials through a self-service portal or similar tooling. Being able to issue and renew their own credentials greatly reduces dependency on the Help Desk, increases employee productivity, and frees Help Desk resources for other projects.
Transitioning to passwordless is an essential step toward securing your company’s resources. When it comes to security, ordinary users matter just as much as managers and administrators. IT leaders need to implement passwordless with both security and user experience in mind. By simplifying the authentication process and reducing user friction, you can turn employees into the biggest advocates on your journey to passwordless.
- Simplify Your Move to Passwordless Authentication by Reducing User Friction - February 4, 2022