Five Pitfalls to Avoid on the Road to Passwordless
The move to passwordless authentication is gaining momentum. One study shows that 92% of businesses believe that passwordless is the wave of the future, and for good reason. Passwordless speeds access to resources, delivers a better user experience for employees and even provides ROI by reducing the burden that password problems place on help desks. To succeed, however, passwordless has to be done right. Here are five pitfalls to avoid so you can achieve a smooth implementation and wide adoption.
1. Failing to Meet Standards
Passwordless access is based on remote identity proofing and authentication. It’s essential to have clear definitions of these terms, both for securing sensitive assets like PII and for regulatory compliance. The U.S. government’s National Institute of Standards and Technology (NIST) provides these definitions in NIST Special Publication 800-63-3. The basic idea is to bind a trusted credential to the person presenting it by means of a biometric. Typically, the process involves scanning a trusted credential such as a driver’s license or passport, verifying its authenticity, and then matching the photo on it to a video selfie. It’s quite simple, and the result is a trusted identity that can be used over and over again.
2. Neglecting Ease of Adoption
The second pitfall is making the process of going passwordless too complicated. Often, passwordless authentication is first deployed to IT professionals using a self-service tool that works well for technically savvy individuals but isn’t appropriate for the whole workforce. For mass adoption to be successful, self-service is the best practice, but the process needs to be simple and intuitive. It’s also best to provide for gradual adoption. One approach is a coexistence strategy: IT targets a passwordless rollout to specific departments, where employees have the option of going passwordless or continuing with the system already in place. Over time, the passwordless solution will go viral as employees share with one another how much easier it is.
3. Disregarding Passwords Completely
Even though identity-based authentication is clearly superior to passwords from a security perspective, it’s a mistake to abandon passwords altogether. For one thing, there will likely be a few legacy systems where moving away from passwords doesn’t make sense for one reason or another. The best strategy is to accept that passwords won’t completely disappear, to incorporate self-service reset tools, and to implement a password rotation system that’s convenient for everyone involved.
4. Not Providing Options for Authentication
The smartphone is the device of choice for passwordless implementation. Nearly everyone has one, and they incorporate all the technology required. Also, with today’s containerized architectures, business functions can be separated from personal data, so that companies can’t inadvertently wipe an employee’s personal data. But there are situations where phones aren’t an option. What if an employee doesn’t have a phone? What if state laws create barriers to the use of personal phones in business? It’s important to explore alternate authentication methods, and in fact, many different ones are already in place in most large companies. If you can consolidate these behind one set of APIs or tools, you have the mechanism to significantly simplify infrastructure management.
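The three points above (gradual coexistence with the old password system, keeping a password path for legacy cases, and offering alternatives when a phone is unavailable or disallowed) all come down to one authentication front door that fronts several methods and applies policy before verifying anything. The following is an added example, not code from the article or from any vendor; the method names, the Policy fields and the HMAC challenge-response used as a stand-in for a device-bound credential are illustrative assumptions, and the legacy password path uses salted PBKDF2.

```python
"""Added example (not from the article or any vendor): one authentication API that
fronts several methods, keeps a legacy password path for coexistence, and honours
policy limits such as a ban on personal phones. Method names, the Policy fields and
the HMAC challenge scheme are illustrative assumptions, not a standard.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Policy:
    personal_phones_allowed: bool = True      # e.g. state law or company rule
    legacy_passwords_allowed: bool = True     # coexistence period during rollout


@dataclass
class UserRecord:
    username: str
    methods: dict = field(default_factory=dict)  # method name -> credential material


# --- individual authenticators -------------------------------------------------

def issue_challenge() -> bytes:
    """Server side: fresh random challenge per login attempt (defeats replay)."""
    return secrets.token_bytes(32)


def device_sign(device_secret: bytes, challenge: bytes) -> bytes:
    """Client side: a device-bound key answers the challenge.
    HMAC stands in for the public-key signature a real authenticator would produce."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def verify_device(device_secret: bytes, challenge: bytes, proof: bytes) -> bool:
    expected = hmac.new(device_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)   # constant-time comparison


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Legacy path: salted PBKDF2-HMAC-SHA256, 600k iterations."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def verify_password(stored: tuple, password: str) -> bool:
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(digest, candidate)


# --- the single API that fronts all of them -------------------------------------

# Offered in this order: passwordless methods first, legacy password last.
METHOD_ORDER = ("phone_app", "hardware_key", "password")
DEVICE_METHODS = ("phone_app", "hardware_key")


def available_methods(user: UserRecord, policy: Policy) -> list:
    """Methods this user may use right now, given enrolment and policy."""
    offered = []
    for name in METHOD_ORDER:
        if name not in user.methods:
            continue  # not enrolled, e.g. the employee has no phone
        if name == "phone_app" and not policy.personal_phones_allowed:
            continue  # jurisdiction or policy forbids personal phones at work
        if name == "password" and not policy.legacy_passwords_allowed:
            continue  # rollout complete, password path retired
        offered.append(name)
    return offered


def authenticate(user: UserRecord, policy: Policy, method: str,
                 challenge: bytes, proof) -> bool:
    """proof is the HMAC bytes for device methods, the plaintext password otherwise."""
    if method not in available_methods(user, policy):
        return False  # never verify a method the policy does not offer
    credential = user.methods[method]
    if method in DEVICE_METHODS:
        return verify_device(credential, challenge, proof)
    if method == "password":
        return verify_password(credential, proof)
    return False


def demo() -> dict:
    """Constructed scenario: one employee with phone, hardware key and legacy password."""
    phone_key, hw_key = secrets.token_bytes(32), secrets.token_bytes(32)
    alice = UserRecord("alice", {
        "phone_app": phone_key,
        "hardware_key": hw_key,
        "password": hash_password("correct horse battery staple"),
    })
    ch = issue_challenge()
    default, no_phones = Policy(), Policy(personal_phones_allowed=False)
    retired = Policy(legacy_passwords_allowed=False)
    return {
        "default_methods": available_methods(alice, default),
        "phone_ok": authenticate(alice, default, "phone_app", ch, device_sign(phone_key, ch)),
        # Personal phones banned: phone leaves the menu and is rejected if tried anyway.
        "restricted_methods": available_methods(alice, no_phones),
        "phone_rejected": authenticate(alice, no_phones, "phone_app", ch, device_sign(phone_key, ch)),
        "hw_ok": authenticate(alice, no_phones, "hardware_key", ch, device_sign(hw_key, ch)),
        # Legacy password works during coexistence, not once retired; a wrong password fails.
        "pw_ok": authenticate(alice, default, "password", ch, "correct horse battery staple"),
        "pw_wrong": authenticate(alice, default, "password", ch, "wrong"),
        "pw_retired": authenticate(alice, retired, "password", ch, "correct horse battery staple"),
        # A forged proof for the hardware key fails the constant-time check.
        "forged": authenticate(alice, default, "hardware_key", ch, b"\x00" * 32),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that policy is evaluated once, in `available_methods`, and `authenticate` refuses anything that list does not contain, so a banned or retired method cannot be used even by a client that asks for it directly. Retiring passwords at the end of the rollout is then a one-field policy change rather than a code change.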
5. Failing to Measure Success
ROI is the most common measure of results for any IT solution, and passwordless is one of the rare cybersecurity solutions that deliver ROI. It significantly reduces help desk calls, a result that can be measured in hard dollars. It also cuts authentication time by roughly 75%, and this delivers a soft-dollar benefit in terms of efficiency. The user satisfaction passwordless provides, which can be measured in NPS scores, is even more important. In one study of IT professionals, 65% of the respondents cited the user experience as the most important factor for employees. It’s crucial to measure ROI and user satisfaction, both to justify budget expenditures and to identify areas for improvement.
Implementation Best Practices
The first step in implementation should be a thorough review of the existing means of authentication available to employees. The next step is evaluating which are the best candidates for passwordless. That’s followed by a beta program, which should include a variety of non-technical employees. After testing, the next step is the actual rollout, which should proceed gradually and permit coexistence with the old password system, at least at the beginning. It’s best to use industry-standard connectors such as SAML and OIDC.
All in all, the challenges of going passwordless can be overcome with proper planning, processes and communication with users. Consider the recommendations above for avoiding roadblocks when deploying passwordless to workforce environments.