Passwords are inherently insecure, and adding multifactor authentication can help compensate, but ultimately, organizations should be aiming to eliminate the password altogether because strong password polices are difficult to enforce, and passwords are easily compromised and are costly in terms of management, password resets, and lost productivity.
As discussed in the previous edition of KC Navigator, adopting MFA can immediately enable stronger authentication to reduce cybercrime, but it should be regarded as a short-term improvement over passwords alone, with the ultimate goal being truly passwordless authentication.
It could be argued that with the migration to cloud and increased remote working, it is critical for organizations to adopt passwordless authentication, because traditional MFA systems typically involve the use of a password, and are therefore inherently vulnerable.
Fortunately, going passwordless is becoming easier due to the development of new authentication standards and personal computing devices capable of creating and storing biometric data locally in secure enclaves such as Trusted Platform Modules (TPMs).
MFA does, however, offer multiple layers of authentication. For this reason, IT and security practitioners at organizations that require high levels of identity assurance are looking to move their organizations to passwordless MFA to remove the weaknesses of passwords, but to retain the value of multiple levels of authentication.
The modern enterprise finally has ways of combining passwordless and multifactor authentication by using facial or fingerprint scanning, and then authenticating to other systems and services using the cryptographic keys securely stored on the device without the need to create passwords, maintain huge databases of passwords or password hashes, and without any password having to travel over any network.
This approach is a strong form of authentication because it includes multiple factors of authentication, such as biometrics and possession of the device, and there is nothing that can be stolen to enable attackers to hijack legitimate credentials.
The added advantage is ease of use, which is important in improving the end user experience, whether it is for employees or customers. In other words, passwordless authentication combines security and convenience without compromising either.
For these reasons, organizations should be investigating what they need to do to go passwordless as soon as possible to offer end users alternative, easier to use, and more secure ways to authenticate. It will be a long journey because a lot of services, applications and websites still use passwords, but the sooner everyone makes a start, the sooner everyone will benefit.
Passwordless authentication – if you do it right – combines security and convenience, which means you can achieve a higher level of security with a higher level of convenience
— Martin Kuppinger, Principal Analyst at KuppingerCole.
Because we understand the value of implementing passwordless authentication with MFA, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.
This includes live events such the 2022 KuppingerCole European Identity and Cloud (EIC) conference taking place in Berlin and online from 10 to 13 May. The agenda features a dedicated track that includes presentations on Trends in Enterprise Authentication, A Blueprint for Achieving a Passwordless Reality, The State of Passwordless Authentication, and panel discussions on The Future of Authentication and MFA usage in enterprise. There is also a Deep Dive session entitled: MFA, (E-)SSO & Passwordless in Hybrid & Multi-Cloud.
Research
Several Leadership Compass reports touch on passwordless authentication. For an overview of passwordless authentication options, have a look at the Leadership Compass on Identity as a Service (IDaaS) - IGA. Passwordless authentication options for consumers, in particular, are covered in the Leadership Compasses on Consumer Authentication and CIAM Platforms.
For a wider perspective, with particular reference to the enterprise, have a look at the Leadership Compass on Enterprise Authentication Solutions and the one on Access Management.
If you are looking for some suggestions and recommendations for starting on your passwordless journey as quickly as possible, look at this Leadership Brief on How to Get Rid of Passwords - Today.
Advisories
A key enabler of passwordless authentication is mobile biometrics. For more information on this topic, read this advisory on Mobile Biometrics for Authentication and Authorization.
Audio/video
If you would prefer to listen to what our analysts and other experts have to say on this topic, listen to these conversations on How to Combine Security And Convenience and the Future of Authentication, or these analyst chats on Getting Rid of the Password , Enterprise Authentication, and Innovation in CIAM.
For further video content about eliminating passwords, have a look at this presentation that highlights possible pitfalls and necessary considerations when implementing passwordless FIDO and WebAuthn protocols entitled: FIDO for Developers - How Developers Can Master FIDO and Passwordless Authentication Without Adding Unnecessary Complexity.
Strong and continuous authentication is a fundamental building block of Zero Trust. To find out how you can make it happen without making the user experience miserable, have a look at this presentation on Going Passwordless and Beyond - The Future of Strong Authentication.
Learn how to set up your defenses so you have the lowest likelihood of account compromise, and accounts which do fall present minimal risk in this panel discussion on: Zero Trust, Machine Learning, MFA & Passwordless.
Blogs
The development of new authentication standards and new products, devices, and services built on those standards is essential to enable enterprises to move away from password-based authentication. For some keen observations on Microsoft’s introduction of passwordless sign-in support for Azure Active Directory suing FIDO2 authentication devices, read this blog post entitled: Passwordless for the Masses.
Webinars
Several webinars have been dedicated to ways of eliminating passwords, such as the webinar entitled: We Need to Talk About Passwords – Urgently! Have a look at the recording of this webinar to see how your passwordless strategy needs to be carefully considered and integrated into existing architecture.
To help you on your journey towards eliminating passwords, have a look at this webinar on The Path to Going Passwordless, and for more insights on how to use Azure Active Directory in these efforts, have a look at: Managing Azure AD – Regardless of How You Use It.
As mentioned earlier, organizations with a need for high levels of identity assurance and security should consider a combined approach of passwordless MFA. To learn more about this topic, have a look at this recent webinar entitled: Eliminate passwords with Invisible Multi-Factor Authentication.
Eliminating passwords improves security, but to effect fundamental change, organizations must start with the customer experience. To find out what that means in practice, have a look at this webinar entitled: A Customer-First Approach to Identity-Based Authentication.
Eliminating passwords is about improving security, but it is also about identity. Both of these things are at the heart of the Zero Trust approach to security. If you would like to find out more about the relationship between passwordless authentication and Zero Trust, have a look at these webinars:
- What Does the Future Hold for Passwordless Authentication and Zero Trust?
- The Passwordless Enterprise: Building A Long-Term Zero Trust Strategy
- Technological Approaches to a Zero Trust Security Model
Whitepapers
Eliminating passwords is also touched on in several whitepapers. For recommendations on how to go about planning to go passwordless, have a look at this whitepaper entitled: Planning for a "Passwordless" future.
For a useful perspective on Identity API Platforms and an overview of the key capabilities of the AuthO platform in terms of going passwordless, have a look at this whitepaper entitled: Do Identity Right - So Your Digital Business Strategy Succeeds.
For insights on moving to passwordless authentication, have a look at this Whitepaper that discusses an approach to operationalizing validated identity data for enterprise workforce use, entitled: A World with Validated Identities.
Tech Investment
Organizations investing in technologies to support going passwordless, can have a look at some of the related technology standard and solutions that we have evaluated:
- FIDO2
- Beyond Identity Secure Work
- BehavioSec
- WSO2 Asgardeo
- NRI SecureTechnologies: Uni-ID Libra 2.4
- Keyless Biometric Authentication
- Widas ID GmbH cidaas
- BeyondTrust Endpoint Privilege Management
- HID Global Authentication Platform
- Auth0 Platform
- Auth0 Customer Identity Management
- Microsoft Azure Active Directory
- Indeed Certificate Manager
- iWelcome IDaaS and CIAM
- SecureAuth IdP