Planning for a "Passwordless" future
Passwords have been beyond their "sell-by" date for over twenty years, and managing the password lifecycle within an organisation comes at a large cost to any enterprise; passwords also form an attractive target for hackers and organised crime alike. Passwordless systems promise not only to save us from the nightmare of passwords but also to enable a move to an environment where access is based on risk, leveraging multiple factors to determine whether a user should be allowed access, and to provide the foundations for other corporate initiatives such as Zero Trust, Software Defined Networking and a modern work-from-anywhere culture.
Commissioned by Duo Security
1 Introduction / Executive Summary
Passwords have been beyond their "sell-by" date for over twenty years and are regularly exploited, with lists of usernames and passwords being traded for a few cents on the dark web.
Managing existing passwords within an organisation comes at a large cost to any enterprise: figures of between $50 and $70 per password reset are cited, and potentially up to 80% of all help desk interactions involve a password issue.
The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something non-random like 'Susan.' And if it's random, like 'r7U2Qnp,' then it's not easy to remember[^1]. (Bruce Schneier)
Passwordless systems are now a viable solution to the password nightmare, in which users need to remember tens (and in some cases hundreds) of passwords, and, if implemented correctly, they provide a higher level of security.
Passwordless gives us the ability to increase trust in authentication while reducing friction, with the added benefit of increased confidence in the health and status of the devices accessing applications and systems, as well as allowing access risk to be monitored.
A passwordless solution also has the ability to convey identity, authentication and risk information to support other corporate initiatives such as Zero Trust and Software Defined Networking, as well as enable a modern work-from-anywhere strategy.
If successful, you end up with a modern authentication system that does not rely on users remembering passwords and is frictionless for the users, while adding substantially to the overall security posture of the organisation.