The Issue with Passwords Today
Today, passwords are the main gateway to an ever-growing number of online services and to the “crown jewels” of any organisation. Passwords are shared secrets that are managed centrally and known to the system as well as to the user. Ensuring that passwords are secure is the responsibility of both the user and the system, which requires users to follow complex policies set by security teams covering password complexity, expiry, recovery, and so on.

For the end user, passwords introduce the added burden of adhering to complex rules intended to make them unbreachable. They also involve going through complex verification processes if the user forgets the password. An individual user, on average, has 22 accounts and reuses passwords for 16 of them.

What is Passwordless Authentication?
Passwordless authentication eliminates the root cause of user friction and the weakest link in security. It takes away the frustration of remembering, storing, and transmitting passwords along with adherence to complex rules when setting/resetting passwords. It offers a world without passwords, combined with improved security and a better user experience.

The Fast Identity Online (FIDO) Alliance introduced simple and secure ways to authenticate without passwords, along with a new standard, FIDO2. FIDO2 uses the device a user already has, such as a laptop, desktop, or mobile phone, as well as external authenticators that attach over USB or connect over NFC or BLE to authenticate the user.

The FIDO Alliance was established in 2013 and now counts leading global technology, industry, and government organisations among its members. FIDO’s mission is to promote open authentication standards and reduce the world’s overreliance on passwords.

How Does It Work?
Before a user can log in with a FIDO authenticator, they have to register the authenticator with the service, for instance a web, SaaS, or mobile application.

Depending on business and security requirements, the user can register a platform authenticator (built into the device) or a roaming authenticator (an external device), and can choose which local authentication option to use, for example a PIN, fingerprint scan, or pattern swipe. When a user registers for a service, a cryptographic key pair (public and private key) is generated; the private key is stored securely on the user’s device, while the public key is registered with the service. This key pair is referred to as FIDO credentials or simply passwordless credentials.

Benefits of Going “Passwordless”
Passwordless authentication balances security and privacy along with providing an enhanced user experience and ease of integration/adoption, thus making it a compelling alternative to passwords.

  1. Frictionless user experience
  2. Improved security
  3. Privacy by design
  4. Ease of integration and adoption

Can Passwordless Authentication Be Adopted Universally Across Industries?
FIDO2 passwordless authentication has universal applicability and can be adapted for both the workforce and customers. It needs to be tailored to the industry, user expectations, and security and regulatory requirements.

For the workforce, implementing passwordless authentication will help reduce friction, enable remote work, reduce helpdesk password reset costs, and reduce the time spent on password resets.

  • Platform authenticators are best suited for a workforce that has dedicated laptops or desktops, irrespective of whether they work remotely or in the office.
  • Roaming authenticators can be deployed for a workforce that shares machines, such as call centres/ITES or frontline workers in retail. This can help reduce the lack of accountability that may arise with sharing user IDs, a common practice in retail.

For customers, a frictionless experience to access the service from multiple devices is of the highest priority. Organisations aim to offer this experience securely, and going passwordless can help enable this.

Preparing for the Journey to a Passwordless Organization
Moving to passwordless authentication is not just a technology change, but also a mindset shift for all stakeholders—user, security, business, and technology teams. Organisations evaluating passwordless authentication should consider the following while developing their adoption strategy:

  • Define programme goals and outcomes
  • Adopt a platform-based approach
  • Start small and build on success
  • Set realistic and achievable goals for adoption
  • Focus on user experience, communication, and training to maximise adoption
  • Measure and review programme success

Are We Ready to Go Fully Passwordless?
Support for passwordless authentication is evolving as vendors, platforms, and applications continue to build support for FIDO protocols. While factors such as deployment costs, regulatory guidelines, and user readiness will affect full-scale adoption, legacy and modern authentication factors will continue to co-exist as passwordless authentication gains acceptance.

Organisations should start evaluating passwordless login to improve their overall security and user experience. Organisations should also consider utilising frameworks and architecture offered by access management or specialist authentication vendors to enable a smooth transition to a passwordless organisation.
