Is it time to shift to passwordless? Why passwords are on the way out

Passwordless authentication has been steadily growing in recent years. New technologies and increased cyber attacks have made IT leaders and consumers more ready to explore the shift to passwordless.

The overall market size of passwordless authentication tools is a strong reflection of the growing push to leave passwords behind. The passwordless authentication market is expected to grow from US$12.8 billion in 2021 to US$53 billion by 2023, an impressive CAGR of 16.7%.

Additionally, consumers are starting to see how passwordless technologies let them stop memorizing passwords while maintaining security. A recent study found that 61% of consumers are willing to use non-password login methods, with 45% of respondents indicating they are very comfortable using non-password methods.

Both IT leaders and consumers have relied on passwords to secure identities for decades, but now it’s possible to leave them behind. 

Is it time for your organization to shift to passwordless? What exactly does passwordless mean, and what’s involved in shifting to it? Keep reading to learn more about this emerging authentication practice and how your business can put it to work.

What Exactly is Passwordless Authentication?

Passwordless authentication is an umbrella term for any technology or process that allows users to log in with a factor other than a password. Organizations can choose the authentication factor that best fits their security needs and their users’ convenience, or combine several of them.

Identity and Access Management (IAM) is an overarching framework focused on managing how users or customers access resources and what they can do within them. Passwordless is a cornerstone trend shaping the future of IAM.

Passwordless uses a process many users are already familiar with; however, implementation at the IT level can be a challenge. Yet, when done correctly, shifting to this new authentication methodology can provide powerful benefits for both users and enterprises.

Is Passwordless Still Secure?

Let’s take a small step back: why do we even use passwords? They’re a form of authentication that helps secure accounts and company resources. Authentication is any method that verifies a user is the legitimate owner of the identity they’re attempting to use.

Authentication is all about security; it’s not inherently reliant on passwords. Passwordless uses new technologies and processes to provide the same or better security than passwords. Shifting to passwordless also provides customers and employees with a frictionless authentication experience that leaves password resets behind.

Multi-Factor Authentication vs. Passwordless

A common misconception about passwordless authentication is that it’s a new way to describe Multi-Factor Authentication (MFA). However, MFA is a specific authentication practice; it’s not the same as going passwordless. In fact, 72% of IT leaders indicate passwords are an integral component of their MFA strategies.

MFA is a process for increasing confidence that a login attempt is being made by an authorized user. Many organizations use MFA as part of their passwordless process, but the two are not the same thing.

What Enables Passwordless Authentication?

So what exactly allows enterprises to make passwords a relic of the past? First, let’s explore authentication factors and new technologies behind the shift to passwordless.

Three Overall Authentication Factors

Passwords are only one of the three core categories of authentication factors. These categories cover a range of possibilities and are:

  1. Inherence factors: Something inherent to who the user is, such as facial recognition, fingerprints, voiceprints, or any other biometric that is substantially harder to fake.
  2. Possession factors: Something you have, like an RSA key, access to your email address, or your smartphone. While malicious parties can still obtain them, doing so is significantly more difficult.
  3. Knowledge factors: Something you know, such as passwords, PINs, or answers to security questions. These are easier to guess or brute force than other factors.

You can see how the first two factors have only been made possible with recent technology. In the past, knowledge factors were essentially the only option. Now, we have a range of tools at our disposal to improve authentication processes.

Fast IDentity Online (FIDO): The Key to Passwordless

FIDO is a foundational technology behind passwordless authentication factors. Reviewing how the overall process plays out demonstrates how it differs from passwords:

  1. The user follows a prompt to use a FIDO authentication factor, such as a fingerprint reader or second-factor device.
  2. The user then unlocks the authenticator, generating a unique public and private key pair.
  3. Then, the user logs into the service using the same factor they chose during the initial registration.
  4. Lastly, the user’s device verifies that the public/private key pair is a match and logs the user in.

It’s worth highlighting that the first step can still be a password rather than another authentication factor. However, many customers and employees are already familiar with this process, so replacing the password with an alternative factor will create a better user experience.

Additionally, the above process is a general overview and can be extended with additional authentication factors as necessary. To bolster security, you may also consider contextual signals, such as IP address, device, or time of day.
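To make the FIDO flow above concrete, here is an added example (not code from Indigo Consulting or the FIDO Alliance) that models steps 2 through 4 as a challenge-response exchange between a device-held key pair and the service that stores only the public key. It is a simplified single-credential model in Go with hypothetical type and function names; the origin-binding in `digest` is what gives the flow its phishing resistance, and the example shows a relayed challenge from a look-alike origin failing verification.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator stands in for the user's device; the private key never leaves
// it, and unlocking it (fingerprint, PIN) is what authorises each signature.
type Authenticator struct{ origin string; priv *ecdsa.PrivateKey }
// Register is step 2: create a key pair for this origin; only the public half leaves the device.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.origin, a.priv = origin, priv
	return &priv.PublicKey, nil
}
// Sign is step 3: the signature covers the origin the device was unlocked for,
// so a challenge relayed through a look-alike site will not verify at the real one.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if a.priv == nil || origin != a.origin {
		return nil, errors.New("no credential registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(origin, challenge))
}
// RelyingParty is the service; it holds only the public key, so a breach of its
// credential store yields nothing an attacker can log in with.
type RelyingParty struct{ Origin string; Pub *ecdsa.PublicKey }
// Verify is step 4: check the signature over the fresh challenge and our own origin.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return rp.Pub != nil && ecdsa.VerifyASN1(rp.Pub, digest(rp.Origin, challenge), sig)
}
// digest binds origin and challenge together, as WebAuthn's clientData hash does.
func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}
// Login runs steps 3 and 4 with a random challenge (replay protection); seenOrigin
// is the site the device believes it is talking to (hypothetical helper).
func Login(rp *RelyingParty, a *Authenticator, seenOrigin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig, err := a.Sign(seenOrigin, challenge)
	return err == nil && rp.Verify(challenge, sig)
}
```

A real deployment adds a per-credential signature counter and user-presence flags, but the origin check and the absence of any server-side secret are the properties that remove credential stuffing and phishing from the picture.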

Specific Types of Passwordless Authentication

What specific methods can handle the first step of the FIDO process? Passwordless authentication uses either possession or inherence factors, leaving knowledge factors behind.

  • Biometrics: Most smartphones have fingerprint readers, microphones, and cameras, which support three forms of biometrics: fingerprint, voice, and face. An organization can even use all three depending on the level of security it requires.
  • Magic links: You may already use magic links as part of your current MFA workflow in conjunction with passwords. However, magic links can also be a standalone passwordless option that requires possession of the account’s email address.
  • Additional possession factors: RSA keys or smartphones must be physically in the user’s possession for other types of passwordless authentication. As a result, they’re a significant challenge for a malicious user to obtain.

You can combine several of these passwordless options as necessary to secure IT resources and customer accounts. None of them require a password, with the exception of the password to the user’s third-party email account, which is outside of your control and responsibility.

It’s easy to see why and how organizations are shifting to passwordless. Many of these authentication factors are already in use in conjunction with passwords; all that remains is replacing knowledge factors and ensuring all systems are correctly configured and secure.

Benefits of Shifting to Passwordless

Why are organizations across all industries shifting to passwordless authentication? Although we’ve touched on some of the benefits, let’s explore more of the common reasons passwordless is growing in popularity.

Improved Security

A recent study found that 80% of breaches involve compromising passwords, either by using brute force attacks or leveraging stolen login credentials. Passwordless authentication removes both of these possibilities. 

Consider the complexity of imitating someone’s voice or fingerprint, or of physically obtaining their smartphone. While neither is impossible, both are significantly more challenging than running a brute force program or phishing passwords.

Security is ultimately the primary driving force behind the shift to passwordless. User accounts and the IT resources they can access won’t be susceptible to password-based data breaches, a significant risk reduction.

Provides a Better User Experience & Boosts Productivity

On average, an individual has over 100 passwords to manage, making passwordless solutions a must-have for CIAM (Customer Identity and Access Management). Remembering which password to use is frustrating, and many of us are accustomed to doing a password reset for platforms we rarely access. Giving your customers one less password to manage significantly reduces friction and improves customer satisfaction.

This benefit extends to your employees, too. For example, calling IT to reset a password, or juggling three different passwords to access a critical system, is frustrating and time-consuming. Shifting to passwordless entirely removes these processes, letting your employees focus on the tasks that actually contribute to your company.

Decrease IT Costs

Shifting to passwordless can make a noticeable impact on your IT costs. You’ll likely have the upfront expense of new technologies plus the expense of testing and deployment. However, you may realize a reduction in IT expenses in the long term.

Password reset calls will be a thing of the past, and for many help desks, this is the most common type of request. Instead of resetting passwords, your help desk can spend more time solving more complex issues or be cross-trained into other departments where it makes a more significant impact.

Additionally, consider the IT resources consumed every time someone uses a self-service password reset portal. Depending on your organization’s size, eliminating this resource consumption can make a notable difference.

Reduce Account Takeover Fraud

Account Takeover (ATO) fraud primarily targets financial institutions but can affect a user account in any industry. ATO fraud generally involves a combination of social engineering and phishing and allows a malicious user to gain complete control over a user account.

Shifting to passwordless makes it significantly more challenging for someone to conduct an ATO attack, because the attacker needs physical possession of a device or the user’s biometrics to take over the account, rather than a password or other easily obtainable information.

We’re focusing on ATO fraud, but many other types of fraud enabled by social engineering and phishing can also be similarly reduced by shifting to passwordless. 

How to Implement Passwordless At Your Organization

Implementing passwordless authentication at your company can be complex, but it’s not out of reach. A general overview of the process is as follows:

  1. Choose your ideal authentication factors: What factor should replace passwords? We’ve explored a few different options above; consider which one will work best for your users, your security requirements, and your operating expenses.
  2. Decide how many factors to use: Shifting to passwordless doesn’t mean leaving MFA behind. How many authentication factors should you use to validate a user’s identity? Additionally, remember that you can require more factors for privileged accounts than for standard user accounts. Build your new processes with a focus on security and ease of use.
  3. Invest in the right technologies: It’s possible you already have the right hardware and software in place to shift to passwordless. However, most organizations will need to invest in new systems that enable the FIDO process. Start by finding the right vendors to fit your needs and build from there.
  4. Provision users and deploy: Once everything is in place, start provisioning a test group of users and carefully evaluate the process. Don’t skip thorough quality assurance and security testing; you risk creating even more vulnerabilities. After you’re confident in the test group, conduct a phased rollout to deploy the new passwordless authentication process throughout your organization.

Beware that poor implementation can result in an influx of calls to IT or introduce new security risks. Therefore, implementing your passwordless technologies slowly and cautiously is necessary to benefit from the initiative.

Let Indigo Consulting Guide You on the Shift to Passwordless

Shifting to passwordless authentication can provide potent benefits throughout your organization. You’ll remove a common attack vector, provide a better user experience, and cut costs along the way. 

However, improperly implementing passwordless authentication can also create issues. Invest in the right technologies, create new processes, and roll out in phases to avoid these issues.

Indigo Consulting is a leader in IAM, including passwordless authentication. We’re ready to help you adopt passwordless authentication in a way that supports your organization.

Is it time to shift to passwordless or start laying the groundwork? Reach out to Indigo Consulting today to talk to an IAM expert and discover how we can help.

Interested in learning more about Agile Development for IAM Solutions? Download our eBook today!