Sikov - stock.adobe.com
Passwordless authentication issues to address before adoption
The technology for passwordless authentication exists, but challenges remain. Companies must grapple with differing use cases, legacy software, adoption costs and more.
Most agree that passwords aren't the best way to keep accounts secure. One alternative vendors and customers are looking into is passwordless.
In fact, 67% of respondents to a 2021 Forrester survey said they are in the process of adopting passwordless for employees or partners.
Moving to passwordless, however, is not without its challenges. It isn't like flipping a switch; passwordless adoption can be time-consuming and resource-intensive. Before diving into the world of passwordless, companies must figure out how to address the following seven issues.
1. Accommodating employee roles and use cases
It may sound possible to initially deploy passwordless across an entire organization, but decision-makers may not realize how to implement passwordless for the various roles across their companies. The more complicated a business environment, the more difficult it is to roll out passwordless authentication methods.
"For knowledge workers, mostly on their laptop or desktop, mobile methods might work well -- something like sending a notification to their phone," said David Mahdi, analyst at Gartner. "But what if you work in a lab or clean room or are a factory worker? You need access to the same systems, but if you have to wear gloves or can't bring a device into your work environment, what do you use then?"
The issue is further complicated when accounting for third-party workers, such as contractors.
Dynamic environments require companies to decide which passwordless authentication methods are viable for which employees and users. Maybe knowledge workers use biometric authentication through smartphones or other endpoints, while field workers use smart cards, for example. Contractors are the more difficult side of the equation. One option is to use products that handle onboarding and verification and then integrate risk scores and step-up authentication from there.
2. Handling legacy applications
One of the most complicated aspects of moving to passwordless is making it viable with legacy applications, many of which may not work with anything but a password.
"Certain legacy technologies may be bound to a password," said Chris Goettl, vice president of product management at Ivanti. "In those cases, you have to create a connector for each application to bypass the password."
Vendors that help connect legacy applications with modern authentication methods exist, but it creates an extra level of complexity. One option companies can consider is password vaulting, which offers a passwordless experience and may reduce password reuse.
Newer organizations not reliant on legacy applications have an advantage over older companies that likely have legacy software in use.
"A company that goes fully cloud with newer technologies that support new approaches will be the first to get to a fully supported passwordless state," Goettl said. "A brand-new startup probably has the best chance of achieving full passwordless authentication across the entire organization."
3. Determining the technology required
To employ passwordless, the proper software and systems must be in place. Before choosing a passwordless product, companies should review their current deployment capabilities. Some companies may already have pieces of the puzzle in place. Larger organizations, for example, often already have passwordless in some capacity, said David Strauss, CTO at WebOps vendor Pantheon. For example, with Microsoft Active Directory, companies can set up their Windows users with a passwordless experience.
Beyond reviewing the technologies already deployed, companies must determine what tech is needed now and in the future. For example, Goettl said he spoke with a company that was still using Android 5 and would be for several more years. A passwordless deployment is inefficient and ineffective if it won't work with a company's current systems and devices.
Also, consider how technology being introduced works with passwordless. "Windows uses stereoscopic infrared, while my phone uses multipoint mapping," Strauss said. "I can't have the same facial profile between my phone and desktop. The inconsistency in hardware means companies require a polyglot approach. This means having other paths for authentication for devices without facial recognition."
This creates added complexity as many companies have expanded into heterogeneous deployments, which, in turn, may reduce vendor options and lead to using multiple products. Vendors may be equipped to tackle Windows and macOS deployments, for example, but not Linux devices.
"When customers go to pick a vendor, they find they have a laundry list of use cases to cover and methods that will work," Mahdi said. "Think about banks. They have a whole raft of different tools -- some that overlap. They're doing this because maybe one method works well when you go into a branch and one works better for mobile."
4. Accounting for the cost of passwordless adoption
Once decision-makers know what they need for passwordless deployment, it's time to figure out how much it will cost. Both technology and IT admin costs must be accounted for.
Some initial questions to ask are the following:
- How much new technology and software are needed?
- Can costs be alleviated by having employees use their own devices?
- Do employee devices need to be managed, or can they be unmanaged? What does that entail?
- How will the new technology and software be managed? Who will be in charge of managing it?
The last two questions are especially important given that no deployment works flawlessly, and employees will need help learning the software, as well as how to handle lost or broken devices.
5. Keeping UX top of mind
A seamless, positive UX is critical when considering passwordless adoption. Ensure the rollout doesn't create too much friction or add too much complexity to the login process. Users should be able to enroll and learn a new authentication method without it being an arduous effort.
"If it's not a better experience than remembering a password, users are going to get annoyed," Goettl said.
Before adopting passwordless, companies need to figure out how to handle situations where a device is lost or broken and how reenrollment works.
6. Focusing on employee data privacy
Privacy is another aspect that must be addressed. Some workers may be willing to adopt passwordless, but that's not always the case.
"Mobile devices are part of our daily experience, but those experiences are largely unmanaged," Goettl said. "As you go outside the U.S., the barrier for allowing the authentication mechanisms increases. The EMEA [Europe, Middle East and Africa] market especially has a privacy mentality right now."
Employees do not want companies to have access to their personal devices, worried about what personal data employers can see or interact with. Privacy also extends beyond device management to how captured biometric data is stored and used by employers and organizations with apps on that device.
Regulatory issues come into play, too. "From a privacy standpoint -- outside the user identity aspect -- how does, for example, Verizon or AT&T capture information?" said Tauseef Ghazi, principal and national leader for security and privacy risk services at RSM US. "What about every single application running on the phone? Do they have access to your location services or health information?"
Companies must figure out how to keep business data secure on corporate-owned and employee-owned devices without being intrusive.
"It's less of a technical problem," Ghazi said. On Android, for example, work profiles keep corporate and personal apps separate. For single apps, companies can use containers to improve security without needing to manage entire devices. Mobile app management and device attestation are other available options.
Managing privacy involves determining what's reasonable when collecting employee and user data, especially around biometrics. Have conversations with employees about what they would have to accept in exchange for passwordless.
7. Managing employee expectations
Companies must stay on top of passwordless expectations and hype.
"One risk is having overinflated expectations of what passwordless can do and then maybe spending too much and rolling it out too fast," Mahdi said. "We get into that trough of disillusionment."
Ditching passwords is an exciting prospect, but don't overpromise the experience to employees. Passwordless is the end goal, but ensure employees understand it will be a slow rollout and to expect issues as everyone adapts. Keep users informed about the rollout process and what user groups will be included in the deployment, as well as when and how.