Guest Post

Migrate to passwordless to enhance security and UX

Transitioning to passwordless authentication enables organizations to strengthen user account and sensitive data security without adding UX friction for end users.

Passwords are a weak and frustrating yet commonplace element of workforce and customer authentication. Migrating to passwordless authentication enables organizations to get an easy cybersecurity win by strengthening protection of end-user accounts, which are a top target of cybercriminals.

Adding a token or biometrics alongside legacy passwords to implement MFA can reduce account takeover risks, but organizations that continue to rely on passwords -- even as part of MFA -- are less secure than those that migrate to passwordless methods.

A variety of passwordless methods and flows are widely available and can be readily implemented across a range of use cases for both workforce and customer authentication. However, other use cases -- particularly for the workforce -- can be challenging and demand additional investment.

Security leaders should migrate to passwordless authentication wherever they can -- and as soon as they can -- to enhance security and optimize UX. This migration should also take into account other needs, such as phishing-resistant MFA and strong customer authentication.

Following is a three-phase approach to help organizations maximize improvements in security and UX in the near term.

1. Plan a phased migration to passwordless

The initial phase involves planning the migration with other stakeholders in cybersecurity and across the business. Planning should include the following steps:

  1. Identify use cases, starting with an inventory of where passwords are used.
  2. Agree on the target states based on security and UX goals.
  3. Identify preferences among different methods and flows.
  4. Create a roadmap for workforce and customer use cases.

An example for step two is that the current state could be a lower-risk use case that relies on passwords, but the target state is to migrate to passwordless single-factor authentication.

2. Embrace out-of-the-box options and focus on supported use cases

Security leaders considering passwordless authentication often ask about heavily marketed third-party tools, overlooking the capabilities in their existing infrastructure that can more quickly yield benefits. This includes endpoint devices, especially smartphones, but also tablets and PCs. It also includes existing identity and access management tooling.

Because of this, security leaders should exploit these options as widely as possible initially to minimize time to value without additional technology investments. Customer and workforce use cases have different needs and constraints that must be considered, such as the following:

  • Customer authentication. UX optimization is heavily weighted in these use cases, as poor authentication UX has a known negative impact on customer experience and retention. Security cannot be discounted, however, especially where there are regulatory requirements for strong customer authentication that demand multiple authentication factors.
  • Workforce authentication. Improved security is an important consideration in this use case, where there is an increasing emphasis on phishing-resistant MFA. UX optimization is still significant, however, and account management tools play a significant role here. Major account management tools support FIDO2 and WebAuthn, and most vendors also have their own proprietary passwordless methods and flows. However, account management tools enable passwordless authentication only for SaaS apps, web apps and those legacy apps that support federation.

Security leaders should always start with a diverse pilot program, including different business roles and a wide variety of demographics among accounts chosen to test. Subsequent waves should be based on the size and diversity of the organization and the number of in-scope use cases. Broadly, the larger and more varied these are, the more waves are needed. Security leaders should weigh time to value against possible business disruption and consider service desk capacity.

3. Invest further when existing tools cannot solve all use cases

In this phase, determine the different scenarios where needs cannot immediately be met using current out-of-the-box options.

One such scenario is where the target systems are out of scope for out-of-the-box options, such as legacy data center applications -- including mainframe -- or operational technology assets that are not directly supported by incumbent account management or user authentication tools. This leads to one of three outcomes: investment in bridging tools, use of incumbent tools to extend the scope of out-of-the-box options, or investment in additional methods.

Another scenario is where out-of-the-box options can't provide the preferred approach for one or more use cases. This might be because out-of-the-box options can't be used or because the preferred methods, such as third-party biometrics, aren't available out of the box. This leads to investment in additional methods.

The last scenarios are where it is technically infeasible to implement passwordless methods or flows or to eliminate passwords, or where implementing passwordless methods is contraindicated -- e.g., due to high implementation overheads or limited application lifetime. This leads either to investment in new tools -- or use of incumbent tools -- to ease the use of remaining passwords and optimize UX, or to investment in compensating controls to address residual risks.

Ant Allan is a vice president analyst in Gartner Research. He is a core member of the Identity and Access Management research community and the IT Leaders' IAM practice. Allan specializes in user authentication and other identity corroboration technologies, along with supporting processes, policies and best practices. He presented on these topics at the Gartner Identity & Access Management Summit, which took place December 9-11, 2024, in Grapevine, Texas.