As you are no doubt aware, passwords are not a great solution for protecting your data, applications and services. From a user’s perspective, either lots of different and complex passwords need to be memorised, which is pretty much impossible, or they are written down or stored somewhere, which is clearly undesirable.


From a hacker’s perspective, passwords can be cracked with sophisticated tools, obtained from users through phishing emails (specially crafted, legitimate-looking emails that ask users to change their password on a website), or the databases they are stored in can be captured and disseminated – something that happens all the time.

Of course, there have been numerous solutions trying to protect passwords, from multi-factor authentication to password managers, but they are all ultimately papering over the cracks.

So, if we accept that passwords have had their day, what’s the alternative? How about a passwordless solution?

A passwordless solution? That sounds intriguing

Instead of relying on traditional passwords, then, passwordless solutions use alternative methods for validating user actions, such as biometrics (like a fingerprint or facial recognition), hardware tokens (like those that some banks provide), cryptographic keys, or one-time codes sent to a registered email or mobile phone. These are also normally combined with single sign-on solutions for cloud applications or services, using modern authentication capabilities (such as OIDC/OAuth and SAML2, if you’re into alphabet-soup technology terms).

How does a passwordless solution help?

  • Passwordless solutions eliminate the traditional risks of passwords by replacing them with more secure authentication methods, reducing the likelihood of unauthorised access.
  • Passwordless authentication simplifies the login process for users. Any passwordless solution should begin at the desktop login, so that complex passwords are no longer required. This can reduce friction and improve user satisfaction during the login process, whilst also providing significantly improved security.
  • By eliminating passwords, passwordless solutions can effectively mitigate the threat of password loss caused by malicious activity, as there would simply be no passwords for attackers to get hold of.
  • Passwordless solutions can be easily scaled across different systems and platforms, providing a consistent authentication experience across applications. They can integrate with existing identity and access management (IAM) systems such as Entra ID (previously known as Azure AD), Okta and others, enabling you to adopt passwordless authentication without major infrastructure changes.
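To make the "cryptographic keys" method above and the point that there are no passwords for attackers to get hold of concrete, here is an added example (not code from the original post or from Silversands) of a simplified public-key challenge-response login in the style of FIDO2/WebAuthn. The server stores only a public key per user, issues a random one-time challenge, and verifies the authenticator's signature over it; the private key never leaves the user's device. The `Server` and `Authenticator` types and the user name `alice` are assumptions constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds the relying party's credential store. Note what is absent:
// no password hashes. A breach of creds yields only public keys, which
// cannot be used to complete a login.
type Server struct {
	creds      map[string]ed25519.PublicKey // user -> registered public key
	challenges map[string][]byte            // user -> outstanding one-time challenge
}

func NewServer() *Server {
	return &Server{creds: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the enrolment step: the authenticator's public key is stored.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.creds[user] = pub
}

// BeginLogin issues a fresh 32-byte random challenge for the user to sign.
func (s *Server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.creds[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// FinishLogin checks the signature over the outstanding challenge and
// consumes the challenge whatever the outcome, so a captured signature
// cannot be replayed later.
func (s *Server) FinishLogin(user string, sig []byte) bool {
	c, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	pub, ok := s.creds[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, c, sig)
}

// Authenticator models the user's device (a TPM-backed platform key behind
// Windows Hello, or a roaming security key). The private key is generated
// on the device and is never sent to the server.
type Authenticator struct {
	priv ed25519.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Sign is what the local biometric or PIN unlocks: a signature over the
// server's challenge, released only after the user gesture succeeds.
func (a *Authenticator) Sign(challenge []byte) []byte {
	return ed25519.Sign(a.priv, challenge)
}

func main() {
	srv := NewServer()
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", auth.PublicKey()) // constructed user name

	challenge, _ := srv.BeginLogin("alice")
	sig := auth.Sign(challenge)
	fmt.Println("challenge:", hex.EncodeToString(challenge))
	fmt.Println("login ok:", srv.FinishLogin("alice", sig))
	fmt.Println("replay ok:", srv.FinishLogin("alice", sig)) // false: challenge consumed
}
```

The two checks in `main` are the ones worth carrying into any real deployment review: a successful login must consume its challenge, and the server-side store must contain nothing that, if leaked, lets someone authenticate as the user.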

Sounds great but is there a catch?

Hopefully, you can see that passwordless solutions offer significant benefits and are the way forward, but it’s worth noting that they are not without challenges. For example, you will need to carefully consider factors such as user privacy, robust security protection for the alternative authentication methods themselves, and the potential need for fallback options in case of authentication failures or devices being unavailable.

The user experience is also a critical consideration: logging in should be convenient and intuitive for users, and shouldn’t create unnecessary friction or inconvenience.

One of the most overlooked areas of a passwordless solution is compatibility with existing systems and applications. Whether the solution can integrate smoothly with your different platforms, architectures, identity providers, and identity and access management (IAM) systems should be carefully considered. You wouldn’t want a solution where 60% is passwordless and 40% still uses passwords, since the weakest link in the chain would remain in place.

Another consideration is the ease of deployment and adoption, as changing the way your users log on, even if it is ultimately better, may cause disruption during implementation. No one likes change, after all.

It’s also important to have contingency plans in place in case the chosen authentication method fails or becomes unavailable. Implementing alternative authentication mechanisms or backup options, such as temporary passwords or recovery codes, can help users regain access to their accounts.


Passwordless looks like the way to go, but how do we get there?

The journey to a passwordless future usually begins with an assessment of your environment, needs, and goals to ensure that the solution provides the comprehensive coverage required to be successful.

During this process, a discovery activity examines your current platforms, including authentication methods and their alignment with your business systems and services. This discovery also evaluates your IT administration practices and considers how they will be affected by the implementation of a passwordless solution.

Based on the discovery and assessment, a solution design is created to outline the specific areas the passwordless solution will focus on.

After finalising the design, the passwordless solution is implemented using a phased approach alongside functional testing and updating any process definitions. Initially, a limited number of users are selected for a controlled deployment. This allows for careful monitoring and gathering of feedback to address any issues before expanding the solution to a larger audience.

An important part of the implementation is to enable ongoing monitoring to track the usage, performance, and security of the passwordless solution. It is essential to continuously evaluate its effectiveness and make any necessary improvements during and after the deployment activity.


What does Silversands provide?

We offer consultancy services to provide a customised and comprehensive approach to your passwordless implementation. We consider all relevant aspects of your organisation or business to design and deliver a solution that fits seamlessly and securely within your environment.

Our consultants will assess your requirements and objectives and ensure that any existing environment changes or technical and operational factors are considered as part of the design or validation process.

Some of the areas where we have helped our customers with passwordless solutions include:

  • General review of passwordless goals and considerations in a heterogeneous environment
  • Integration of authentication protocols and methods with Active Directory/Azure Active Directory
  • Consideration for accessibility – do any users have diverse accessibility requirements, including any with disabilities?
  • Onboarding processes – how will users onboard and offboard, and how does this impact existing manual or automated processes?
  • Integration of authentication protocols with line-of-business systems
  • Design, deployment and adoption of Windows Hello for Business
  • Review of third-party identity providers (IDP) and passwordless offerings, such as ‘PingID’
  • Design and implementation of Okta FastPass
  • Consideration for WebAuthn and FIDO2, both of which support authentication into online services using passwordless technologies such as Windows Hello and Apple Touch ID
  • Consideration for the types of user personas within an environment to ensure that all are considered alongside passwordless requirements

With our deep expertise, you can have confidence that your passwordless solution is designed appropriately, implemented correctly and that it will provide the enhanced security you are looking for.