Login details are criminals’ favorite type of data, as they allow complete impersonation of a legitimate user on your system. By successfully compromising an account, an attacker becomes a wolf in sheep’s clothing, appearing completely innocuous until they launch their attack.
One of the most common consequences of cracked credentials is a data breach, the average cost of which has skyrocketed to $4.24 million. This threat is amplified by an overreliance on just email and password for accessing hundreds of apps – and the fact that 81% of people reuse their passwords. Password prominence in your organization makes phishing attacks a flowing source of illicit income, and there’s even a flourishing market for their resale. For cybercriminals, your credentials are truly the gift that keeps on giving. The biggest risk to your organization’s bottom line is the very feature designed to keep you safe.
Even without the added pressure of cybercrime, passwords represent a major headache for productivity and customer satisfaction – 25% to 40% of internal IT help desk calls are attributed to password issues, swallowing up millions in paid time per year. This is precisely why passwords are irrevocably becoming obsolete – they represent a major security vulnerability.
Today, in order to break the vicious cycle of inconvenience and security risks, organizations need to completely restructure their account verification architecture. This is achieved through Passwordless Authentication. More and more companies are realizing that access to their services need no longer be shackled to a system of password theft, reuse, mismanagement and frustration.
However, while passwordless is the way to go, you might want answers to a few key issues before committing to this new type of approach, along with a simple 5-step guide to implement password authentication.
The 3 Main Considerations for Passwordless Protection
#1. What Should I Look for in a Passwordless Provider?
Passwordless may be revolutionary – but there’s already a staggering number of solution providers to choose from. Your passwordless provider should combine the three major necessities of modern authentication: security, convenience, and flexibility.
- Security: Storing passwords is inherently risky: one data leak could severely compromise the safety and security of swathes of customers, irreparably damaging your brand. By removing the necessity to store passwords, credential theft becomes nigh impossible – they can’t steal what you don’t have. Instead, Fast Identity Online (FIDO) represents the standard for passwordless authentication methods. FIDO2 certified solutions, such as Microsoft Windows, rely on cryptographic authentication. The login process requires an asymmetrical key pair. These credentials—and the login token created in the passwordless login process —are encrypted, bound to the user’s device, and are not shared across any network.
- Convenience: Security may be the core focus of identity access management, but convenience defines the user experience. Consumers are increasingly frustrated with having to create endless online accounts, for good reason – there’s nothing more annoying than managing endless password replacements. An effortless and adaptable verification process – whether that’s with your webcam, fingerprint sensor, or mobile – removes a major source of churn in your customer purchase funnel. For your colleagues, passwordless allows for sleek navigation throughout your tech stack, improving productivity and reducing the workload on your IT team.
- Flexibility: Finally, your passwordless solution must be as flexible and adaptable as your brand. The solution needs to integrate smoothly and hassle-free with your current assets, alongside adapting to your own proof-of-concepts and reconfigurations in your journey toward total password freedom.
#2. How Does This Whole Passwordless Thing Work?
Passwords are for a few months at a time; biometrics are for life. Whereas traditional verification forms allow for anyone to be hiding behind their screen, biometrics prove who you say you are without the hassle.
Let’s say your customer wants to login to a public-facing application with an iris scan. The application, set up with passwordless authentication, will present its public key via the Client to Authenticator Protocol (CTAP). Think of this public key as a padlock. A quick scan of their eyes is converted to numerical data – this is the private key. The WebAuthN process then compares this local key to the one associated with the customer’s account: if the cryptographic pair is matched, they’re allowed in. Both CTAP and WebAuthN are core components to FIDO2.
During registration, a User ID is created and logged to at least one of the user’s devices. This means that the end user doesn’t even need to input a username when authenticating. The authenticator simply recognizes the match of device and biometric input.
Some users may not have devices that facilitate face or iris recognition, or may not be comfortable doing so. That’s no issue – passwordless access should be made as accessible as possible, so even mobile device-based access is possible; no third-party app required.
#3. How Do I Overcome User Reluctance?
Change is always difficult – especially when you’re shaking up a process that everyone has engaged with multiple times a day for decades. To facilitate user adoption, you’ll need to visualize how individuals go about their day-to-day activities. This is why it’s vital to have a flexible solution that can adapt to your developing understanding of user reluctance. An agile solution can be rapidly reconfigured to reflect your user’s preferences, allowing for a 100% adoption rate.
Alongside implementing the most user-friendly configuration as possible, your users may also need to be educated on the risks of the traditional password. 193 billion credential stuffing attacks took place in 2020, most of which were automated. Those programs will simply mix and match email and password combinations across every relevant website, brute-forcing their way into your personal data.
FIDO2 passwordless solutions also remove the rising threat of phishing attacks, as the physical keys are limited only to your local device, and FIDO2 tokens do not authenticate with websites not identified as trustworthy.
The 5-Step Implementation Process
Passwords are heavily outdated, and it’s time to reinforce your company’s security and productivity with a modern solution. Getting started can be the hardest step, so we’ve broken down the passwordless authentication implementation process into 5 manageable steps.
Step 1. Develop a Replacement Use Case
Before taking the leap to passwordless authentication, you need to know what solution this new login process will be based on. Defining your requirements greatly rewards those who dedicate the time and effort at this stage.
The best starting point is to develop a comprehensive overview of the departments in your organization, and the apps that they interact with. This must be thorough and accurate, and it’s wise to develop an understanding of the stakeholders within each department that will aid you on the road to password freedom. Realistically, it’s easy to lose sight of how your organization has grown or shrunk over time, so this step is vital in clarifying your own scale.
A typical company runs hundreds of applications. Attempting to develop a thorough understanding of each application’s authentication methods and security practices rapidly becomes a nightmare at this scale. Rather than attempting to map out and replicate the security of each individual application, it’s more efficient to focus on consolidating authentication workflows into one central management structure. This means you can follow roughly similar authentication paths, streamlining your own understanding of your passwordless solution must-haves.
One example of a central management system is single sign-on (SSO), or managed portals through protocols such as Security Assertion Markup Language (SAML). Not only does consolidating as many apps as possible into manageable workflows make your IT teams’ lives easier, but it can also facilitate making non web-based apps go passwordless. Remote desktop software, for example, may not be web-based, but it’s possible to implement a proxy and client software, which then opens a passwordless prompt. There are a number of passwordless solutions that can support this, which may seem overwhelming; GlobalDots is trusted by global companies such as Swiss, IBM and PayPal to focus on a brand’s individual requirements and concerns, guiding you to your best solutions.
Step 2. Complete a Risk Assessment and Prioritize
Once you’ve developed an understanding of your own requirements and found a suitable passwordless solution provider, it’s time to start prioritizing. Analyze the risk associated with each information system in your organization. The goal here is to determine both the probability and the effects of a potential breach.
This helps to clarify the authentication requirements for each system, relative to the level of risk they present. It will also allow you to prioritize your work, with a faster rollout focused on the highest risk systems. A provider that allows a piece-by-piece implementation process really helps in this step; if a mature organization is suddenly switched to passwordless overnight, the IT team risks becoming swamped in a flood of ensuing support tickets.
Step 3. Reduce the User-Visible Password Surface Area
The main barrier to user adoption is habit. Users are conditioned to rely on their passwords dozens of times per day. This third transitional step towards a totally passwordless environment is removing as many password login prompts as possible. Even at this transitional phase, you can already expect to see benefits. In allowing users to seamlessly move from system to system, they begin to experience the ease of passwordless authentication. Another major benefit at this step is, by eroding the habit to input a password at any credential screen, your company’s defenses against phishing are already beginning to strengthen.
Your users will be comfortable with passwordless in no time, but the first time encountering an unfamiliar prompt to scan a fingerprint or face can be unnerving. If a user expects to enter their password, then suddenly being asked to enter a PIN or scan their face can be confusing – or suspicious. You’ll need to use the information from step 1 to evaluate each department’s passwordless login flow and work out a strategy for educating and assisting users through their first passwordless logins.
Step 4. Transition to Full Passwordless Deployment
Once you’ve minimized the number of times that users encounter password prompts, you can transition over to a truly passwordless environment. In an ideal world, the user could sign up to the solution and never encounter an authentication prompt again; even if they need access to a legacy system, a passwordless proxy simply redirects them. However, the real world is never quite that easy.
Let’s say you’re a few weeks into passwordless deployment and one of your users loses their first authentication device. Even though their personally identifiable information should still be protected by a PIN or biometric feature, it’s important to remove that credential from your system as soon as possible. Your passwordless provider should include an admin control panel which allows you to view your users and change which devices they have enrolled. You should have a quick and easy way to invalidate the lost device and credentials through this interface, then add a new device.
Keep a close eye on user complaints and concerns during this time; a flexible passwordless solution will allow you to modify your approach on the fly.
Step 5. Eliminate Passwords from the Identity Directory
The final shift to a truly passwordless environment is – once your users are fully weaned off the password process – removing these passwords from your storage. This is the ultimate goal of a passwordless strategy, and it’s tempting to put it off until every single application is modernized and implemented with direct passwordless access. However, sometimes passwordless can simply be unsuitable for a particularly old or bespoke app. Sometimes you may have to retain the odd password here and there; this is not as big of a flaw as you may feel. For every user that is shifted over to passwordless, the attack surface shrinks that bit more.
How GlobalDots Can Help
Innovation is vital to security. That’s why we’ve collated powerful solutions for brands such as PayPal, IBM and Wix that solve the decade-long password problem. Working toward a successful passwordless rollout requires a cohesive view of your organization that accounts for the user experience at every level. In return, the bloated threat of ever-evolving phishing attacks is eliminated, and your users are rewarded with a smoother login process than ever before.