
Forget Old-Fashioned Passwords – Passwordless Is the Future

source link: https://devm.io/security/passwordless-the-future-001

Enhancing Security, User Experience, and Organizational Resilience


David Higgins

31. Jan 2024


Strong, unique passwords are necessary to stop attackers from infiltrating systems. But creating a new password that meets every complexity requirement is a real struggle, so users tend to cut corners. In fact, 71% of accounts are protected by passwords that are reused on multiple websites. The risk of that shortcut should not be overlooked: passwords are among the most frequently targeted credentials, and once one site is breached, every other account that shares the same password is exposed.

With a stolen but valid password, an attacker logs in as a legitimate user, can then elevate to administrator or superuser privileges, and can cause significant harm to a company's security and reputation, potentially leading to serious financial damage.

To address the security issue linked to passwords, businesses have increasingly adopted multi-factor authentication (MFA) to help prevent unauthorised access. MFA means users must provide an additional form of verification, such as a one-time code received via email or SMS, approval of the login request through an app on their phone, or tapping a smart card, before they can log into applications, corporate networks and resources.

However, threat actors have developed numerous techniques to bypass MFA: stealing the session cookie after the user has already authenticated, relaying the one-time code through a look-alike proxy site or other social engineering, or bombarding the user with push prompts until one is approved (MFA fatigue). MFA remains a must-have, but it is less of a silver bullet than originally thought.

Businesses must go one step further: remove the weak password that can be stolen in the first place, and choose factors that resist the social engineering and other attacks that undermine MFA. Having no password at all might seem counterintuitive, but it may actually be the most secure approach.

Improving user experience and security with passwordless authentication

While the concept of passwordless authentication is not new, organisations have only recently started moving away from traditional passwords. Strictly speaking, passwordless authentication is any means of validating the user that does not rely on a memorised secret, so it covers everything from a one-time code sent by SMS or a QR code scanned at login to public-key credentials such as FIDO2 security keys and passkeys. The security gain depends on which of these is chosen. A one-time code can still be phished or intercepted in transit; a public-key credential is far harder to abuse, because the private key is generated on the user's device, never leaves it, and is only unlocked after the device has verified the person (PIN or biometric). With key-based factors, password-related risks are vastly reduced and identity security is bolstered.

Passwordless authentication also offers a better user experience and improved productivity by providing a more seamless sign-in experience. Additionally, it reduces IT overhead by freeing up resources used to assist end users with account unlocks and password resets.

The key to achieving a passwordless environment

The reality is that no organisation can go passwordless from day one, and many companies will never be able to go completely passwordless: too many legacy systems that require a password (older protocols, service accounts, embedded and third-party applications) are deeply entrenched in IT infrastructure. So it is about finding the balance that makes sense for each enterprise from a security, effort and cost point of view.

Going passwordless is a big commitment, especially when companies must deal with thousands of users, countless applications, hybrid and multi-cloud environments and complex login flows. With technology constantly evolving and user adoption increasing, successfully achieving an entirely passwordless environment involves a phased approach.

While passwordless technology brings significant benefits, organisations must understand that the journey to passwordless authentication is unique to the requirements of every business, and the same approach cannot be applied to every company. In fact, a successful transition depends upon selecting the best authentication factors that align with each business and user needs.

Considering IAM solutions to successfully move towards passwordless

Although eliminating passwords entirely might be difficult for certain businesses, reducing reliance on them is feasible by implementing the right identity and access management (IAM) solutions that support passwordless use cases. When considering IAM solutions, there are some specific capabilities that businesses must look for.

  1. Zero sign-on (ZSO) is the first pillar of a true passwordless solution. It uses strong cryptography, typically a certificate issued to the managed device, and combines the user's identity with contextual information such as the device fingerprint and its security posture. The key benefit of ZSO is that users log in seamlessly to their assigned applications and services without additional prompts once their device has been verified and meets posture requirements. Combining ZSO with the other passwordless factors best suited to the business is a good way to enhance both usability and security.
  2. Almost every identity vendor supports FIDO2 Web Authentication (WebAuthn), and this standard is critical to enabling passwordless authentication for typical end users. Building on FIDO2, passkeys are FIDO credentials that can be synced across a user's devices, so the same credential works on the phone, laptop and tablet without re-enrolment; they rely on each device's own security capabilities (hardware-backed key storage, PIN or biometric unlock), further improving the individual's experience. Passkeys are also highly phishing-resistant: the browser binds each credential to the site's registrable domain and records the actual origin in the signed client data, so a look-alike site cannot obtain a usable login assertion. Unlike one-time codes or push approvals, which depend on the user noticing that something is wrong, there is no human judgement in the loop for an attacker to exploit.
  3. In today's multi-device world, it is essential to authenticate to endpoints the same way as to applications and internal resources. Passwordless endpoint authentication provides a better user experience and stronger security without hurting productivity.
  4. With remote work now the norm, secure VPN access for remote and hybrid users is critical. In particular, adaptive MFA is recommended when a user reaches the corporate network through a VPN. It adds a layer of protection for the corporate network and on-site applications while keeping the login smooth: the session is continuously evaluated against contextual and risk analytics, and only steps up, with passwordless factors, when the risk warrants it. Adaptive MFA is effective because a high-risk user or request faces additional steps before access is granted, while a low-risk one is not slowed down.
  5. For a true passwordless experience, the solution must let users self-enrol, replace and delete their passwordless authenticators under appropriate security controls, and must offer a wide variety of alternative passwordless authenticators to choose from. For instance, if a user loses their phone, they should be able to enrol a replacement through another passwordless factor, subject to the same controls; a recovery path that falls back to a password or a help-desk reset reintroduces the very weakness passwordless was meant to remove.

Going passwordless to securely embrace the future

Traditional passwords come with serious challenges, chief among them the risk of attackers stealing them to infiltrate networks. Multi-factor authentication (MFA) has been widely adopted, but its weaker factors can be bypassed, and passwordless authentication is the next step for improving security, user experience and organisational resilience against cyber threats.

But going passwordless requires strategy, planning, partnership with trusted vendors and a disciplined move toward organisational adoption and continued education. Receiving support from leadership, as well as collaborating with an experienced and well-established vendor are also essential to successfully drive this initiative. When engaging with an IAM provider, businesses must make sure they can support the organisation’s security needs – only then will companies be able to combat current and future threats.

David Higgins

David Higgins is EMEA Technical Director at CyberArk. Since joining CyberArk in 2010, David has worked to help the world’s leading – and most complex – organisations secure and protect their privileged access.
