Authenticating digital access without using a password has been promoted since 2014. In the ensuing nine years, however, no one has yet pulled it off. A big reason: Going completely passwordless is likely not feasible.
But the idea is catching fire today in the business world. Several Big Tech companies including Microsoft committed last May, on World Password Day, to eliminate password authentication in accordance with the Fast Identity Online Alliance (FIDO) protocols.
To make a graceful transition to password-“less” — less, not zero, password use — organizations should lay the groundwork, then proceed carefully and deliberately, step by step. They can then avoid the most common cause of stalled projects over the past decade: authentication tools that are incompatible with their operating system or computing devices.
We now have a number of more secure and convenient — and often less costly — ways to guard our digital gates. But those who say we can do away with password authentication entirely are mistaken.
Most organizations rely on a large number of directories, applications and services that require passwords. The only way to bypass the password completely would be prohibitively expensive: you’d need to replace or rework each of these older apps and services to accept other forms of authentication.
And passwords aren’t all bad. They provide a useful backup in the event of authentication software glitches or the loss of online access that prevents authenticator codes from coming through.
While we’d be hard pressed to name a single organization that is password-free, we know several entities that have reduced password use for employees and customers. These enterprises, with our help, have generally seen costs go down and productivity rise.
These clients answered five key questions before the transition — questions that grounded them in reality, helped them prioritize and laid the groundwork for success.
Why do you want to eliminate passwords? Knowing the reasons can help you set key performance indicators (KPIs) that tell you how you’re progressing toward your goals, and when you’ve arrived. Examples include:
User improvement KPI. Humans tend to choose the path of least resistance. We want to do our work and make our transactions easily and quickly — and that doesn’t include creating and managing numerous complex passwords or resetting forgotten ones.
Neither do busy workers want to spend time with help desk staff trying to recover lost passwords or resolve a site lockout because of too many failed attempts. Touching a finger to our device or simply showing our face is so much easier.
Productivity improvement KPI. An employee in a typical large enterprise needs to keep track of multiple passwords. Enterprises reportedly lose 2.5 months in worker productivity per year to time-consuming password resets. Business users who need to authenticate many times in a day might benefit hugely from passwordless authentication.
Cost savings KPI. Our clients report a cost of $21 for each help desk call. At least one report asserts that as many as 40% of help desk calls involve password resets. For a multinational company with 100,000 or more employees, those costs add up.
Security KPI. “Stolen or compromised credentials” tops the list of ways hackers get access to systems, and costs more time and money than all other breach methods.
Alternatives such as one-time passcodes and biometrics can prevent these types of breaches and help protect you against phishing attacks.
Which processes and applications will benefit most from password-free authentication? This question can help you decide where to start. It can also reveal where it’s not yet feasible to make this change.
Does your enterprise operate behind a firewall? Or are you in the cloud with a large remote workforce and a strong online presence?
A hospital, where caregivers need digital access to health records, might use biometrics such as fingerprint or face recognition to allow them to quickly log on, and to do so just once as they move around in the network. In an urgent situation, no one wants to have to recall and type in a password. If this all happens behind a firewall, the threats might not be as numerous.
A retail store might have cashiers working in-store, inventory clerks in the warehouse or storeroom, and employees working remotely providing customer service, updating the website with new products and promotions, coordinating distribution and delivery, and so on. Each point of entry, including customer portals, can be a threat vector.
Where frontline workers use shared credentials, you may opt to keep the password, for now. Otherwise, understanding threat vectors can help you determine where to apply passwordless authentication and to anticipate the levels of access you’ll need to accommodate, and which types of authentication will best serve your company.
Can your devices accommodate passwordless technologies such as biometrics or FIDO-compliant tokens?
Many of our clients use Microsoft asymmetric authentication, which offers fully integrated biometric authentication, because it works well with Active Directory and other products on the Windows operating system.
But if you’re using legacy hardware that can’t accommodate newer versions of Windows, you might not be able to employ this type of passwordless technology. The same holds true if you’re using specialized hardware made just for your sector, such as factory-floor tablets.
Your hardware may not accommodate passwordless technologies at all. In this case, you might consider upgrading to more modern equipment, or choosing software with authentication flows that can integrate smoothly with passwordless tools.
Are there users, apps, operating systems and hardware in your enterprise that can handle passwordless authentication? Perhaps your organization can reap at least some of the benefits.
One good thing about passwords: When someone’s trying to guess yours, they’re often locked out after a certain number of failed attempts. But what about a falsified fingerprint or token?
If there’s a way to get in, cybercriminals will find it. And multi-factor authentication (MFA) may not be an ideal solution.
Having to verify every time you want to use an application means spending a lot of time typing in passcodes or verifying in some other way. Cybercriminals know this, and often resort to “MFA bombing” as a way to get in: flooding a user’s phone with access requests until the annoyed user approves one.
How will your system sort out true MFA requests from false ones? How can you be warned of threats to these new authentication mechanisms?
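One way to answer those two questions is to treat authentication events as a log to be monitored, not just a gate. The following Python script is an added example, not code from the article or from Microsoft or PwC. It runs over a few constructed log lines (timestamp, user, event) and does two things: it flags users whose phones receive a burst of push prompts, or who approve a prompt after having denied one moments earlier, which is the signature of MFA bombing; and it applies one shared failure budget across every factor type, so a run of failed fingerprint or FIDO-token attempts triggers the same lockout a run of bad passwords would. The event names, window sizes and thresholds are assumptions chosen for the example; real identity providers emit their own event schemas.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article): "timestamp user event".
# alice is push-bombed and finally approves; bob is a normal login;
# carol burns through failed FIDO and biometric attempts.
SAMPLE_LOG = """\
2024-01-01T08:00:00 alice push_sent
2024-01-01T08:00:05 alice push_denied
2024-01-01T08:00:10 alice push_sent
2024-01-01T08:00:15 alice push_denied
2024-01-01T08:00:20 alice push_sent
2024-01-01T08:00:25 alice push_denied
2024-01-01T08:00:30 alice push_sent
2024-01-01T08:00:35 alice push_sent
2024-01-01T08:00:40 alice push_sent
2024-01-01T08:00:45 alice push_approved
2024-01-01T08:05:00 bob push_sent
2024-01-01T08:05:04 bob push_approved
2024-01-01T09:00:00 carol fido_failed
2024-01-01T09:00:02 carol fido_failed
2024-01-01T09:00:04 carol biometric_failed
2024-01-01T09:00:06 carol fido_failed
2024-01-01T09:00:08 carol fido_failed
2024-01-01T09:00:10 carol fido_failed
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, user, event = m.groups()
        events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)


def detect_push_bombing(events, window=timedelta(minutes=5), max_prompts=3):
    """Flag MFA-fatigue patterns per user within a sliding window.

    A user is flagged if more than `max_prompts` push prompts were sent in the
    window (a burst), or if they approve a prompt after denying one in the same
    window (the classic 'wore them down' outcome). Returns
    {user: {"prompts": n, "denied_before_approve": k}}.
    """
    recent = defaultdict(deque)  # user -> (timestamp, event) pairs still inside the window
    flagged = {}
    for ts, user, event in events:
        if not event.startswith("push_"):
            continue
        q = recent[user]
        q.append((ts, event))
        while q and ts - q[0][0] > window:
            q.popleft()
        prompts = sum(1 for _, e in q if e == "push_sent")
        denials = sum(1 for _, e in q if e == "push_denied")
        burst = prompts > max_prompts
        fatigue = event == "push_approved" and denials > 0
        if burst or fatigue:
            entry = flagged.setdefault(user, {"prompts": 0, "denied_before_approve": 0})
            entry["prompts"] = max(entry["prompts"], prompts)
            if fatigue:
                entry["denied_before_approve"] = denials
    return flagged


def factor_failure_lockout(events, window=timedelta(minutes=10), max_failures=5):
    """Apply one failure budget across all factor types.

    Any event ending in '_failed' (password, biometric, FIDO token) counts
    toward the same limit, so a forged-fingerprint or token guessing run is
    locked out just like password guessing. Returns {user: lockout_time}.
    """
    recent = defaultdict(deque)  # user -> failure timestamps inside the window
    locked = {}
    for ts, user, event in events:
        if not event.endswith("_failed") or user in locked:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("push bombing:", detect_push_bombing(evts))
    print("locked out:", {u: t.isoformat() for u, t in factor_failure_lockout(evts).items()})
```

On the sample data only alice is flagged for push bombing (six prompts in five minutes, approved after three denials) and only carol is locked out, at her fifth failure. The design point is that the lockout counter is keyed on the user and the outcome, not on which factor failed; if each factor keeps its own counter, an attacker simply rotates between them.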
Some workers resist biometric authentication. If the user is putting their fingerprint, face or voice on a device, how will you ensure, and assure your employees, that this data can’t be stolen?
How can they know that, once they’ve returned their company laptop, their biometric data won’t be downloaded and used elsewhere? Can you provide them with the opportunity to wipe their biometric data from company devices?
The claims for passwordless authentication have created pie-in-the-sky hopes for business. In reality, we likely won’t be able to achieve this goal for quite some time. That’s not all bad: The much-maligned password offers some benefits.
But modern technologies and know-how can take an organization quite far toward a password-free future. Microsoft and PwC have combined our experiences to help many companies modernize their identity and access management and authentication processes. As with so much else in life, “passwordless” isn’t just a destination, but a journey.