Passwordless authentication is here and there, but not everywhere
Passwords are a ubiquitous authentication method, but they are vulnerable to a wide variety of attacks, including social engineering, phishing, password stuffing and malware. Although adopting multifactor authentication (MFA) reduces risk, the password remains the weak link.
Passwords can also create friction in login workflows, degrading user and customer experience. Taking steps to increase security, such as requiring long and complex passwords and forcing periodic password changes, exacerbates people’s frustration.
Gartner predicts that, by 2023, 30% of organizations will leverage at least one form of passwordless authentication, eliminating static, stored passwords – a major increase from just 5% that do so today. However, technology constraints make a universal approach to passwordless authentication elusive.
Here are the three main approaches to passwordless authentication used in enterprises today. Identity and access management (IAM) leaders must examine each method, the value it adds and its applicability to different use cases to determine the best fit for their organizations.
Replacing a legacy password as the sole authentication factor
One option for passwordless authentication is single-factor authentication based on other types of knowledge – for example, a picture or pattern. Academic studies show that these are easier for people to remember and provide better overall user experience than passwords. However, these techniques have seen slow market traction.
Typically considered as an element in MFA, tokens can also be used as a single-factor authentication method. Smartphones and Fast IDentity Online (FIDO2) security keys are two options for token authentication.
Finally, biometric authentication – using a fingerprint, face or other biometric trait for security – is the most well-established class of passwordless authentication. Currently, biometric methods are widely used in smartphones and Windows personal computers.
Replacing a legacy password as one factor in MFA
MFA is most often thought of as a combination of a password and some other form of authentication, such as an SMS code or hardware token. However, PIN-protected or biometric-enabled smart cards can eliminate the password as an element of MFA. PIN-protected smart cards are fairly common for Windows PCs, used for network login among large enterprises, but support for other devices remains patchy. Biometric-enabled smart cards, which use a biometric method instead of a PIN to enable use of credentials on the card or token, are still quite rare.
Mobile push is a more popular MFA option that uses app-based, phone-as-a-token authentication. Integrating a local PIN or biometric method with the mobile push creates single-step passwordless MFA.
Finally, FIDO2 offers an alternative approach to mobile MFA. In combination with a local “gesture,” a FIDO2 Authenticator is effectively a multifactor software cryptographic token. FIDO2 security keys can be used as an external authenticator with a local PIN or device-native biometric method for passwordless MFA. This method is still emerging.
Eliminating authentication factors altogether
A third option is to eliminate authentication factors altogether, also known as “zero-factor authentication.” In this scenario, authentication and access management tools can evaluate multiple familiarity recognition signals to elevate trust in an identity.
Some tools support rule-based evaluation of network, location and device signals to provide passwordless login. Others implement analytics that consume a range of familiarity signals, including passive behavioral biometric modes, providing a more flexible and resilient approach. Both options are still seeing limited enterprise use, and both must be used within a continuous adaptive risk and trust assessment (CARTA) approach: negative signals must be evaluated alongside familiarity signals, so that a well-known device or location does not by itself override indicators of compromise.
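The rule-based evaluation described above, as an added example that is not part of the article or of any vendor's product: familiarity signals (known device, known network, known country, passive behavioral match) raise a trust score, negative signals (credential-stuffing pattern, impossible travel, anonymizing proxy) lower it and veto passwordless login outright, and the outcome selects passwordless access, step-up authentication or denial. All signal names, weights and thresholds are assumptions chosen for illustration, and the sample login contexts are constructed.

```python
"""Rule-based zero-factor login decision (added example, not a vendor implementation).

Signal names, weights and thresholds below are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class UserProfile:
    """What the access-management tool already knows about the user (constructed)."""
    known_devices: Set[str]
    known_networks: Set[str]
    known_countries: Set[str]
    last_country: str            # country of the previous successful login


@dataclass(frozen=True)
class LoginContext:
    """Signals observed on the current login attempt (constructed)."""
    device_id: str
    ip_network: str
    country: str
    behavior_match: float        # passive behavioral-biometric similarity, 0.0..1.0
    failed_logins_last_hour: int
    anonymizing_proxy: bool
    minutes_since_last_login: int


# Assumed weights: familiarity adds trust, negative signals subtract it.
FAMILIARITY_WEIGHTS = {"known_device": 40, "behavior_match": 30,
                       "known_network": 20, "known_country": 10}
NEGATIVE_WEIGHTS = {"credential_stuffing_pattern": 50, "impossible_travel": 40,
                    "anonymizing_proxy": 30}
PASSWORDLESS_THRESHOLD = 70       # score needed to skip all explicit factors
STEP_UP_THRESHOLD = 20            # below this, refuse rather than challenge
BEHAVIOR_MATCH_MIN = 0.8          # similarity treated as a positive match
IMPOSSIBLE_TRAVEL_WINDOW_MIN = 60 # country change faster than this is suspicious
STUFFING_FAILURE_COUNT = 5        # failed attempts per hour treated as stuffing


def familiarity_signals(ctx: LoginContext, profile: UserProfile) -> Dict[str, bool]:
    """Evaluate each familiarity rule to a boolean."""
    return {
        "known_device": ctx.device_id in profile.known_devices,
        "known_network": ctx.ip_network in profile.known_networks,
        "known_country": ctx.country in profile.known_countries,
        "behavior_match": ctx.behavior_match >= BEHAVIOR_MATCH_MIN,
    }


def negative_signals(ctx: LoginContext, profile: UserProfile) -> Dict[str, bool]:
    """Evaluate each negative (risk) rule to a boolean."""
    return {
        "credential_stuffing_pattern": ctx.failed_logins_last_hour >= STUFFING_FAILURE_COUNT,
        "impossible_travel": (ctx.country != profile.last_country
                              and ctx.minutes_since_last_login < IMPOSSIBLE_TRAVEL_WINDOW_MIN),
        "anonymizing_proxy": ctx.anonymizing_proxy,
    }


def trust_score(ctx: LoginContext, profile: UserProfile) -> int:
    """Weighted familiarity minus weighted negative signals."""
    fam = familiarity_signals(ctx, profile)
    neg = negative_signals(ctx, profile)
    score = sum(w for name, w in FAMILIARITY_WEIGHTS.items() if fam[name])
    score -= sum(w for name, w in NEGATIVE_WEIGHTS.items() if neg[name])
    return score


def decide(ctx: LoginContext, profile: UserProfile) -> str:
    """Return 'passwordless', 'step_up' or 'deny'.

    Any active negative signal vetoes passwordless access even when the
    familiarity score alone would clear the threshold (CARTA principle).
    """
    score = trust_score(ctx, profile)
    if score < STEP_UP_THRESHOLD:
        return "deny"
    if any(negative_signals(ctx, profile).values()):
        return "step_up"
    return "passwordless" if score >= PASSWORDLESS_THRESHOLD else "step_up"


if __name__ == "__main__":
    # Constructed sample: a user who normally works from one laptop in GB.
    profile = UserProfile({"laptop-01"}, {"203.0.113.0/24"}, {"GB"}, last_country="GB")
    office = LoginContext("laptop-01", "203.0.113.0/24", "GB", 0.92, 0, False, 480)
    travel = LoginContext("laptop-01", "198.51.100.0/24", "US", 0.85, 0, False, 30)
    kiosk = LoginContext("kiosk-77", "192.0.2.0/24", "GB", 0.30, 12, True, 600)
    for name, ctx in (("office", office), ("travel", travel), ("kiosk", kiosk)):
        print(f"{name:7s} score={trust_score(ctx, profile):4d} -> {decide(ctx, profile)}")
```

The veto in `decide` is the point the article makes: a familiar device and a good behavioral match are not sufficient on their own, because an attacker using a stolen laptop or replayed session would look familiar too. Production tools replace the boolean rules with analytics, but the combination of positive and negative evidence is the same.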
Deciding on a passwordless authentication method
IAM leaders must evaluate a variety of considerations, such as total cost of ownership, before investing in any passwordless authentication tool. Do the additional security and UX benefits justify the difference in cost compared with the current password-based approach?
Additionally, people may not be comfortable going passwordless. Biometric methods might prompt privacy concerns, while zero-factor authentication methods could be perceived as “creepy.” Passwordless methods can improve UX, but UX is not just about usability; it includes credibility and reliability. If people don’t see the familiar challenges, they might worry that their online assets aren’t properly protected.
The more an enterprise leans into the cloud, the easier true passwordless authentication will be, enabled by access management tools or native FIDO2 support. However, more complex enterprise technology environments and more diverse users will make it more difficult to adopt a single passwordless authentication approach.
In fact, even in moderately complex computing environments, it’s not yet feasible to eliminate passwords everywhere. However, IAM leaders should accept that perfection is not necessary to make headway. Craft a cohesive strategy with the fewest moving parts to implement passwordless authentication across key use cases. Focus on what provides the most business value.
As Voltaire famously said, “The perfect is the enemy of the good.” Just because you can’t roll out passwordless authentication everywhere doesn’t mean you shouldn’t do it anywhere.
Ant Allan is a vice president analyst at Gartner. He is a core member of the Identity and Access Management research community and the IT Leaders’ IAM practice, specializing in user authentication and other identity corroboration technologies, along with supporting processes, policies and best practices. He wrote this piece for SiliconANGLE.