Identity, Distributed Workforce, Decentralized identity and verifiable credentials

Passwordless Authentication: Getting Started on Your Passwordless Journey: Part 2

Physical security keys are among the safest methods of authentication.

Making the transition from a password-based authentication system to a passwordless one isn't a quick process. There are several steps your organization must take to complete the journey. Yet in the end, the efforts will be worthwhile, because you will have happier customers, happier employees and a more secure environment.

See Part 1 of the passwordless journey here.

How to prepare for passwordless authentication

We've already gone over the benefits of transitioning to passwordless authentication, but let's reiterate that going passwordless results in lower shopping-cart abandonment rates, higher employee productivity, fewer headaches for IT staffers and much lower risk of data breaches or network penetration.

The problem is how to get from here to there. Password-based authentication is something that every customer and employee knows how to use, and every IT department knows how to set up. It just works, despite its obvious shortcomings, and moving past it requires a lot of effort.

"Using passwords is the path of least resistance for many organizations," as Ping Identity pointed out in a recent white paper. "In contrast, pursuing passwordless authentication may require some near-term user adoption and education challenges."

The first thing you need to do is assess all the different scenarios in which your customers and employees might log into their accounts, and then figure out what they might use instead of passwords.

"You need to be educating people on the benefits of going passwordless," Ping Identity Solutions Marketing Manager Sam Brown told us. "Take inventory of your user scenarios and interfaces, and your employee roles. Talk to an expert. You need an advisor."

We'll go into detail about possible authentication alternatives a bit later, but you might consider sending push notifications to the phones of customers trying to log into online accounts and handing out USB security keys for employees who need to log into the company network.

Microsoft uses push notifications with registered users who have the Microsoft Authenticator app installed on their smartphones. Google uses USB security keys for its employees and boasts of having never suffered a data breach since the keys were deployed.

However, your organization's case might be very different. As Ping's white paper noted, an office worker may be able to use the fingerprint reader built into a company laptop, but a factory worker wearing work gloves may instead need to use a retina scan.

"There is no one-size-fits-all approach for passwordless, and there are a wide range [of] use cases that must be considered," the Ping white paper says. "The key is to take inventory of all your existing technologies and define the various authentication use cases you have. Then start small and expand."

Going passwordless is such a major shift that it will require the full commitment of your organization's executives. There will be resistance to the move from various sectors of your company, because few people will immediately understand the need for such disruptive change. You'd better make sure your C-suite has your back.

"You need buy-in across all relevant stakeholders from multiple different groups to get started," said Brown. "If it's your workforce, you can just mandate the transition. Customers are always a different scenario. In terms of getting buy-in from customers … I don't know what you can do other than to make it an option."

Understanding the different authentication categories

Alternatives to passwords range from weak to strong, from familiar to esoteric. There's one general rule, though: The more secure an authentication method is, the more it may cost to implement.

Weakest of all are text-based and numerical knowledge items, which are not much more secure than passwords. These can include PINs and identity-challenge questions such as "What was your mother's maiden name?" Four-digit PINs can be trivial to brute-force, which is why both Apple and Android phones now require six-digit versions for lockscreens.

As for identity-challenge questions, a quick study of a person's Facebook account can often yield not only their mother's maiden name, but also where they went to high school, their date of birth and so on. And like passwords, both PINs and identity-challenge questions can be easily phished.

A bit stronger are temporary bits of knowledge, such as one-time-passcodes (OTPs) or push notifications. OTPs have been in use for decades; older readers may recall the RSA keyfobs that generated a new six-digit PIN every 30 seconds and let you remotely log into corporate networks. Today, authenticator apps can generate OTPs on your smartphone, and companies also send out OTPs via SMS text message or voice messages as part of multi-factor authentication (MFA) schemes.

Push notifications and emailed "magic links" fall into the same category of strength. As mentioned earlier, Microsoft sends out push notifications when one of its registered users tries to log into their account. The system works very well, although the user needs to have the Microsoft Authenticator app installed.

Magic links are easier to implement because no new software is needed. When the user tries to log in, a message is sent to the user's registered email address with an embedded web link that grants access when it is clicked.

Temporary-knowledge solutions such as OTPs and magic links are better than their permanent kindred, as they have rather short viable lifespans. But like all knowledge-based authentication systems, they can be phished.

Stronger still is authentication based not on something you know, but something you have such as a smartphone or a hardware security key. Unlike knowledge-based methods, it's difficult or even impossible to phish these forms of authentication.

For example, Google Workforce lets users employ their Android or iOS smartphones as a login method. After login on a PC, another request pops up on the phone for the user to confirm that they are trying to log in.

This is a bit different from a push notification that may require the user to enter a number; instead, the possession of the phone is what counts. Google, Microsoft and Apple are expanding this method to consumers over the next couple of years to provide widely compatible passwordless authentication.

Deploying this method doesn't cost much, as long as all users have compatible smartphones, and is quite secure. Even more secure are hardware security keys of the sort made by Yubico, Google and Feitian. These use USB, NFC or Bluetooth to interface with PCs and smartphones and provide an extremely secure form of user authentication.

The downside is that these security keys cost from $12 to $90 apiece at retail outlets, depending on their capabilities. The most basic keys use the old FIDO standard and the USB-A interface; more expensive models use FIDO2, may conform to U.S. goverment security standards and can interface using Bluetooth, USB-C, NFC or even Apple's Lightning connector.

"FIDO is certainly the best defense against phishing attacks," said Brown. "FIDO2 forces you to pair devices with websites and can't be phished."

Perhaps strongest of all are not things you know or things you have, but something you "are" — in other words, biometric devices that analyze your fingerprint, face, iris, retina, handprint, typing patterns or even walking gait. These are very easy to use when implemented properly, but deploying biometric scanners can be expensive, ranging from upgrading employee laptops to include Windows Hello to installing retina scanners on industrial equipment.

As noted already, what your organization chooses should be determined at the very beginning of your transition to passwordless, by assessing your company's needs and its customers' and employees' use cases.

Four stages to going passwordless

Ping Identity has identified a four-stage process by which organizations can move from password-based to truly passwordless authentication.

Stage 1 is what Ping calls "central adaptive authentication." You need to implement single-sign-on (SSO) and multi-factor authentication (MFA) solutions for employees and customers alike. That will reduce the use of passwords overall and familiarize users with the "second" authentication factors that will eventually replace passwords.

After SSO and MFA are well established and utilized by most users, then implement extended sign-in sessions users need to log in with passwords first only every few days, then every week, then finally every month or so. This is how Facebook, Twitter and other social-media services have been operating for years — unless you log out of your Facebook account on your PC, you'll stay logged in for months at a time.

If your IT department objects to not having employees log in every day, then make that daily authentication factor one of the alternatives that you're already using with MFA — a phone-based push notification, perhaps. Again, you want to wean users off passwords.

Build a "risk signal" analyzer into your authentication software. You want to make it easy for users to log in, unless there's something strange — perhaps the user is logging in from a new machine or a new geographic location, or in the middle of the night. If so, there's a greater risk that someone is trying to break into an account, and your authentication scheme should demand the full MFA, password and second factor included.

Stage 2 is when you want to begin phasing out the use of passwords. Instead of requiring a password during the login process, require something else — another MFA factor such as a code generated by an authenticator app or a fingerprint scan, a click on an emailed magic link, or a scan of an on-screen QR code using a smartphone camera.

In this way, you'll get users and staffers alike accustomed to the notion of logging in without passwords, and you'll show your IT department that passwordless authentication is safe and easy to use.

Stage 3 is a bit more complicated and a bit more expensive. You want to make your external-facing websites and your internal employee interfaces fully compatible with the FIDO2 standards. This means making them work with FIDO2 security keys such as Yubikeys, some of which can even store biometric data like fingerprints. Because security keys need to be registered with specific websites, phishing attacks won't work — the security key simply won't verify a bogus site.

Other FIDO2-compliant authentication methods include Windows Hello and Apple Face ID, both of which also store biometric details on the device, not in the cloud. Because of FIDO2, both methods can now be used to log into websites as well as local devices.

You'll also want to implement orchestration in your identity and access management systems so that updates can be quickly and easily implemented across your organization.

Stage 4 is when you want to stop using passwords altogether. Until this point, new users and employees will have had to create a password when registering, even if that password was not used upon every login. From here on, however, you want to make it possible for new registrants to skip creating passwords altogether.

This may seem like a radical step. Who's ever heard of a user account without an associated password? But it's perfectly feasible. During the registration process, the account holder creates a username, but then may be asked to verify their identity another way, perhaps by taking a selfie and a photo of a drivers' license or passport using a smartphone or laptop, which can itself then be registered as a trusted device.

Logging into an account can be done using a trusted device — an account can have more than one — along with a biometric scan on the device, or perhaps a QR code. Trusted devices can be used to log into online accounts using other devices.

As Ping Identity explains one scenario, "after initial registration, users never have to login at all. Instead, the user's phone leverages Bluetooth to project their identity wherever they go."

Once your passwordless journey is complete, your organization will be better off overall.

"Going passwordless is critical to ensuring that customers have secure, fast and frictionless digital experiences that drive engagement," says the Ping white paper, adding that passwordless solutions are "crucial to optimizing employee productivity, lowering password-reset related expenses and protecting your organization against a costly data breach."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, and

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.