Here's what it will take to (nearly) eliminate passwords
Nobody likes passwords. That's especially true for enterprise security professionals, since most successful attacks on companies involve a credential—most likely a password that is too easily guessed, cracked, or phished. The problem is compounded by the fact that everyone has well over 100 passwords that must be remembered and managed, often leading to complacency.
For decades, vendors have promised us the ability to eliminate passwords. If a software certificate, hardware token, biometric, proximity card, or other form of passwordless authentication could rid users of all their pesky passwords, both security and the user experience would improve. And yet, the password endures.
To be sure, passwords are unlikely to approach extinction for some time, especially in low-risk business-to-consumer transactions. But the enterprise technology that makes passwordless authentication possible is ready today, and many enterprises can now give it serious consideration. In fact, this future is well on its way.
At the Forrester Security & Risk 2021 conference, senior analyst Sean Ryan said in a presentation called A Traveler's Guide to a Passwordless Enterprise that two-thirds of 1,000 respondents to a recent Forrester survey described themselves as already in the process of adopting passwordless technologies.
That broad market movement may be due, at least in part, to Google, Salesforce, and other technology heavyweights announcing in recent years their intentions to either adopt passwordless logins internally or provide authentication services that will help their enterprise customers embrace the strategy. Earlier this year, Microsoft announced the general availability of passwordless authentication that allows enterprises to replace traditional passwords with the Microsoft Authenticator app, a security key, or verification code sent to a phone or email address, among other authentication methods.
Is passwordless ideal for every organization?
Organizations with mature identity and access management programs in place may be able to move to passwordless relatively smoothly. Those without a strong identity program, or without the talent and resources to deploy and manage passwordless authentication throughout their business, will likely have a much harder path forward. This could explain why the enterprises, security service providers, and analysts we contacted indicated that passwordless deployments remain limited. Most organizations are currently conducting proofs of concept or deploying the technology to solve specific use cases. "Overall, I think passwordless is a good step forward for security, but we aren't heading quickly to a passwordless world," says Wim Remes, founder of security consultancy Wire Security.
While young startups running their business entirely on modern cloud applications may have little challenge moving to passwordless, larger enterprises with legacy commercial applications, many different types of endpoint form factors and operating systems, homegrown software applications, and varying worker use cases may find themselves challenged in their road to passwordless. Atypical tech companies, like Google, can throw vast resources at the problem and achieve passwordlessness, but for others, it may be impractical to eliminate passwords completely.
Michael Farnum, chief technology officer at Set Solutions, says there's quite a bit that can go awry when moving toward passwordless. Much of the danger stems from not looking closely enough throughout the organization before standardizing on passwordless authentication methods. "A lot of this depends on who is making the tooling implementation decision and whether they included other business units that could benefit from passwordless," he says. "You can end up stuck with a single solution that doesn't fit all of your scenarios, and then you end up implementing multiple solutions because management wants passwordless everywhere."
"The challenge for some companies, especially small to midsized companies, is whether or not they have the money and resources to move to passwordless," explains Garrett Bekker, principal analyst for information security at 451 Research. Aside from upfront costs, enterprises will need to budget for integration with existing applications and investments in user education. "There's certainly going to be an ongoing cost factor," adds Bekker.
One of the reasons the world may be heading to a "password less" rather than a "passwordless" future, at least in the interim, is the reality that passwords—as much as they are hated—are a known quantity for all parties. All businesses, small and large, know how to deploy and use passwords, even if they don't always do so very effectively. In addition, every user knows and understands them, and the tools to manage passwords are well known and relatively inexpensive. And, should a password be lost, forgotten, or stolen, it can be reset easily.
That's a tough setup for any burgeoning technology to overcome, no matter how appealing its benefits.
Five key considerations for going passwordless
Want to give passwordless a try in your enterprise? In addition to having the resources to afford the implementation, as well as the staff to implement it, here are five steps enterprises should take when moving to passwordless technology:
1. Define the use cases throughout the organization
This is perhaps the most crucial step. Remes explains that in many use cases, passwordless isn't optimal or doesn't work well. This includes shared workstations, where multiple people use the same system, and highly dynamic environments.
Remes recalls a multifactor implementation he worked on at a hospital that wanted to move toward passwordless. After interviewing staff, including nurses and doctors, about how they used their technology, he learned that the use cases varied tremendously from one section to another, such as between the maternity ward and intensive care unit or surgery rooms and general offices. "Can you imagine a computer locking up during an operation and a nurse having to whip out her phone to authenticate using whatever passwordless method they choose? It's not going to happen," he says. There are better solutions available, such as with proximity sensors worn on a bracelet or necklace. But even for these, you need a plan to deal with a failure quickly.
2. Identify the long-term budget needs
Going passwordless isn't a single project. It needs to be planned and managed for the long term. Forrester's Ryan explains that security and identity leaders need to make a strong business case to their CIO and CISO, including the budget that will be required to cover unplanned costs.
And as is always the case with any identity management effort, unplanned yet necessary integrations will be required. Ongoing training, user testing, and additional hardware and software will also likely be required. "Make sure that you understand all of these costs upfront so that you can be transparent with your CIO about them," says Ryan.
3. Beware vendor and architecture lock-in
Whether it's because of the architecture or hardware an organization standardizes on, there's always the chance of vendor lock-in with hardware or limits in the environment's architectural design. "You certainly don't want to make a choice that is going to limit your ability to do other things down the road," says Bekker.
After coming to an understanding of the various use cases throughout the organization, Bekker advises that enterprises closely examine how the passwordless systems of choice will work with existing applications and systems. "You have to understand what dependencies you have and what legacy applications and planned future applications will or won't work with the system," he says.
A number of specifications and standards are underway that aim to make passwordless authentication easier to adopt. Notably, the FIDO (Fast Identity Online) Alliance's Universal Authentication Framework (UAF) supports passwordless authentication with websites or within enterprise environments. With UAF, users can register their devices and authenticate with the device's own authentication options, whether fingerprint, facial scan, PIN, voice, or another method.
Two newer specifications are the W3C's Web Authentication (WebAuthn) specification and the FIDO Alliance's Client-to-Authenticator Protocol (CTAP). WebAuthn is supported by Windows 10 and Android, as well as most major web browsers. CTAP provides backward compatibility with older FIDO passwordless standards so that smartphones and security keys work with browsers that support WebAuthn. CTAP can also facilitate desktop application and web service authentication.
4. Monitor user friction
While passwordless is designed to reduce user friction, it doesn't always work out that way. Consider timed logouts. After a forced logout with passwords, the user just needs to recall their password. However, requiring a user to have a hardware token or their mobile phone handy to authenticate makes it likely that the user will fail to authenticate from time to time. "Such systems increase user friction," says Remes.
Bekker agrees. "Passwordless can be a pain in the neck, and it can be expensive. If it's a hardware key, it can be lost or the battery may die. If it's a phone, it may need to be charged. People don't always want to have to deal with this stuff," he says.
Ensuring that negative user experience is avoided is critical to success, adds Forrester's Ryan. "If it's a poor passwordless user experience out of the gate, users are going to walk away. They're going to go back to the password. They're going to create problems for you, and it's going to make it that much more difficult later when you try and implement passwordless again. It's vital that the right upfront testing is completed, that the user education is done upfront, and that passwordless is rolled out in the right way," he says.
5. Ensure timely authentication recovery
Another consideration is how users will regain their ability to authenticate if they lose access to their phone or other authentication device, such as a hardware token. "If you forget your password, or it needs to be changed because it was compromised, that can be done within minutes," says Remes. "It can take 24 hours or more to replace a hardware token if the right kind of planning ahead of time isn't completed."
That planning must give users a quick way to become productive again with a new device or new access credentials, advises Ryan. "It's very important to think through all those aspects of the user experience and to be prepared for that ahead of time, rather than getting caught off guard," he says.
Finally, any organization moving to passwordless today is unlikely—especially a large enterprise with legacy systems and many different types of workers—to reach 100 percent passwordless. "This is where you want to think about it as a journey," says Ryan. Organizations can identify where they can start to deploy passwordless today and then, for those use cases where the technology just isn't ready, wait for vendor and partner advances to fill the gaps. "Vendors and their partners are going to keep working to develop SDKs, toolkits, and APIs to make this stuff easier," he says.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.