There’s general agreement among IT and security professionals that passwords are one of the weakest links in security. They’re a leading cause of breaches, with 82% of incidents last year resulting from stolen passwords, phishing attacks, and overall poor credential-management hygiene.
In addition, passwords are simply frustrating to manage: support desks still spend too much time resetting employee credentials, and – on some counts – more than one in ten people require password resets several times a week.
It’s well accepted that an appropriate future state to work towards from an authentication perspective is one that’s passwordless.
In a recent survey of IT professionals, all respondents acknowledged the benefits of passwordless authentication. Of those surveyed, 52% said going passwordless would reduce costs and enhance security, while 48% believed less support attention would ultimately be needed.
The logical follow-on question then is, why is passwordless authentication yet to be widely adopted? The answer is complex, but essentially comes down to the ability of organisations to overcome four key roadblocks.
Why passwordless is hard
The first potential roadblock is the difficulty in conceptualising how to implement passwordless authentication. Passwordless is not a single solution per se, but rather one that requires custom integrations of multiple different products and technologies. There is no such thing as a turnkey passwordless solution. Every organisation has its own unique technology and various user scenario requirements that must be addressed.
Related to this – and indeed the second potential roadblock – is that every organisation has evolved differently over time, with unique technology investments; bespoke, industry-specific regulations; geographically-defined organisational structures; and different types of users spread across different departments. Different users authenticate in different ways. As such, there is no “one-size-fits-all” approach to going passwordless. A wide range of use cases must be considered and organisations need to be flexible enough to support multiple different user scenarios.
Consider a manufacturer with different types of workers in both offices and factories. These workers have different requirements that result in different login experiences. An office worker may log in via a thumbprint on a FIDO security key, while a user’s identity in a factory may be authenticated via a retina scan because they are wearing gloves and using a shared device.
For many businesses, the lack of out-of-the-box, plug-and-play solutions, combined with the need to accommodate diverse user scenarios and the various use cases they require, is a major deterrent to going passwordless. This commonly blocks adoption efforts.
A third roadblock organisations face is technical debt. Legacy systems, applications, and registration flows were built around password-based login and authentication. Many of these systems and applications were never built to use open standards, and therefore don’t support the standards that are needed for passwordless authentication.
Businesses often have critical dependencies on these systems for day-to-day operations. Retrofitting them for passwordless would be technically difficult. Furthermore, re-wiring legacy infrastructure can lead to a host of other problems given the potential for downtime during any redesign and switchover, which can make transitioning to passwordless an extremely high-risk endeavour.
The final roadblock organisations face is fear of change. This, of course, is not exclusive to passwordless adoption, and can impact any technology program.
Passwords have been ingrained into our mindsets for decades – they are part of our daily routines and they give us a false sense of comfort. They are also relatively easy for organisations to implement, and old habits die hard; more often than not, reliance on passwords persists simply because it is the path of least resistance. Kicking off an initiative to go passwordless often requires the relevant stakeholders across an organisation to be educated on its benefits so that everyone is on the same page about pursuing it.
Creating a path to passwordless adoption
While these are very real roadblocks to progress, they’re not insurmountable.
Partnering with the right passwordless solution provider is a critical first step to moving away from password-based authentication. With every organisation being different, and no out-of-the-box solution able to cater to all of these differences, organisations will ultimately require their own uniquely customised approach, and an experienced provider can offer valuable assistance in removing roadblocks to successful adoption.
There are also common themes and best practices that should be adhered to in the design of any passwordless solution.
Vendors that provide coverage across all identity types and that also offer both SaaS and traditional on-premises capabilities will optimise the chances of successfully implementing a robust and sustainable passwordless program that can evolve in lock-step with your needs. In addition, organisations should strongly consider only working with solution providers that offer identity orchestration capabilities.
The bottom line is that designing, testing, and optimising the passwordless user experiences that you want your stakeholders to have requires the ability to iterate quickly and test various options. Identity providers that empower you to continuously experiment with different passwordless flows through orchestration capabilities will deliver the fastest realisation of time-to-value.