Passwordless (In)Security: A Self-Help Guide for IT Leaders

Despite their ubiquity, passwords have become – at best – an anachronism and, at worst – a gaping security blindspot for organizations and individuals alike. To put it simply, passwords are bad. They represent one of the weakest links in security, are a leading cause of breaches, and are both difficult and frustrating to manage.

I’ll say it again. Passwords are bad. Bad for security and bad for user experience. Bad across the board. Bad bad bad. One can even argue that they are the most prevalent and broadly accepted (albeit irrationally) global vulnerability. They offer practically zero redeeming qualities whatsoever and you should stop using them immediately.

To summarize, passwords suck.

But, since you are on the Ping Identity website, I’m likely preaching to the choir on the shortcomings of password security. Most of us already know this all too well. We also know that adopting passwordless authentication can solve all these problems through enhanced security, better user experience, and streamlined access management:

• For customers, passwordless authentication improves engagement while also lowering abandonment rates. These seamless experiences ultimately drive higher revenues.

   

• For employees, passwordless authentication results in less time entering and resetting login credentials. In turn, this equals higher productivity and less strain on helpdesks.

While increased profits should be motivation enough to embrace passwordless, the security benefits are also glaringly obvious. Case in point, 80% of breaches involve brute force attacks or the use of lost or stolen credentials.

Clearly, the pros of going passwordless drastically exceed the cons of sticking with the status quo. So – this begs the question – why the heck are we still using passwords?!?!

If it were only that simple…

The truth is most cybersecurity teams realize passwords offer weak security. However, passwords remain prevalent due to adoption roadblocks.

The three most common blockers to going passwordless are:

Technical debt

Several of today’s enterprises still depend on legacy systems, applications, and registration flows that were originally built around passwords. Many of these systems and applications were never built to use open standards, and therefore don’t support the standards that are needed for passwordless authentication.

Additionally, many critical day-to-day operations run on these legacy systems, and reverse engineering them for passwordless would be technically difficult. Furthermore, the process of re-wiring legacy infrastructure can lead to a host of other problems given the potential for downtime. This can make transitioning to passwordless an extremely high-risk endeavor – not only for organizations’ bottom lines – but also for IT practitioners who may inadvertently face backlash for bringing down a manufacturing line or stalling other critical business operations, simply for trying to do their job. This is a significant obstacle that feeds into the next hurdle to adopting passwordless authentication.

Fear of change

This has a lot to do with education. Passwords have been ingrained in our mindsets for decades - they are part of our daily routines and they give us a false sense of comfort. They are also relatively easy for organizations to implement and old habits die hard; more often than not, reliance on passwords persists simply because it is the path of least resistance.

Furthermore, confusion also stems from the term “passwordless” itself. It turns out that some people actually interpret this as meaning less secure even though going passwordless in fact offers more secure authentication. This too ties back to education. Kicking off an initiative to go passwordless often requires multiple different relevant stakeholders at an organization to be educated on its benefits so that everyone is on the same page about pursuing it.

Various User Scenarios

Every organization is different with unique technology investments, bespoke, industry-specific regulations, geographically-defined organizational structures, and different types of users spread across different departments.

Naturally, different users often must authenticate in different ways. As such, there is no “one-size-fits-all” approach to going passwordless. A wide range of use cases must be considered and organizations need to be flexible enough to support multiple different user scenarios.

To illustrate, picture a manufacturer with different types of workers in both offices and factories. These workers have different requirements that result in different login experiences. An office worker may log in via a thumbprint on a FIDO security key or via Windows Hello facial recognition, while a user’s identity in a factory may be authenticated via a retina scan because they are wearing gloves and using a shared device.

The scenario described above is just one single hypothetical example; however, it drives home an important point:

Passwordless is not a single solution per se, but rather one that requires customized integrations of multiple different products and technologies. There is no such thing as a turnkey passwordless solution. Every organization has its own unique technology and various user scenario requirements that must be addressed.

For many businesses, the lack of out-of-the-box, plug-and-play solutions, combined with the need to accommodate diverse user scenarios and the various use cases they require is a major deterrent to going passwordless. This commonly blocks adoption efforts.

To illustrate, a recent Passwordless Survey, in which 600 IT leaders were interviewed found that:

• 97% of those who haven't adopted passwordless believe they will face challenges in doing so.

   

• 83% with no plans for passwordless admitted that they were unsure about how to implement it.

   

• 33% of those who haven't adopted passwordless cited a lack of expertise as a barrier to adopting passwordless authentication methods.

Interestingly, however, the following statistics were also generated from the same exact survey:

• 100% of the respondents acknowledged the benefits of passwordless authentication, with:

   

  • 52% citing opportunities in reduced security costs and enhanced security.

     

  • 48% saying that less support would be needed.

Taken together, all of these statistics paint an interesting picture, implying that IT leaders at most organizations want to pursue passwordless and are well-aware that it would strengthen their organizations’ security postures, reduce strain on helpdesks through fewer password resets, and offer other benefits – yet even though the passwordless technology needed to do so is readily available today – adoption still remains low simply because they just don’t know where to start.

And who can blame them? The inconvenient reality is that most organizations simply lack the in-house experience and resources to go about it alone. With 82% of last year’s breaches resulting from stolen passwords, phishing attacks, and overall poor credential-management hygiene, and the average global cost of a data breach being $4.35 million, they cannot ignore the importance of strong password management. It turns out that for many organizations, the best approach to defending against credential-based attacks is by hiring some outside help to guide them on their passwordless journeys.

As described above, every organization is different, with its own unique industry-specific layouts, user scenarios, and required use cases. As a result, there is no single standardized blueprint for going passwordless, as every organization will require its own uniquely customized approach. There are, however, common themes and best practices that should be adhered to.

Selecting the right passwordless solution provider to partner with is critical to successfully implementing a robust and sustainable passwordless program. Best-in-class passwordless solution providers should offer a minimum of the below 5 capabilities – everything else will fail sooner or later.

5 Key Passwordless Vendor Capabilities to Look For:

1. Identity Verification (Identity Proofing)

    

   Although eliminating the need for passwords offers a more secure way to authenticate, a common drawback is account recovery. Specifically, the challenge that arises when users lose the only device that their identity is paired to to authenticate. Whereas many providers enable recovery solely via less secure mediums such as SMS OTPs, vendors that offer identity proofing as a capability can more quickly and securely perform account recovery through a selfie and/or other identity-supporting documentation.

    

    

2. Central Adaptive Authentication

    

   Pairing multi-factor authentication (MFA) with single sign-on (SSO) and risk signals offers more security by making adaptive authentication even more adaptive and flexible. With risk scoring continuously being done in the background, users experience minimal interruption. Second factors like push notifications on users’ mobile devices are only triggered when absolutely necessary (i.e., when an alarm fires due to an increased risk score, an unusual policy violation, etc.). Leading Passwordless solution providers should offer risk signals in addition to SSO and passwordless MFA as complementary capabilities that can be integrated to deliver robust and holistic passwordless solutions.

    

3. Hybrid Requirements

    

   A hybrid passwordless solution that offers both SaaS and traditional on-premises capabilities is more flexible, can accommodate hybrid environments and will better position organizations to embrace passwordless technology, and scale over time versus those that offer only on-premises.

    

4. Coverage Across All Identities

    

   Identity types are diverse and can include employees, customers, partners and more. The same goes for use cases. For example, picture an organization with retail workers with different devices that might not be FIDO enabled, as well as corporate workers who need FIDO security keys. Passwordless solution providers that can accommodate a diverse array of user and use case scenarios will be better suited to ensure that secure access is achieved across all your organization’s needs.

    

5. Orchestration

    

   You need the ability to create different passwordless journeys across various applications and services. Orchestration allows you to easily create and optimize passwordless authentication flows in a no-code manner. Most importantly, it lets you test out the actual user experience in quick succession.

Fortunately, at Ping Identity, we saw this paradigm shift coming years ago and decided to build the PingOne Cloud Platform, a seamlessly integrated suite of best-in-class identity solutions that spans identity verification, active directory profile management, identification, and authorization. The PingOne Cloud Platform can accommodate all identity types across hybrid environments. Risk signals are also available to combat modern threats with minimal user friction via more flexible adaptive authentication.

Figure 1. The PingOne Cloud Platform combines best-in-class solutions across all identity control-points to support going passwordless, preventing fraud, zero trust initiatives, or anything in between. Through a simple drag-and-drop identity orchestration canvas organizations can build, test, and optimize end-to-end user journeys that secure digital interactions while making experiences frictionless.

Additionally, the PingOne Cloud Platform is backed by PingOne DaVinci, our identity orchestration platform. With PingOne DaVinci practitioners can create and optimize passwordless workflows across numerous applications and services in a no-code manner. Identity orchestration via PingOne DaVinci enables organizations to continuously iterate on the passwordless experiences that they deliver by testing different risk signals, authentication factors, and even passwordless MFA solutions from different providers.

Figure 2. PingOne DaVinci enables organizations to rapidly integrate and create passwordless workflows across numerous applications and services in a no-code/low-code manner from an intuitive, drag and drop interface to build, test, and optimize secure and frictionless user experiences.

Going passwordless is critical to ensuring that customers have secure, fast and frictionless digital experiences that drive engagement instead of frustration and abandonment. Likewise, going passwordless is also crucial to optimizing employee productivity, lowering password reset related expenses and protecting your organization against costly data breaches.

Choosing which passwordless authentication methods are best for your organization will vary based on your own unique user scenarios. Passwordless use cases and requirements can also be incredibly complex and most organizations lack sufficient in-house expertise to successfully implement them on their own.

As such, electing the right passwordless solution provider as a partner and trusted advisor needs to be a strategic priority for organizations that are serious about improving security posture as well as the customer and employee user experience.

Vendors that provide coverage across all identity types and that also offer both SaaS and traditional on-premises capabilities will optimize the chances of successfully implementing a robust and sustainable passwordless program that can evolve in lock-step with your needs.

Lastly, organizations should strongly consider only working with solution providers that offer identity orchestration capabilities. The bottom line is that designing, testing, and optimizing the passwordless user experiences that you want your stakeholders to have requires the ability to iterate quickly and test various options. Identity providers that empower you to continuously experiment with different passwordless flows through orchestration capabilities will deliver the fastest realization of time-to-value.

If you lack sufficient in-house expertise to implement passwordless authentication, don’t worry, Ping Identity has you covered. Ping Identity’s Passwordless Authentication Solutions can accommodate all identity types, at scale, for various scenarios across all stages of your passwordless journey. From centralizing SSO and MFA on an authentication authority with risk signals to reducing the use of passwords via biometrics, email magic links, QR codes, authenticator apps, and other authentication factors as the primary login experience, through implementing FIDO2 (Fast Identity Online) - the passwordless open standard that leverages public key cryptography - to enable your users to authenticate biometrically on FIDO2 security keys or other FIDO-compatible devices.

Additionally, PingOne DaVinci can further accelerate your passwordless goals through the ability to test and optimize end-user experiences with a vendor-agnostic, simple, low-code/no-code, drag-and-drop orchestration platform.

To learn more about best practices for getting started on your passwordless journey, check out Ping Identity’s Passwordless Solution.

Even better, you can try out passwordless for yourself with a free 30-day trial from Ping Identity.

Lastly, to learn more about leveraging identity orchestration to create, test, and optimize your own passwordless workflows check out PingOne DaVinci.