How many times have you clicked the “Forgot Password” link this month? Or received a ticket from an end user who needed help doing this? How many times did you reset your password to one you’ve used before (or had to scold an end user for wanting to do the same thing)?
If your numbers are high, we don’t blame you for being fatigued by passwords. More and more applications require passwords, making it harder and harder to create and memorize unique ones. The problem is, once a cybercriminal discovers the password you like to use, they have the keys to your information, and potentially your company’s and customers’ information, too.
Verizon’s 2021 Data Breach Investigations Report revealed that 61% of breaches involved credential data. So it’s no surprise that organizations are turning to other password solutions, namely, passwordless authentication. In this piece, we’ll explain what passwordless authentication means, how passwordless authentication works, and how to implement passwordless authentication to safeguard your business.
What Is Passwordless Authentication?
As its name indicates, passwordless authentication is a method of verifying identity without using a password. Instead, users authenticate with safer (and more convenient) factors like secure tokens and magic links, delivered via email, text message, or an authenticator app.
Other popular passwordless authentication methods are facial recognition or fingerprint scanning. With passwordless authentication, employees aren’t forced to make up and remember hundreds of passwords, which can have a huge impact on productivity and decrease the likelihood of password misuse.
Without passwords to steal, bad actors can no longer leverage credential stuffing, a technique in which they try stolen username-and-password pairs against many sites at once, waiting for a hit.
Besides these additional protections, passwordless authentication also helps companies enforce their Zero Trust policy with more specific access control. And further, passwordless protection reduces the overhead and cost of ensuring that employees change their passwords every few weeks or months.
How Passwordless Authentication Works
So, how can you log into something without a password? Well, when you break it down, a password is simply a “knowledge factor,” meaning something you know. But, as we’ve seen, this type of factor is prone to sharing, misuse, and theft. Passwordless authentication replaces that knowledge factor with something harder to steal or replicate, such as a possession or biometric factor.
- Possession factor – This is something you own or have. A possession factor could be an email address, phone, FIDO (Fast IDentity Online) authenticator, or RSA key (digital signature). These things don’t require memorization and are difficult for an attacker to compromise.
Use case: Receiving an email with a magic link or receiving a push notification via an authenticator app.
- Biometric factor (also called “inherence factor”) – This is something you are: a trait intrinsic and unique to you. A biometric factor could be an iris scan, voiceprint, or facial recognition. These are extremely tough to replicate and cannot be forgotten, as they are a part of you.
Use case: Signing into your phone with Face ID or using your fingerprint to access an application containing sensitive material.
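To make the magic-link use case concrete, here is an added example of the server side of that flow (it is not JumpCloud’s code or any product’s implementation). It assumes a 15-minute validity window, a placeholder login URL, and leaves mail delivery and the HTTP handler out of scope. The points it demonstrates are the ones a defender cares about: the token is generated from the OS CSPRNG, only its hash is stored, and each link is single-use and time-limited.

```python
"""Magic-link issuance and redemption for passwordless login (added example)."""
import hashlib
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60                    # assumed policy: link valid for 15 minutes
BASE_URL = "https://login.example.test/magic"  # placeholder endpoint, not a real one


class MagicLinkStore:
    def __init__(self, clock=time.time):
        self._pending = {}     # sha256(token) -> (email, expires_at)
        self._clock = clock    # injectable so expiry can be exercised in a demo

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash: a leaked table cannot be replayed as live links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG; this secret is what
        # only the owner of the mailbox receives, i.e. the possession factor.
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._fingerprint(token)] = (email, expires_at)
        return token

    def redeem(self, token: str):
        """Return (email, None) on success or (None, reason) on failure.

        The entry is removed before any check, so a link works at most once
        whatever the outcome (single-use).
        """
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None, "unknown or already used token"
        email, expires_at = entry
        if self._clock() > expires_at:
            return None, "token expired"
        return email, None


def build_link(email: str, token: str) -> str:
    # The address travels only as a login hint; the token alone proves possession.
    return f"{BASE_URL}?{urlencode({'email': email, 'token': token})}"


def demo():
    """Walk through issue -> redeem -> replay -> expiry using a fake clock."""
    now = [1_700_000_000.0]                      # constructed timestamp
    store = MagicLinkStore(clock=lambda: now[0])

    token = store.issue("alice@example.test")    # constructed sample user
    link = build_link("alice@example.test", token)   # this is what would be mailed

    first, _ = store.redeem(token)               # genuine click: succeeds
    second, why2 = store.redeem(token)           # replay of the same link: rejected

    late = store.issue("alice@example.test")
    now[0] += TOKEN_TTL_SECONDS + 1              # user clicks after the window closes
    third, why3 = store.redeem(late)
    return {"link": link, "first": first, "second": second,
            "why2": why2, "third": third, "why3": why3}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Because the store keeps only the token’s hash, a database read by an intruder yields nothing that opens a session, and because redemption deletes the entry first, a link forwarded or replayed after the legitimate click is refused; the time limit bounds the exposure of a link sitting in a mailbox.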
How Do You Implement Passwordless Authentication?
Passwordless authentication sounds ideal in theory: you get extra protection along with an enhanced user experience and reduced IT costs. But going fully passwordless isn’t so simple in practice. Take a moment to think about how many applications employees use at a business (Hint: it’s a lot). And for each application that requires a password, you’ll need to implement new forms of authentication using a possession or biometric factor. All in all, it’s a huge project.
To make implementation less daunting, many companies split this process into several phases:
- Centralize authentication. By consolidating logins to various applications, you immediately decrease the number of passwords users need to remember. A good example of this is single sign-on (SSO).
- Enforce multi-factor authentication (MFA). MFA takes the security enhancement of SSO a step further: someone attempting to authenticate must now verify multiple factors. Once those are verified successfully, users are granted access to the application. MFA is a fantastic precursor to passwordless authentication because it keeps the stored password in place while users grow accustomed to the verification factors typically used in passwordless authentication.
- Implement a FIDO login structure and scale it across the business. Because this is a complex, costly process, many companies opt to implement passwordless authentication one element at a time (i.e., first SSO, then MFA, and so on), gathering feedback from developers and end users along the way. This step-by-step approach allows them to pay more attention to change management and plan for future passwordless authentication maintenance.
Get Started with Passwordless Authentication
Forcing employees to remember multiple complicated passwords and hoping they don’t reuse or accidentally share them is essentially asking for a breach. And breaches are costly. Although most small to midsize enterprises (SMEs) estimate the cost of a breach to be less than $10,000, the true average cost of a breach for these companies is $149,000.
In this day and age, you need a convenient, cost-effective, secure method of protecting your information without overburdening your employees, clients, or IT department. The answer is passwordless authentication. Gartner predicts that 60% of large and global enterprises and 90% of midsize companies will implement passwordless methods by 2022. But, as we’ve discussed, implementing passwordless authentication is no small feat.
Assuming you already have a robust SSO solution in place to centralize authentication, layering MFA everywhere is the next step toward a passwordless future. JumpCloud’s frictionless authentication can prevent unauthorized access and bring you closer to a Zero Trust security model. Even better, you can consolidate your identity management, SSO, and MFA tools into our comprehensive cloud directory platform and free up your IT resources.
To learn more, sign up for JumpCloud Free today to test out the full functionality of our platform in your own IT environment. Manage up to 10 users and 10 devices for free as long as you need until you scale to more.