Organizations that are eliminating passwords are in good company. Microsoft is phasing out password authentication for its employees (and expects other businesses to do the same), and Gartner has noted that more enterprises are interested in going passwordless. But the identity and access management market is crowded with vendors offering some type of passwordless technology, and based on our conversations with IT and security professionals, there is confusion about what exactly to look for in a product.
To help organizations on their journey to passwordless authentication, here are three key features that your passwordless product should have. While other factors will influence what product an organization purchases (such as ease of use and customer support), considering the ones listed here is a good starting point.
Learn if passwords are really being eliminated
Some passwordless authentication products don't actually eliminate passwords. Instead, they offer what is better called passwordfree authentication. While the phrases passwordless and passwordfree are often used interchangeably, they describe very different mechanisms.
Passwordfree authentication is about user convenience more than security. It doesn't remove the password from the authentication process: the person presents a biometric instead of typing a password, but that biometric merely unlocks a password stored on the smartphone or in a password manager, which is then sent to the server exactly as before. The server still holds the password (or its hash) and still receives it on every login, so it can still be phished, replayed from a captured session, or exposed in a breach.
Passwordless authentication removes the password from the process entirely. People never create a password when they set up an account or enter one to access it. With true passwordless authentication the log-in screen has no password field, so there is nothing to type and nothing for a phishing page to collect. Because no password exists, the risk of passwords being exposed in a data breach or stolen in a phishing attack goes with it.
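The difference between the two flows is easiest to see on the wire. The following is an added example written for this article, not code from any vendor's product: it models passwordfree as a conventional password login (the biometric only unlocks a stored password that is then sent and hashed server-side), and passwordless as a signed-challenge login in the style of FIDO2/WebAuthn, with Ed25519 standing in for the authenticator's key pair. The password, key pair and challenge values are constructed for the demonstration. Plain SHA-256 is used in place of a slow password hash purely to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Passwordfree: a conventional password login. The server keeps a salted hash
// and receives the password itself on every login. (Plain SHA-256 stands in
// for a slow password hash such as bcrypt or Argon2 to keep the example short.)
type PasswordServer struct{ salt, hash []byte }

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func NewPasswordServer(password string) *PasswordServer {
	salt := make([]byte, 16)
	rand.Read(salt)
	return &PasswordServer{salt: salt, hash: hashPassword(salt, password)}
}

// Login accepts whatever password arrives: a phishing page, malware or a
// TLS-terminating proxy that saw it once can send it again.
func (s *PasswordServer) Login(password string) bool {
	return subtle.ConstantTimeCompare(hashPassword(s.salt, password), s.hash) == 1
}

// Passwordless: the server stores only the public key registered at enrollment
// and one outstanding random challenge per login attempt.
type PasswordlessServer struct {
	pub       ed25519.PublicKey
	challenge []byte // cleared as soon as it has been used
}

// Challenge issues a fresh nonce; the client must sign exactly this value.
func (s *PasswordlessServer) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.challenge = c
	return c
}

// Verify checks the signature over the outstanding challenge and retires it,
// so a captured (challenge, signature) pair is useless in any later session.
func (s *PasswordlessServer) Verify(challenge, sig []byte) error {
	if s.challenge == nil || subtle.ConstantTimeCompare(challenge, s.challenge) != 1 {
		return errors.New("challenge is unknown, expired or already used")
	}
	s.challenge = nil
	if !ed25519.Verify(s.pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Device stands in for the phone or security key. The private key never leaves
// it; the biometric is checked locally and only gates use of the key.
type Device struct{ priv ed25519.PrivateKey }

func (d *Device) Sign(challenge []byte, biometricOK bool) ([]byte, error) {
	if !biometricOK {
		return nil, errors.New("local biometric check failed")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// ReplayDemo performs one legitimate login in each scheme, then replays exactly
// what an eavesdropper captured, and reports whether each replay succeeded.
func ReplayDemo() (passwordfreeReplayed, passwordlessReplayed bool) {
	const stored = "correct horse battery staple" // constructed example password
	ps := NewPasswordServer(stored)
	_ = ps.Login(stored)                    // legitimate login after biometric unlock
	passwordfreeReplayed = ps.Login(stored) // attacker resends the captured password

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev, pls := &Device{priv: priv}, &PasswordlessServer{pub: pub}
	c1 := pls.Challenge()
	sig1, _ := dev.Sign(c1, true)
	_ = pls.Verify(c1, sig1) // legitimate login
	_ = pls.Challenge()      // attacker opens a new session and replays (c1, sig1)
	passwordlessReplayed = pls.Verify(c1, sig1) == nil
	return
}

func main() {
	pf, pl := ReplayDemo()
	fmt.Printf("passwordfree replay succeeded: %v\npasswordless replay succeeded: %v\n", pf, pl)
}
```

The point the example makes is structural rather than cryptographic: in the passwordfree flow the secret the server checks is the same secret that crosses the network, so one capture is enough; in the passwordless flow the server never holds anything that can be used to log in, and a fresh challenge on every attempt means a captured signature does not transfer to a later session. Real deployments also bind the signature to the origin and a counter, which this sketch omits.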
Look for a passwordless authentication platform that works in complex IT environments
Organizations operate diverse IT ecosystems. There are Mac users and PC users. Some people prefer Firefox and others only use Chrome. Even if one OS dominates a company, odds are that not all employees are on its most current version. Companies need a passwordless authentication platform that works with a variety of hardware and software from different vendors, not just the handful tied to a single vendor.
This question of compatibility is especially relevant to companies that are considering Windows Hello for authentication. While Windows Hello offers passwordless authentication, at the time of writing it only works on Windows 10 and in Microsoft's Edge browser. For employees on older versions of Windows, on macOS, or in browsers other than Edge, passwordless authentication with Windows Hello isn't an option.
With a platform, companies can use passwordless authentication across a range of applications. While Windows Hello authenticates into some non-Microsoft apps, the list lacks ones commonly used in enterprises, like Salesforce, Citrix and G Suite. Microsoft has said it is increasing the number of applications Windows Hello works with, but that doesn't help companies that want passwordless authentication for their diverse IT environment now. Those organizations need a passwordless authentication platform that is flexible enough to meet their business needs.
Look into how the biometric data is stored
Biometrics play a key role in many passwordless authentication products, which use what you are instead of what you know to authenticate. A biometric is harder to phish or reuse across sites than a password, but it is not secret and cannot be changed if it leaks, so the key question is how the biometric data is stored.
Properly securing biometrics starts with encrypting the data at rest. Additionally, the data can be divided and stored in different locations, such as on the person's smartphone and on the organization's server, so that no single location holds a usable template. That makes obtaining the biometric much harder for attackers: to recover it they have to compromise the server in addition to the person's smartphone.
Storing the entire biometric in one place has prompted concerns about the fallout if that location is breached, because a fingerprint or face cannot be rotated the way a password can. While captured biometric data is difficult to turn into a working spoof for a presentation attack, security professionals should still reduce the chance that attackers can obtain it. Storing biometric data in multiple locations is one part of that strategy; the other well-established approach, used by FIDO2 authenticators and Windows Hello, is to match the biometric entirely on the device so that it never leaves it.
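To make the split-storage idea concrete, here is an added example written for this article; it is not the scheme any particular product uses. It splits a template into a random share for the phone and an XOR share for the server (two-of-two secret sharing, i.e. a one-time pad), recombines them, and matches a fresh reading against the enrolled template by Hamming distance. The template bytes are a constructed stand-in; real templates are vendor-specific feature vectors, and real systems would additionally encrypt each share at rest as the paragraph above describes.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/bits"
)

// SplitTemplate produces two shares of a biometric template: a uniformly random
// share kept on the phone and the XOR of that share with the template kept on
// the server. Each share alone is independent of the template (a one-time pad),
// so an attacker needs both stores to learn anything.
func SplitTemplate(template []byte) (phoneShare, serverShare []byte, err error) {
	phoneShare = make([]byte, len(template))
	if _, err := rand.Read(phoneShare); err != nil {
		return nil, nil, err
	}
	serverShare = make([]byte, len(template))
	for i := range template {
		serverShare[i] = template[i] ^ phoneShare[i]
	}
	return phoneShare, serverShare, nil
}

// Reconstruct recombines the shares. In a sound design this runs on the
// device, not the server, so the full template never exists server-side.
func Reconstruct(phoneShare, serverShare []byte) ([]byte, error) {
	if len(phoneShare) != len(serverShare) {
		return nil, errors.New("share length mismatch")
	}
	out := make([]byte, len(phoneShare))
	for i := range out {
		out[i] = phoneShare[i] ^ serverShare[i]
	}
	return out, nil
}

// Matches compares a fresh capture with the enrolled template by Hamming
// distance, since two readings of the same finger are close but never equal.
func Matches(enrolled, fresh []byte, maxBits int) bool {
	if len(enrolled) != len(fresh) {
		return false
	}
	d := 0
	for i := range enrolled {
		d += bits.OnesCount8(enrolled[i] ^ fresh[i])
	}
	return d <= maxBits
}

func main() {
	template := bytes.Repeat([]byte{0xA5}, 32) // constructed stand-in for a template
	phone, server, _ := SplitTemplate(template)
	rebuilt, _ := Reconstruct(phone, server)
	fmt.Println("server share equals template:", bytes.Equal(server, template))
	fmt.Println("rebuilt template matches:", Matches(rebuilt, template, 8))
}
```

The design choice worth noting is where Reconstruct runs. If the server recombines the shares to perform the match, it sees the complete template on every login and the split buys nothing against a server-side attacker; recombining on the device keeps the server's share useless on its own.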
Only a passwordless authentication platform can eliminate passwords
Checking a product against these points can help companies determine whether the passwordless product they're considering will benefit them. Getting rid of passwords can improve security, lower password management costs and provide a better user experience. But that is only possible with a passwordless authentication platform that truly eliminates passwords, works in diverse IT ecosystems and protects biometric data.