What’s the Deal with Passwordless Authentication?


Passwords are plagued with problems, which make them an insecure factor for identity verification. Tech and security analysts predict enterprises will shift to passwordless authentication for users to enable modern digital transformation. This is mainly prompted by the problems that have arisen with passwords: they’re costly and burdensome to manage, they cause poor user experiences and they are easily compromised.

There are several other password-related threats and attacks that are commonly used by attackers, mainly because they are simple, and they work. A few examples include credential stuffing (large-scale, automated login attempts using stolen credentials); phishing (an attempt to deceive users and illegally acquire sensitive information, like passwords); brute-force attacks (password guessing), etc.

Passwordless authentication eliminates reliance on passwords and delivers a host of business benefits, including a better user experience, reduced IT time and costs and a stronger security posture.

What is Passwordless Authentication?

Passwordless authentication establishes a strong assurance of a user’s identity without relying on passwords, allowing users to authenticate using biometrics, security keys or a mobile device. Cisco Duo is innovating toward a passwordless future that balances usability with stronger authentication. Passwordless gives users a frictionless login experience, while reducing administrative burden and overall security risks for the enterprise. As a result, enterprises can realize the following benefits:

Better User Experience

By eliminating reliance on passwords, users benefit from a reduction in login fatigue and frustration, as well as an increase in user productivity.

Reduced IT Time and Costs

Similarly, administrators and enterprises can benefit from reduced burden due to password-related help desk tickets and password resets.

Stronger Security Posture

Eliminating system reliance on passwords can result in the elimination of related threats and vulnerabilities, including phishing, stolen or weak passwords, password reuse, brute-force attacks, etc.

4 Steps to Passwordless Authentication

Where to start your passwordless journey? Take a phased approach to providing secure access for the workforce, with each step bringing you closer to a fully passwordless future:

1. Identify passwordless use cases and enable strong authentication

Reduce your reliance on passwords and lower the risk of credential theft by identifying and selecting specific enterprise use cases. Group the use cases by applicable passwordless solutions, so as not to end up with a series of point solutions. Create implementation plans for areas that have the biggest impact with the shortest time to value. Reduce your reliance on passwords as the only form of user authentication, and open up additional factors to later provide primary authentication. Protect cloud and on-premises applications with Duo’s MFA. This enables you to lower the risk of credential theft by requiring a second method of identity verification that cannot be easily stolen remotely by an attacker.

2. Streamline and consolidate authentication workflows

Rationalize authentication for a set of use cases as part of the implementation plan. For cloud apps, achieve fewer passwords by using SSO for SAML-based applications. For on-premises services, integrate the workflows using access proxies and authentication proxies. With MFA in place and a consolidated login experience, you can change password policies that require stringent and complex password characters, as well as policies around password reset frequency. This lowers the user frustration related to password security and reduces your reliance on password complexity as your primary authentication.

3. Increase trust in authentication

An often-raised concern about passwordless is the potential for increasing security risk when reducing the steps people take to authenticate. Address that head-on by increasing control based on the context of the user’s authentication. Is the authentication coming from a trusted device? Does the access device’s security posture meet the organization’s security hygiene standards? Finally, check for suspicious behaviour like unusual authentication factors, unusual locations, strange times of day or access attempts by high-risk users or against high-risk applications. Apply adaptive access policies based on the context of the user, device, location, behaviour and more to ensure the authentication is trusted.

4. Provide a passwordless experience

If MFA is a password with one or more authentication factors, passwordless is best described as two or more authentication factors without passwords. People can log in using a biometric authenticator and possession of a trusted device to access applications. This would be something they have and something they are, instead of relying on something they know (a password). In this step of the journey, implement standard technology to remove passwords as the primary authentication factor for the use cases and areas with the biggest impact on user experience, cost and security. For example, consider using passwordless authentication to securely log on to your SSO solution. In this way, all of the applications federated behind the solution receive the benefit of passwordless.
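As an added example (not code from the original article or from Duo), the small policy evaluator below shows how the context checks of step 3 and the “two factors without a password” rule of step 4 can be expressed as an adaptive access decision; the trusted-device list, allowed countries, working hours and application names are constructed assumptions for the demo.

```python
from dataclasses import dataclass, field

# Constructed demo data: assumptions for this example, not values from any
# real deployment. A production system would source these from inventory,
# endpoint posture checks and the identity provider.
TRUSTED_DEVICES = {"laptop-0001", "phone-0042"}
ALLOWED_COUNTRIES = {"CA", "US"}
HIGH_RISK_APPS = {"payroll"}
WORK_HOURS = (7, 20)  # inclusive hour range considered "usual"


@dataclass
class AuthContext:
    user: str
    app: str
    device_id: str
    posture_ok: bool          # e.g. disk encrypted, OS patched, screen lock on
    country: str
    hour: int                 # local hour of the login attempt, 0-23
    factors: set = field(default_factory=set)  # e.g. {"possession", "inherence"}
    high_risk_user: bool = False


def evaluate(ctx: AuthContext) -> tuple:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    # Hard denies: an untrusted device or failing posture never reaches the app.
    if ctx.device_id not in TRUSTED_DEVICES:
        return "deny", ["device not enrolled as trusted"]
    if not ctx.posture_ok:
        return "deny", ["device posture below hygiene baseline"]

    reasons = []
    # Passwordless means two non-password factors: something you have (the
    # trusted device) and something you are (a biometric on that device).
    if not {"possession", "inherence"} <= ctx.factors:
        reasons.append("passwordless requires possession + inherence factors")
    # Contextual signals that raise risk without being conclusive on their own.
    if ctx.country not in ALLOWED_COUNTRIES:
        reasons.append(f"unusual location: {ctx.country}")
    if not (WORK_HOURS[0] <= ctx.hour <= WORK_HOURS[1]):
        reasons.append("outside usual hours")
    if ctx.high_risk_user or ctx.app in HIGH_RISK_APPS:
        reasons.append("high-risk user or application")

    # Any risk signal forces additional verification rather than a silent allow.
    if reasons:
        return "step_up", reasons
    return "allow", []
```

The decision and its reasons are returned together so that step-up prompts and audit logs can show why a login was challenged.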

Pairing passwordless technology with strong Duo multi-factor authentication (MFA) to protect access across cloud and on-prem is a practical way to provide the broadest security coverage today. With MFA in place, you can reduce your reliance on passwords and modify password policies to require less frequent resets, alleviating help desk burden and reducing user frustration.

For more information on Duo’s passwordless journey and MFA solution, please visit CDW.ca/Cisco-security