Common questions and misconceptions about passwordless



Most new technologies require businesses to trade off benefits against disadvantages. Passwordless authentication is one of those rare cases where there is no tradeoff. There are no pros and cons – it is simply a superior alternative to passwords. It offers better security and a better user experience, and it is cheaper to own and operate.

But as with any new technology, doubts and misconceptions hinder adoption, especially when things look “too good to be true”, as they do with passwordless authentication.

Passwordless works only for web applications 

Passwordless authentication is generally easy to implement for web applications. In fact, web applications typically rely on identity providers (IdPs) to authenticate users on their behalf, so if the IdP supports passwordless, then so does the web app. That said, there is nothing preventing a non-web app from working with an IdP. Alternatively, some passwordless authentication solutions can expose a passwordless experience to users while continuing to manage the passwords that applications expect and supplying them behind the scenes. This is by no means an ideal solution, but it is certainly more secure than having users (mis)manage passwords or supply them to any app, genuine or malicious, that asks for them. More importantly, it is a necessary evil to enable a completely passwordless workplace.

Will not work for a real-world enterprise

Passwordless authentication can be challenging for legacy systems that expect a password. Deploying it in a real-world enterprise, with a mix of modern and legacy systems and apps, is therefore not always easy. That said, selecting the right passwordless authentication solution makes it possible to deploy passwordless on systems that support it and to create a passwordless experience for systems that depend on passwords. This way, users don’t need to use or manage passwords, and everything continues to work.

Passwordless is not secure

Passwordless authentication is generally more secure than password-based solutions, but this depends on the authentication methods used. If a single passwordless factor is used, such as an SMS code sent to a registered mobile device, then security might be inferior to passwords, because SMS messages are relatively easy to intercept. But if two or more secure passwordless factors are combined, such as a fingerprint sensor (first factor) on a registered mobile device (second factor), then security is much improved.

Another authentication fad

Passwordless is not another technology fad. Passwords are going away – it is just a matter of time until they are retired from all systems. The FIDO Alliance, an industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords, is 8 years old and supported by influential giants like Amazon, Apple, Facebook, and Google.

It’s a long journey… we’ll get there someday

In an ideal world, an organization has one centralized authentication system that supports all systems and apps requiring user authentication. Passwordless authentication is no different, but the reality for most organizations is that not all relying apps will be able to operate without passwords. So deploying passwordless boils down to choosing a solution that supports both modern and legacy applications and helps you manage a gradual migration all the way to passwordless, because creating a passwordless workplace is really an all-or-nothing effort. You either get rid of passwords in the workplace or you don’t. Leaving some passwords in the hands of employees leaves you exposed and leaves them with the headache of recalling and managing their passwords.

What can’t I do with passwordless authentication?

The limitations of passwordless authentication generally depend on two factors: what the authentication server and relying systems support, and what the passwordless authentication solution vendor enables.

Legacy authentication servers, such as the on-prem version of Microsoft Active Directory or an older print server, require a password to authenticate users. It is therefore not possible to work with these systems directly using passwordless authentication. That said, some passwordless authentication solutions have implemented technology that enables a passwordless experience while securely managing passwords behind the scenes. So users never use passwords, even to authenticate to systems that require them.

Passwordless solutions are not all the same. Many were designed to work with modern applications – i.e. web apps, etc. – and will therefore not work with the older, legacy applications commonly found in more established enterprises. But the more enterprise-oriented passwordless authentication solutions have designed a passwordless experience option that lets employees and IT teams benefit from passwordless authentication while still giving legacy apps the passwords they need.