
Transitioning from passwords to passwordless


Once a company crosses the chasm and decides to go passwordless, then the goal should be passwordless for everything. But dropping passwords from legacy systems and apps can be tricky, as they are hardcoded to require a password and there is no easy way to upgrade or fix them to take a different authentication credential.

Some passwordless authentication vendors tout a ‘truly passwordless’ solution that has no passwords, down to the application code that performs authentication. While this is undoubtedly the endgame, a truly no-passwords solution will work only for modern apps that were designed to authenticate users without a password. Most older systems and apps are hardcoded to require a password as part of the user authentication process, whether entered by the user or by software on behalf of the user, such as a Single Sign-On (SSO) system. As a result, ‘truly passwordless’ quickly degrades from passwordless everything to passwordless for apps that support it and passwords for those that don’t.

A rip-and-replace approach that gets rid of the older systems and apps that won’t work with passwordless authentication is not a solution. Undoing years of IT investments is too expensive and complicated. For passwordless authentication to deliver on the promise of a passwordless workplace, it needs to work across legacy and new applications. 

This is where technology can help. 

Eliminating passwords from code versus passwordless experience

Eliminating passwords from the application code that requests them from the users is where passwords are headed. It is a matter of time and money until all systems and apps get there. Once there, passwords are never used to authenticate a user: they are not set during initial enrollment, not used as a fallback means of authentication, not used ever. Instead, setting up a passwordless account requires the user to register an alternative authenticator. Most commonly used today are registered mobile devices. Once the identity of the registered device is established, an authenticator app can be deployed to the device, or an on-device biometric sensor can be registered (e.g. a fingerprint sensor, face ID or voice ID). After the setup process is complete, all authentications are performed using the mobile device instead of a password.

‘Truly Passwordless’

Authentication solutions claiming to be ‘truly passwordless’ work only for modern systems and apps. As of today (2021), passwordless authentication is supported for web applications, some cloud services, and only the very latest versions of workstation operating systems.

Businesses with existing investments in IT will require time to be able to deploy passwordless across all of their systems and apps. They will need time to retire legacy apps that won’t work without a password, upgrade all the workstations to the latest and greatest versions of operating systems, and upgrade or retire any app that is hardcoded to require a password.

Until all legacy apps are retired or upgraded, businesses will need technology to help them deploy passwordless across all their business systems and apps, old and new. In other words, they will need technology to deploy ‘truly passwordless’ for apps that will support it and a secure alternative for apps that are hardcoded to require a password.   

Passwordless Experience

Passwordless experience refers to user authentication that is passwordless from the users’ perspective, but under the hood continues to supply legacy apps the passwords they expect. 

From a security perspective, users are never exposed to their account passwords and the passwords are frequently reset – sometimes as frequently as after a single use – to ensure that they are never cached and always protected. Without user intervention, passwords are provided on behalf of the user to legacy apps that are hardcoded to require them.

Unlike passwords that are recalled and entered by users, a well-designed passwordless experience provides dramatic security improvements. Passwords are never in the hands of users, so they cannot be compromised by social engineering attacks. Users simply don’t know the passwords. And the passwords themselves are machine-generated and frequently rotated to ensure they are practically impossible to crack or steal.    
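The mechanism described in the three paragraphs above, shown as an added example that is not Secret Double Octopus code: a broker holds a machine-generated password on the user's behalf, supplies it to a legacy app that is hardcoded to verify a password, and rotates it after every single use so a captured copy is worthless. `LegacyApp`, `CredentialBroker`, the user name `alice` and the one-use rotation policy are all constructed for this illustration; how the user proves identity to the broker (for example with a registered device) is out of scope here.

```python
"""Added example (not Secret Double Octopus code): a minimal credential
broker giving users a passwordless experience while a legacy application
still checks a password.

Constructed assumptions:
- LegacyApp stands in for any app hardcoded to verify a password; it
  cannot be changed, only given a new password.
- The broker is the only party that ever sees the password; the user
  has already authenticated to the broker some other way.
- One-time-use policy: the password is replaced after every login.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PASSWORD_LENGTH = 32  # roughly 200 bits of entropy over a 94-symbol alphabet


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Machine-generated password from a CSPRNG; nobody ever memorises it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class LegacyApp:
    """Constructed stand-in for a legacy app: stores a salted PBKDF2 hash
    and accepts only a username/password pair."""

    def __init__(self) -> None:
        self._users: dict = {}  # user -> (salt, digest)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest)

    def login(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, expected = self._users[user]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, expected)


class CredentialBroker:
    """Holds legacy passwords on the user's behalf and rotates them.
    A production vault would be encrypted at rest and rotation would call
    the app's real password-change interface; here it is a dict."""

    def __init__(self, app: LegacyApp) -> None:
        self._app = app
        self._vault: dict = {}  # user -> current password
        self.rotations = 0

    def enroll(self, user: str) -> None:
        """Initial provisioning: the user never learns this password."""
        self._rotate(user)

    def _rotate(self, user: str) -> None:
        new_password = generate_password()
        self._app.set_password(user, new_password)  # change it on the app side
        self._vault[user] = new_password             # keep the broker copy in sync
        self.rotations += 1

    def authenticate(self, user: str) -> bool:
        """Called once the user has proven identity to the broker. Supplies
        the password to the legacy app, then immediately rotates it so the
        value just used is dead."""
        password = self._vault.get(user)
        if password is None:
            return False
        ok = self._app.login(user, password)
        self._rotate(user)  # single use: rotate whether or not login succeeded
        return ok

    def current_password(self, user: str) -> str:
        """Exposed only so the demo can confirm rotation; a real broker
        would never hand the secret back to a caller."""
        return self._vault[user]


def demo() -> dict:
    """Enroll a constructed user, log in once, and check that the password
    used for that login no longer works."""
    app = LegacyApp()
    broker = CredentialBroker(app)
    broker.enroll("alice")
    first = broker.current_password("alice")
    logged_in = broker.authenticate("alice")
    second = broker.current_password("alice")
    replay = app.login("alice", first)  # a captured copy after one use
    return {"logged_in": logged_in, "rotated": first != second,
            "replay_rejected": not replay, "rotations": broker.rotations}


if __name__ == "__main__":
    print(demo())
```

The design point is the order of operations in `authenticate`: the rotation happens in the same step as the login, not on a schedule, so there is never a window in which a password that has been presented to the legacy app remains valid. Relaxing that to a periodic rotation trades some of that guarantee for fewer password-change calls against the legacy system.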

From a user experience perspective, passwordless experience offers the full benefits of passwordless. Users never have to recall, reset, recover or enter a password.

And most importantly, for many real-world businesses passwordless experience is the only practical way to become a passwordless workplace from day one.  To achieve the goal of a completely passwordless workplace, it is necessary to adopt a hybrid approach to passwordless – no passwords for systems and apps that support it, and passwordless experience for the rest. Over time, as legacy systems and apps that are hardcoded to require a password are retired, passwords can also be removed from the software that handles user authentication.