Many organizations moving towards a Zero Trust Architecture are seriously considering going passwordless. For a while now, passwords have been one of the weakest points in an organization's security. They are considered error-prone because they rely on human effort, and humans tend to make the same mistakes, such as:
Users often reuse the same passwords for work and personal accounts, meaning that if an attacker gains access to an employee's Netflix account, they have a good chance of gaining access to the employer's company apps with the same password.
Users choose passwords that are easy to guess: because they have to remember credentials for many accounts and apps, they fall back on simple passwords like password, letmein or 123456, simply because those are easier to remember.
Passwords aren't kept safe. When password policies force users to change passwords often or to create longer, more complex passwords, there is a higher chance that users will store them in insecure places such as clearly visible post-it notes, a plain-text spreadsheet, or browser autofill. Passwords are also shared fairly often and can be compromised through malicious browser extensions and websites.
Passwords not only create vulnerabilities for IT and security teams, they also create a lot of overhead in the form of complex password policies, password management and user lockouts. These teams spend a lot of time figuring out the best way to store passwords, getting users to create more complex and secure passwords, and preventing lockouts, which are a major drain on productivity. They also have to do all of this while keeping it easy for users to access these systems.
For a lot of organizations, the answer seems simple: get rid of passwords and you eliminate a huge weakness in your security posture, hence the desire to go passwordless. Passwordless is a great solution, and it's a no-brainer why you'd want to move away from passwords. But there's a reason organizations haven't made the switch yet: it's hard. Simply put, going passwordless involves a lot more than buying new software and no longer using passwords. There's a lot of work that needs to be done beforehand. The obstacles to going passwordless include, but are not limited to:
Multiple IdPs and legacy applications may not be compatible with a passwordless solution. Users then have to fall back on passwords anyway, and you're right back at step one. IT and security teams may have to find a way to upgrade legacy systems or consolidate IdPs so that their investment in a passwordless solution is not wasted.
Passwordless solutions that rely on hardware tokens or biometric hardware require organizations to purchase expensive hardware for every user. This can mean devices such as YubiKeys, or laptops and smartphones with biometric features enabled. Not only would organizations have to purchase these devices, they would also be responsible for upkeep and maintenance while ensuring every user has one, which is difficult when a majority of staff work remotely. These hidden costs pile up quickly.
Convincing users to use their own devices, or BYOD, is tricky. While companies may offer to reimburse users for the use of their personal devices, many users are still reluctant to use their personal devices for work-related purposes, let alone install software on them. For a lot of users, this is a serious privacy concern.
Broken or lost passwordless tokens are one of the biggest reasons going passwordless is so hard. If a user breaks or loses the device they use for their passwordless solution, they often have a hard time regaining access, causing a big drop in productivity. On top of that, in order to securely regain access, users usually have to contact IT and security teams, wasting time that could be spent on more important tasks.
While going passwordless may be difficult, it’s still worth it for organizations to try and make the leap, and there’s a way for them to make it easier: continuous authentication. With continuous authentication, organizations can make a more seamless transition to passwordless and here’s how.
Continuous authentication invisibly authenticates users throughout a session, which means authentication, and with it the opportunity for human error, is automated out of identity security. If your users do make a mistake (which happens, let's face it), unauthorized access will still be caught. Continuous authentication is based on behavioral biometrics: the study of how users interact with systems, and the use of those interactions to uniquely identify them. Because this behavior is easily observable on the systems your users already use, no additional hardware or user training is required. Additionally, since this natural and innate behavior is based on how users interact with your systems rather than what they do, no personally identifiable information (PII) is involved.
Here at TWOSENSE, we created continuous authentication software that integrates with your current IAM/SSO stack and can be deployed on all endpoints in 30 minutes, so even if you have multiple IdPs or legacy applications, we can automate authentication across all of them. This also means that even if a user loses, breaks or switches devices, they can still be securely authenticated without contacting IT and security teams, so there is no disruption to user workflows and no wasted time for IT.
TWOSENSE developed continuous authentication to make the leap to passwordless easier. We believe passwordless is the future, and we're excited to help you get there. If you're thinking about going passwordless but aren't sure where to start, reach out to TWOSENSE today to see how we can help.