Five Steps to Passwordless Authentication

Passwords are on the way out, and organizations should be acting now to move to more modern authentication platforms. A steady stream of phishing and ransomware attacks over the past year clearly demonstrated that passwords simply aren’t secure enough to protect the modern enterprise, and users are demanding an improved experience that doesn’t depend upon remembering clunky passwords.

Passwordless authentication technology increases security, improves the user experience and provides administrators with deeper insight into user activity. Deploying this powerful technology requires more than just removing passwords, however. Secure passwordless authentication platforms require strong device-based or biometric authentication presented as a component of a larger security strategy that incorporates zero-trust architecture and a secure access service edge (SASE) approach.

Let’s take a look at five steps organizations should take on their journey to passwordless authentication.

1. Develop a password replacement offering: Before you can move away from passwords, you’ll need to have the strong authentication technology in place that will securely replace them. Microsoft Windows Hello for Business is a good option for organizations that rely upon Active Directory, as it incorporates a strong, hardware-protected credential that allows single sign-on to Active Directory, both on-premises and in the cloud.
2. Complete a risk assessment: Analyze the risk associated with each one of the information systems used in your environment to determine both the probability and the impact of a potential breach. This will help you develop authentication requirements for each system commensurate with the level of risk they present. It will also provide the means to prioritize your work, focusing first on the highest risk systems.
3. Reduce the user-visible password surface area: Users are conditioned to enter their passwords dozens of times per day. The next step in moving to a passwordless environment is removing as many of those barriers as possible. This helps train users to understand that, while they have a password, they shouldn’t be using it routinely. It also dramatically improves the user experience by allowing them to seamlessly move from system to system.
4. Transition to a passwordless deployment: Once you’ve minimized the number of times that users encounter password prompts, you can transition over to a truly passwordless environment. In an ideal world, the user might sign into Active Directory using Windows Hello for Business and then never encounter another authentication prompt. If they must sign into another system, they are not prompted for a password but instead are redirected to Hello for Business.
5. Eliminate passwords from the identity directory: The last step in achieving a passwordless environment is actually removing passwords from your identity store. This is the ultimate goal of a passwordless strategy, but you won’t be able to take this final step until you’ve modernized every legacy system that relied on password authentication. Once you’ve removed the passwords entirely, you’re safe from password theft attacks because there simply are no passwords to steal.

Organizations that follow this five-step process will find that this methodical approach allows them to deploy passwordless authentication while gaining the benefits of an improved user experience, increased security and better insight into user activity.