Passwordless Authentication: Benefits, Challenges and Deployment Options
Poor password hygiene remains a key security weakness for many businesses. All employees know that a password should be long, complex, unique and never shared with anyone. Although this is simple in theory, in practice it can be difficult to remember a new complex password for every application or system. For this reason, it is common for employees to re-use passwords, or opt for a simple, easy to remember password. This is worrying, as a single user with a simple password may be the cause of a major cyberattack.
The introduction of multi-factor authentication has greatly reduced this risk, however it has come at the cost of convenience for users. The adoption of passwordless authentication aims to increase security, whilst providing a better user experience. In this article we will discuss the benefits, challenges and use cases for passwordless authentication.
What is Passwordless Authentication?
Passwordless authentication is a method of multi-factor authentication that negates the need for passwords. This is achieved through systems that verify a user’s identity using something they are (such as biometrics), or something they have (such as a mobile device or security key). When the user requests access to an application or system, a new authentication request is generated. Therefore, the user does not need to enter a password, and no password is stored within the platform, therefore there is nothing for a cybercriminal to steal or phish.
Improved User Experience
For employees, having to remember multiple long, complex passwords can be a frustrating experience. Similarly, a poorly implemented multi-factor authentication solution can feel like a waste of time, especially if it is required for all applications. With passwordless authentication, the user experience is greatly improved, with no need to remember passwords. If passwordless authentication is implemented in Azure Active Directory with Single Sign On enabled, employees can log into once to have access to all the applications and services they use on a daily basis.
If a cybercriminal gains access to an employee’s password, they can use the compromised account to access company data or launch another attack. With this form of authentication, this is not possible as it is not possible for a cybercriminal to steal biometrics from an individual. Similarly, as there is no password, phishing attacks are no longer a viable method of account compromise.
Save Time and Money
IT teams spend a significant amount of time resetting employee’s forgotten passwords. With passwordless authentication, it is not possible to forget a password, or need it reset. This allows IT teams to spend more time focusing on optimising current use of technology within a business and ensures that employees do not lose access to critical IT systems whilst working.
Ultimately, businesses will benefit from implementing a passwordless authentication solution, however they may run into some challenges along the way. The main challenge of passwordless authentication is the deployment process, if a business does not have experience with the technology, or visibility of all the applications and services employees use, deployment can become difficult and complex. This can be solved by using a trusted IT provider to deploy the solution within a business. Some businesses may also run into issues with providing a solution that suits all employees, thankfully with Azure AD there are multiple deployment options to suit a variety of use cases.
Windows Hello for Business
Windows Hello for Business is an option that utilises two-factor authentication with a PIN and biometric authentication. The biometric authentication works by using pre-existing hardware on an employee’s work device. This may include either a fingerprint scanner, or facial recognition using the in-built camera. This method is more secure and convenient than a traditional password as it uses multi-factor authentication, and the biometric authentication only requires the user to touch a sensor or look into their camera. However, this method will not work if the employee’s device does not have a fingerprint scanner or in-built camera.
Microsoft Authenticator App
The Microsoft Authenticator app is another method of passwordless authentication that uses either biometrics or a PIN, similar to Windows Hello for Business. This option requires users to have the Microsoft Authenticator app installed on in their Android or IOS device. When the user reaches the login screen and enters their username a push notification will be sent to their phone, opening the Microsoft Authenticator app. They then enter either a PIN or use their phone’s native biometric features. This method works particularly well for businesses that already use the app for multi-factor authentication.
FIDO2 Security Keys
FIDO2 security keys are physical devices that work similarly to a key for a car or house. The keys come in many form factors, including USB devices, an NFC chip or a Bluetooth device. With this option, an employee must connect the device and they will be automatically logged in. This method is typically used by businesses that are particularly security sensitive or have employees that would rather not use biometrics or their phone for authentication.
Passwordless authentication is becoming more commonplace in businesses looking to improve their security posture, whilst creating a better experience for their employees.