By Nic Sarginson, Principal Solutions Engineer at Yubico
For too long, passwords have been the primary authentication factor. However, we know that usernames and passwords alone do not offer the most secure form of cybersecurity protection, and still leave users vulnerable to attacks. In fact, breach analysis in the NCSC’s UK Cyber Survey revealed that 23.2 million victim accounts worldwide used the password 123456.
To ensure stronger security, the focus has since shifted to two- or multi-factor authentication, especially forms that employ phishing-resistant technology. Strong two-factor authentication (2FA) requires that a user provide two verification factors to confirm their identity. Multi-factor authentication (MFA) requires that a user present two or more forms of verification before being granted access to an application or website. These can take the form of a tangible item such as a security key, or a biometric identifier such as a fingerprint.
Passwordless is the next level of security, as it removes the reliance on passwords and delivers a more secure and frictionless login experience. To achieve strong passwordless authentication, organisations should explore the following seven key steps to enhance their security.
- Find the right solution
The first step is an overall evaluation of the existing technical environment as each organisation’s approach will be slightly different due to different needs. For example, organisations that have already shifted to a cloud-first environment will find applying FIDO2 passwordless to be a simple process. This is because such environments can run in either an Azure Active Directory (AAD) environment or a hybrid environment, which can use applications such as Office365 and additional SaaS applications. Hybrid AD and AAD environments are also compatible with both FIDO2 and smart card solutions.
For organisations operating an on-premises Active Directory environment, a smart card passwordless implementation will be the better option, since FIDO2 or WebAuthn passwordless strategies are not always viable in a fully on-premises authentication environment. Those currently with an IAM provider will need to confirm whether it is cloud-first or on-premises, then pick their solution accordingly.
- Lean on an expert
The journey to passwordless implementation is not always straightforward and may come with several unexpected delays. Drawing on expertise from an external professional services (PS) expert can help to minimise surprises, speed up the implementation process, and ensure its long-term success. Expert insight can provide organisations with an honest evaluation of their internal resources and the most suitable passwordless solution.
To prepare for this step, a timeline must be established first to consider where within the business a PS expert can be most helpful. The PS expert can then help an organisation develop strategies and integration plans, create internal training programmes, and consult on best practices.
- Establish a proof of concept
Establishing a proof of concept (POC) is the foundation to initial testing with smaller user groups and is the next step for developing a passwordless strategy. There are three main considerations before beginning this process.
Firstly, an environment needs to be set up to demonstrate end-to-end connectivity between the existing systems and the current authentication technology for key users or user groups. Secondly, the intended passwordless solution should prove, at this earliest phase, that it can run with the intended use cases, users, and essential systems. Thirdly, success criteria must be defined, and the POC must confirm that they can be achieved.
- Identify your users' needs
A full assessment of an organisation’s user environment provides a detailed understanding of its behaviours, needs, access points, and devices. At this stage there should be a clear understanding of the workforce locations, users and use cases, and cross-functional alignment.
Where remote users are located and how they can safely access the technology should always be considered when developing any strategy plan. The needs of every user, their current behaviours, experience metrics, and risk profiles within the environment must be assessed. Administrators can create a better passwordless experience by reviewing what devices users have and how they are used. For example, whether users access the system through mobile devices or shared workstations. Finally, organisations must identify all key stakeholders and evaluate the development plans together. Only when all parties agree will these plans be successful.
Organisations with a large remote workforce should consider hardware-based security keys to securely authenticate such users while minimising user friction as much as possible, whereas organisations running a mixed-device or bring-your-own-device (BYOD) environment may find a hybrid or smart card passwordless implementation more suitable.
- Focus on the user journey
This step is important when deciding how a passwordless strategy fits into an organisation's already established technical processes. Technology decisions, planning, and operational readiness are all factors to be aware of. To help with this, organisations need to create a plan for how a security key fits into the existing HR processes surrounding onboarding, offboarding, and what to do in the case of lost or missing devices.
Furthermore, creating a training plan is essential to help ensure a smoother transition to adopting new authentication tools and policies. This should be developed with HR, IT, and any other key stakeholders as they can provide the high-level support needed to prevent productivity from being compromised while users take time to learn these new practices.
Communication with users as to why and how these new processes protect not only the business but them as individuals is important. For example, users must be informed of how FIDO and smart cards can benefit them. If not, there can be some resistance to these changes, as OTP solutions are generally regarded as easier to use, whereas understanding the increased risk of OTPs will make users more appreciative of the alternative strategies.
- The test – deploying the solution
It is important to monitor how all aspects of the solution are working together before its official launch. Bring users on-board to test how the passwordless solution is running by deploying one or more pilot schemes to indicate the programme’s level of readiness ahead of a business-wide rollout.
If a short timeline is absolutely necessary, the pilot can be skipped in favour of the earlier established proof of concept. However, this should only be considered in situations where the urgency of action must take priority over a comprehensive pilot assessment.
Once the solution is ready, educating users on its benefits is key to ensuring a smoother transition at launch. Building business-wide excitement leading up to the launch encourages users to want to learn more about the passwordless technology, rather than viewing it as a burden. Scheduling exciting activities, celebrations, or workshops ahead of the final launch is one way organisations can introduce their users to the change in a positive way.
- Determine and gauge success metrics
In the weeks or months following the deployment of the solution, metrics need to be defined to gauge the passwordless solution's level of success. Depending on the organisation, success metrics may include how users are receiving the solution, the financial impact, the number of password-related IT support tickets, or the increase in authentications through the passwordless solution across the organisation.
Each enterprise may have a different road to making this passwordless transition, depending on factors that include current user environment, existing authentication processes and staff readiness. However, the passwordless world where users secure their devices – not with what they know but with something they have – is the future of security.