2FA

3 steps to drive passwordless authentication and obliterate passwords forever - Part 2

8min

All articles 2FA
#2FA  ·  #Authentication  ·  #User Experience
Simone Divakova

3 Steps To Implement Passwordless Authentication

Introducing passwordless authentication does not have to be costly or require significant extra effort. In fact, existing net investments can be re-adjusted to encompass passwordless authentication in an efficient way. Below, these first three steps will help you understand where efforts should be focused.

1. Understand your customers, their needs, behaviours, and security risk profiles

The first step is to outline your objectives and identify the drivers - mainly, your users. Do they use laptops, desktop devices, mobile phones, etc.? Depending on your users’ behaviours and needs, they may require different levels of security and user experience.

According to Gartner, security and user experience (UX) are the primary needs of customers for a superior login experience. To address these, consider the following primary goals for strategic authentication implementation and how these resonate with the needs of your customers.

Key Security goals

  • Eliminate passwords completely from use and from the infrastructure
  • Reduce risks of account takeover (ATO) and digital-identity theft

Key User Experience goals

  • Remove passwords from the customer journey
  • Avoid additional friction due to forgotten passwords

2. Evaluate your current system and resources

Passwordless authentication does not necessarily mean investing in new technology. Improving or adapting the current authentication methods to not require passwords may suffice to address your customers needs (see figure below). In this example, authentication can be achieved using any combination of signals and credentials without the use of a password. For example, one could implement Biometrics to achieve passwordless authentication.

Another more advanced method for passwordless authentication that enhances frictionless user experience is using recognition and risk signals (see figure below). These are used in conjunction with more traditional MFA solutions. Here the passwordless authentication depends primarily on signals and specific conditions. If these meet certain criteria, then the user can login via ‘zero-factor authentication’ (0FA) or also known as adaptive authentication. If the criteria are not met, then the user is asked to perform a more traditional MFA step to login.

To evaluate your current systems, you may use the following questions to guide you:

Key Questions to evaluate your current security and user experience setup

  • Are you already using any type of passwordless methods?
  • Are you currently using authentication or Identity Access Management (IAM) solutions?
  • Are your current solutions on-premise or in the cloud?
  • Can you modify existing customer authentication flows to refrain from using passwords?
  • Can already planned investments be used to help migration?
  • Are there any urgent needs that demand new net investments?

By answering these questions you can already start to understand what kind of passwordless authentication would be easiest to implement. The best way to address this further is to work directly with your authentication vendor.

3. Minimize time to value

Explore how you can enhance your current systems to go passwordless.

There are two mainstream methods for directly replacing password authentication. The first is to use the phone-as-a-token (phaat) method. Secondly, both single-factor and multi-factor authentication (MFA) can be modelled to authenticate without the use of passwords. For example, using single-factor authentication such as mobile push, one-time password (OTP), or out-of-band (OOB) SMS (although there is increasing criticism for using SMS for authentication). For multi-factor authentication, passwordless methods include using PIN or biometric authentication. A graph below illustrates how these two passwordless methods can be applied.

The first part illustrates implementing phone-as-a-token to a single-factor authentication model. The second part provides an example of phone-as-a-token with multi-factor authentication (MFA). In the MFA example, a password can be replaced simply by adding a PIN or biometric authentication on top of the mobile push or OTP.

In cases where customers do not use mobile phones, OTP hardware tokens are the most common alternative.

Prepare for adoption

Based on Gartner projections, phone-as-a-token authentication is catching significant traction in the market, and will most likely be the most popular form of passwordless authentication in customer use cases. This includes passwordless authentication in the form of mobile MFA, biometric authentication, pattern or picture methods, and adaptive authentication. These solutions are all already available as passwordless MFA authentication by design and are the most easy and straightforward to adopt.

As long as passwords remain in login flows, both organizations and customers will carry the burden of managing passwords, as well as enforcing and complying with effective password policies. Thus the burden of passwords will weigh on both the security and user experience of customers. However, it is evident that organizations across industries are tackling these goals head on. To discover how you can address passwordless authentication for your end-users, you can learn more here.

This is a guest post from Futurae.

To the original article

Blognews directly in your mailbox

The Airlock Newsletter informs you continuously about new blog articles.

Subscribe blognews

Information for you

-Our whitepapers-

Executive View: KuppingerCole - Airlock Secure Access Hub for applications and APIs

This KuppingerCole Executive View report provides an architectural and functional overview of the Airlock Secure Access Hub, an integrated platform for secure access management - a multicloud-native security tool for web applications, APIs and beyond.

 

Fill out the form now and receive Executive View!

Whitepaper: Security for cloud-native applications

You can read about how companies can ensure the security of web applications and APIs in Kubernetes in the white paper "Security for cloud-native applications", which was created in collaboration between heise and Airlock.

 

Request whitepaper

Whitepaper: Zero Trust is a journey

The ongoing digital transformation of the world is progressing and having a profound impact on our personal and professional lives in ways that were difficult to imagine just a few years ago.


This white paper discusses the effects of continuous digitalization and its impact.

Request free of charge

Off to DevSecOps

In this white paper, you will learn the most important insights into how you can implement DevSecOps successfully and efficiently, which security components are required for this and the advantages of a microgateway architecture.

 

Request free of charge

Airlock 2FA - Strong authentication. Simple.

Double security - this is what two-factor authentication offers in the field of IT security.


Find out more about strong authentication and the possibilities offered by Airlock in our white paper.

Download for free

Further whitepapers

We provide you with free white papers on these and other topics:

 

  • Successful IAM projects
  • compliance
  • Data protection (DSGVO)
  • Introduction of PSD2
  • PCI DSS requirementsPCI DSS requirements
Request free of charge