According to Gartner, by 2025, more than half of the workforce and more than 20% of customer authentication transactions will be entirely passwordless – up from under 10% today. So whether they are ready to or not, organizations must start considering passwordless authentication as a serious option for their login and authentication flows, regardless of use case.
This blog will give a brief overview on what passwordless is and what organizations can look out for when considering passwordless authentication solutions. First of all, passwordless authentication methods are available in a few wrappers:
For example, a user could be asked to authenticate as part of a multi-factor process, where they are asked to enter a pattern (something they know) and then enter a one-time pin, delivered most often through their phone (something they have). And even if a password is baked into the first step, the addition of a passwordless second authenticator greatly increases security. That said, while security is increased, it is still compromised by the fact that a password is involved.
Furthermore, there is still the matter of user experience (UX), even if the security box is checked. Multiple authentication methods, across different devices, is hardly the frictionless UX organizations hope to offer their customers.
Biometric authentication is also a great passwordless option, and adoption of this is on the rise. This is in part, thanks to Face ID and Touch, who embed biometric authentication into their devices. Additionally, some biometric authentication solutions also lean on devices, by storing biometric data on the device. While this is certainly a great way to get user buy-in, it still presents organizations with some challenges, most notably, in a couple of areas:
Security: on-device biometrics means that a person’s biometric data is stored on that device. If the device were to be compromised, so too is the person’s biometric data and secondly, this method only authenticates the device, not the person. That leaves room for issues such as credential sharing, which in turn can contribute to revenue leakage in some industries (think streaming services).
Interoperability: on-device biometrics will naturally only work on-device. For organizations, this means they still need to work out the login and authentication method for other points of access and workflows, such as step-up authentication. However, different login and authentication experiences again disrupt the user experience and create more work for development teams as they need to accommodate for those differing access points.
However, passwordless biometric authentication is already moving beyond on-device and it’s challenges. Keyless is a next-gen biometric authentication solution that does not rely on a particular device and eliminates the need to process and store biometric data. This enables passwordless authentication for users in a way that exceeds GDPR and is PSD2 ready. With device-agnostic software, organizations have the ability to provide a consistent and intuitive user experience, that is user friendly, private and secure. It works either as a single factor authenticator or as part of a multi-factor authentication experience, integrating with an existing identity provider (IDP).
Can you achieve a quick win, by finding out if your incumbent IDP provides or partners with a passwordless authentication vendor? Or if not, what does the migration path look like?
Where exactly do you want to start using passwordless authentication? Will you roll it out to employees first? Customers? Or try it out in a control group, for e.g. with R&D? Unless there is a unique situation where you can roll it out everywhere, a phased approach will help you prove it out and increase time to value.
The rise of FIDO-approved authenticators will play an increasingly bigger role, as companies go passwordless. In order to ensure security and compliance levels are met, certification for standards, such as those FIDO provides, will give organizations the assurance they need.
At Keyless, we’re proud to be the first vendor in the world to have certification for both FIDO2 and FIDO biometrics - which means that our passwordless biometric authentication is approved for both employee and customer use cases. Additionally, if you want to read more from Gartner on this subject, we can also recommend Gartner’s paper, Take 3 Steps to Passwordless (in which we’re also cited).