Three Key Factors to Assess Before Adopting Passwordless Security

This guest blog was contributed by Shimrit Tzur-David, CSO and Co-Founder of Secret Double Octopus.

The days of having to remember passwords may soon be over. With tech giants including Microsoft announcing steps towards passwordless authentication, it’s only a matter of time until billions of users start logging into their accounts using alternative authentication methods such as biometrics and pubic-key cryptography. Some 66% of organizations are expected to go passwordless in the next two years, according to a recent survey of IT professionals by the Ponemon Institute.


What’s more, many businesses have already adopted passwordless authentication to heighten their cybersecurity standards and completely remove one of the most vulnerable areas that hackers can exploit.


With passwordless authentication also comes an improved user experience, since users no longer have to remember multiple passwords and enter them every time they log in. Passwordless authentication also results in dramatic cost savings for businesses that are tired of losing worker and IT productivity to downtime caused by lost passwords.


The most commonly cited considerations for companies that are thinking of adopting passwordless processes are security, user experience, and cost. However, there are some other key factors that businesses need to take into account when deciding whether to go passwordless.


Here are some of the lesser mentioned —- but no less important — factors that companies should consider.


Countering organizational resistance

When you’re deciding whether to take your company passwordless, employees are bound to express some questions and concerns. They may be skeptical, especially when it comes to the use of biometrics, such as fingerprints and facial scans.


When companies implement biometric systems, it’s not uncommon for some employees to feel uneasy or to object outright. The transition is something that management needs to handle carefully, from initial communication to system rollout to final data-security policy. Educate your employees about how the system uses and stores the data, emphasizing any encryption or data decentralization that the system may employ.


Businesses may also receive pushback regarding the use of personal devices like smartphones for multiple-factor authentication (MFA). Thankfully, with the rise of remote work and the bring your own device (BYOD) to work trend, employees are now much more accustomed to using their devices to fulfill parts of their job role. In a recent survey by Gartner, 55% of workers said they use their own devices while performing company duties.


Beyond such pushback, companies may also confront organizational inertia, a general reluctance to change. Employees who are accustomed to traditional passwords, or even standard MFA models, may drag their feet when adopting a new login method. IT departments need to be as transparent as possible about changes, carefully explaining what is expected of workers, showing them why the shift may not be as drastic as they think, and why the change benefits the company as a whole.


You may be able to turn this resistance to your favor by showing employees that passwordless authentication is more convenient and more secure than traditional methods. Employees may actually welcome the convenience of passwordless systems, which eliminate the need to remember multiple passwords or to type in passcodes from an MFA authenticator.


Assessing cross-platform readiness


Another issue when considering a passwordless system is how ready your computer systems are to adopt it immediately. For smaller organizations that don’t have abundant IT resources or companies lagging behind in their digital transformation, the transition may be difficult.


Most often, the true roadblock will be legacy systems that are hardwired to require a password. Unfortunately, there aren’t many options for companies with such outdated systems. One possible approach is password rotation, which achieves the goals of passwordless authentication, but does so without the annoyance of requiring employees to continually change and track passwords. According to the abovementioned Ponemon Institute survey, more than half of enterprises in the U.S. are currently unable to go passwordless due to obsolete systems.


Once such organizations update their technology, they’ll be able to make the passwordless switch. Companies that are currently transitioning to more up-to-date software can start with MFA systems before diving fully into passwordless authentication. However, these companies should be careful not to fall into a trap called “MFA splinter,” when companies need to use multiple MFA authenticators because their computer systems aren’t entirely compatible with just one universal MFA solution.


Integrating remote work security standards


The shift to work-from-home operations has brought about new security challenges for organizations, even entire industries, and cybersecurity needs to be top-of-mind. Workers are the most vulnerable part of a remote-work ecosystem, as they’re not necessarily protected by the security safeguards that exist at their workplace offices. Some 36% of remote workers say their cybersecurity habits have worsened since working from home, according to a recent study by Tessian.


Passwordless authentication can help ensure greater levels of remote security in a number of ways. First, these systems completely remove the risk of lost or stolen passwords, which can result in breaches. What’s more, passwordless systems are designed to work seamlessly with with VPNs, VDIs, and cloud resources, the most common ways that employees can log into company accounts from home. Passwordless systems are flexible enough to provide authentication for virtually any modern work-from-home system.


Clearly, the shift to passwordless authentication is not without its challenges, but companies who make the switch will see — almost immediately — significant benefits in improved security, lower costs, and improved user experience.


###