Passwords are one of the top attack vectors, with a large percentage of cyber attacks enabled through password compromise.
Password-based authentication is no longer fit for purpose. Passwords are costly and difficult to manage, they result in poor user experiences, and they are easily compromised.
This has been widely recognized for some time, but we are finally at the point at which going passwordless is becoming easier due to the development of new authentication standards and personal computing devices capable of creating and storing biometric data locally in secure enclaves such as Trusted Platform Modules (TPMs).
To eliminate passwords, the world must move to passwordless authentication, which is a verification process that determines whether a person or entity is who or what they claim to be without requiring the exchange of a string of characters that can be stolen and abused.
Passwordless authentication is the future because it enables organizations to increase security without adding additional or unnecessary friction to the user experience. In fact, passwordless authentication offers a way of increasing convenience without compromising security and vice versa.
The modern enterprise now has ways of making it easy for employees to authenticate to systems and services by combining the convenience of logging into their devices using facial or fingerprint scanning, and then authenticating to other systems and services using the cryptographic keys securely stored on the device without the need to create passwords, maintain huge databases of passwords or password hashes, and without any password having to travel over any network.
In this way, passwordless authentication is much more secure because it includes multiple factors of authentication, such as biometrics and possession of the device, and there is nothing that can be stolen to enable attackers to hijack legitimate credentials.
The added advantage is ease of use, which is important in improving the end user experience, whether it is for employees or customers. For these reasons, organizations should be investigating what they need to do to go passwordless as soon as possible to offer end users alternative, easier to use, and more secure ways to authenticate.
Passwordless authentication – if you do it right – combines security and convenience, which means you can achieve a higher level of security with a higher level of convenience
— Martin Kuppinger, Principal Analyst at KuppingerCole
Because we understand how important it is to increase security and convenience without compromise, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content in a variety of formats available.
Research
Several Leadership Compass reports touch on passwordless authentication. For an overview of passwordless authentication options, have a look at the recent Leadership Compass on Identity as a Service (IDaaS) - IGA. Passwordless authentication options for consumers, in particular, are covered in the Leadership Compass on Consumer Authentication.
For a wider perspective, with particular reference to the enterprise, have a look at the Leadership Compass on Enterprise Authentication Solutions and the one on Access Management.
If you are looking for some suggestions and recommendations for starting on your passwordless journey as quickly as possible, look at this Leadership Brief on How to Get Rid of Passwords - Today.
Advisories
A key enabler of passwordless authentication is mobile biometrics. For more information on this topic, read this advisory on Mobile Biometrics for Authentication and Authorization.
Audio/video
If you would prefer to listen to what our analysts and other experts have to say on this topic, listen to this conversation recorded at the recent EIC in Munich on How to Combine Security And Convenience or these analyst chats on Getting Rid of the Password and Enterprise Authentication.
In further content about eliminating passwords from this year’s recent EIC, have a look at this session that highlights possible pitfalls and necessary considerations when implementing passwordless FIDO and WebAuthn protocols entitled: FIDO for Developers - How Developers Can Master FIDO and Passwordless Authentication Without Adding Unnecessary Complexity.
Strong and continuous authentication is a fundamental building block of Zero Trust. To find out how you can make it happen without making the user experience miserable, have a look at this EIC session on Going Passwordless and Beyond - The Future of Strong Authentication.
Blogs
As already mentioned, the development of new authentication standards and new products, devices, and services built on those standards is essential to enable enterprises to move away from password-based authentication. For some keen observations on Microsoft’s introduction of passwordless sign-in support for Azure Active Directory suing FIDO2 authentication devices, read this blog post entitled: Passwordless for the Masses.
Webinars
Several webinars have been dedicated to ways of eliminating passwords, such as the webinar entitled: We Need to Talk About Passwords – Urgently! Have a look at the recording of this webinar to see how your passwordless strategy needs to be carefully considered and integrated into existing architecture.
To help you on your journey towards eliminating passwords, have a look at this webinar on The Path to Going Passwordless, and for more insights on how to use Azure Active Directory in these efforts, have a look at: Managing Azure AD – Regardless of How You Use It.
Eliminating passwords is about improving security, but it is also about identity. Both of these things are at the hear of the Zero Trust approach to security. If you would like to find out more about the relationship between passwordless authentication and Zero Trust, have a look at these webinars:
- What Does the Future Hold for Passwordless Authentication and Zero Trust?
- The Passwordless Enterprise: Building A Long-Term Zero Trust Strategy
Whitepapers
Eliminating passwords is also touched on in several whitepapers. For recommendations on how to go about planning to go passwordless, have a look at this whitepaper entitled: Planning for a "Passwordless" future.
For a useful perspective on Identity API Platforms and an overview of the key capabilities of the AuthO platform in terms of going passwordless, have a look at this whitepaper entitled: Do Identity Right - So Your Digital Business Strategy Succeeds.
Tech Investment
Organizations investing in technologies to support going passwordless, can have a look at some of the related technology standard and solutions that we have evaluated: