Overcoming user resistance to passwordless authentication

Many organizations agree in theory that passwordless authentication is the future, but getting there represents a significant change management challenge.

The migration to passwordless requires forethought and planning. For example, an organization needs to establish strategic imperatives around security, the user experience, privacy, and compliance. This includes addressing technical requirements and specifications to execute the migration and determining how to measure the project’s success.

But first, the process requires buy-in from all stakeholders—the C-suite, line of business heads and ultimately end users, including customers and partners such as vendors, contractors, and system integrators. One way to accomplish this is by communicating the benefits of passwordless authentication to stakeholders with use cases that illustrate how the friction they currently experience in their day-to-day workflows will be eliminated.

These benefits include:

Single point of authentication: Most enterprises require workers to authenticate themselves in several ways depending on the applications they want to access, which can include logging in via a web browser, federated app, a cloud-based SSO platform—or a legacy SSO—or simply via an on-premises workstation or legacy VPN.

A passwordless platform can replace these siloed mechanisms with a single experience that encompasses both biometric-based identity verification and authentication. During initial on-boarding, the system validates the integrity of the device, captures biometric data (selfie, live selfie, fingerprint, etc.) and can even verify government documents (driver’s license, passport, etc.), which creates a private, reusable digital wallet that is stored in the device TPM / secure enclave.

Easy recovery of credentials: If an access device is lost or stolen, a passwordless platform could provide digital wallet recovery options that minimize the impact on both the user and help desk staff. These can include a 12-word mnemonic phrase, user-provided secret pin, or biometric match.

For legacy systems that an organization can’t or won’t migrate to passwordless, some passwordless platforms use facial matching to reset or change passwords. This eliminates the friction associated with legacy password reset tools that are often targeted by cybercriminals.

Some passwordless authentication platforms even support offline access when internet access is not available or during a server outage. They can also replace physical access tokens – such as building access cards – by allowing users to authenticate via the same digital wallet that provides access to the IT network.

Phishing resistance: Some passwordless platforms bind a user’s identity to their credential, so they are not simply tied to a device. Instead, their authentication is based on a verified identity, which cannot be stolen via phishing attacks. Meanwhile, platforms that offer capabilities such as QR code scanning, push notifications to mobile, FIDO-certified authentication and device biometrics can make phishing-resistance a reality.

Know before you go

When planning a transition to passwordless authentication, several important factors need to be considered:

• Integrating technologies that keep the organization in compliance with privacy regulations such as GDPR need to be part of the planning process, not an afterthought
• The devices used for authentication also need to be validated (to prevent spoofing attacks using counterfeit devices)
• Passwordless should go hand in hand with the adoption of a zero trust framework.

By authenticating users at multiple points of access (rather than just at login) zero trust solutions can establish a stronger security posture and prevent attackers with stolen credentials from moving laterally within the network to access sensitive systems and data. To avoid account compromise attacks using stolen or shared one-time security codes, biometrics that match a live facial expression or voice should be incorporated into the plan for transitioning to passwordless.

The move to passwordless involves a lot of change for both end users and the IT team. By communicating the use cases for passwordless authentication to stakeholders ahead of a migration project as well as the benefits they will provide, an organization can overcome reluctance among users, address their concerns and convince them that it will make their lives easier.