Nicole Ibarra, July 18, 2019
As we get closer to the 60th anniversary of the digital password, the calls to ditch the antiquated technology are getting louder and more widespread.
There is an industry-wide consensus that it is time to move away from passwords and on to more convenient, secure, and modern authentication options. However, few organizations are actually taking the plunge, because of the perception that making the transition to passwordless is nearly impossible. Though we agree that the process can be difficult at times, we have laid out an easy-to-follow, step-by-step process to help your organization leave the password behind and embrace a passwordless world.
Step 1: Evangelization
Every organization has its unique culture and complexity, and often the first hurdle to making any significant change—like moving to passwordless authentication—is cultural. As such, it is critical to send the correct message about the transition to stakeholders, keeping in mind that some users will be interested in technical and security issues, while the majority will be looking for convenience and efficiency.
Some of the main benefits of passwordless authentication that can help sell it to stakeholders are:
- Faster sign-in times.
- No need to remember passwords for logins or transactions.
- Increased security.
The most important thing to remember is that this is a cultural change, and you must evangelize the benefits that can come from leaving the password behind.
Step 2: Evaluation
The next step in the passwordless process is arguably the most important: deciding how the implementation will look once it is complete. When evaluating which authentication factors and methods work best for your organization, think about the workflow and user experience that you want to offer. Ask yourself these questions:
- Do my end users have smartphones? If so, think about mobile authentication methods such as push notifications and biometrics.
- Do my end users have constant access to the internet? If not, consider factors such as Soft OTPs.
- Do my end users’ mobile phones support biometrics? If so, biometrics can serve as a built-in factor.
- Do my end users use passwordless authentication for other applications? If they are familiar with QR code authentication from WhatsApp Web, Push notifications from Google, or many others, it can help ease end user adoption of the technology.
- What user experience do I want to offer? Will I always ask for second-factor authentication or will I use another technology to identify risky logins and transactions?
Experience in this context refers to the flow that users must go through as well as the external environmental factors that are present. Getting to know your end users is critical and necessary before moving on to the next step.
Step 3: Define a Strategy
Passwordless authentication does not mean abandoning your multi-factor strategy; in fact, it is an evolution of that strategy based on decades of proof that the password is simply insecure. Realigning your authentication to ensure that no passwords are involved requires a deep dive into the pros and cons of alternate authentication factors, such as push, biometrics, QR codes, and more. In our next post for The Unofficial Guide series, we will lay out the benefits and downsides for a variety of factors.
Step 4: Start Small
Start off with a small, defined population to serve as the first adopters of a passwordless authentication strategy. Work closely with this group to identify any possible problems or inconveniences.
Step 5: Measure
As with any new technology initiative, it is important to track change and progress to ensure that you are immediately aware of any user adoption issues. Some of the most useful metrics include:
- Number of authentications
- Factors used
- Failed authentications
For example, if your authentication failure rate dramatically increases after implementing a new passwordless strategy, there may be something awry on the technical side or more user training may be necessary. Take advantage of the initial small, controlled user populations to communicate closely and take any necessary mitigating actions.
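As an added illustration of the metrics above (not code from the original post), the following script computes authentication counts, factors used, and failure rates for a pilot population, and flags any factor whose failure rate has risen well above the pre-pilot baseline. The event tuples and the 10-point threshold are constructed assumptions; in practice the events would come from your authentication logs.

```python
from collections import defaultdict

# Constructed sample events from the pilot population (not real logs).
# Each tuple is (user, factor, outcome).
PILOT_EVENTS = [
    ("alice", "push", "success"),
    ("alice", "push", "success"),
    ("bob", "push", "success"),
    ("bob", "push", "failure"),
    ("carol", "biometric", "success"),
    ("carol", "biometric", "failure"),
    ("dave", "biometric", "failure"),
    ("dave", "biometric", "failure"),
    ("erin", "soft_otp", "success"),
    ("erin", "soft_otp", "success"),
]

# Constructed baseline: the same users' password sign-ins before the pilot.
BASELINE_EVENTS = [
    ("alice", "password", "success"),
    ("bob", "password", "success"),
    ("carol", "password", "failure"),
    ("dave", "password", "success"),
    ("erin", "password", "success"),
]


def factor_metrics(events):
    """Per factor: total authentications, distinct users, failures, failure rate."""
    totals, failures, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for user, factor, outcome in events:
        totals[factor] += 1
        users[factor].add(user)
        if outcome == "failure":
            failures[factor] += 1
    return {
        f: {"total": totals[f], "users": len(users[f]), "failed": failures[f],
            "failure_rate": failures[f] / totals[f]}
        for f in totals
    }


def overall_failure_rate(events):
    """Share of all attempts that failed, regardless of factor."""
    return sum(1 for _, _, outcome in events if outcome == "failure") / len(events)


def factors_needing_attention(pilot, baseline, max_increase=0.10):
    """Factors whose pilot failure rate exceeds the baseline rate by more than max_increase."""
    base = overall_failure_rate(baseline)
    return sorted(f for f, m in factor_metrics(pilot).items()
                  if m["failure_rate"] - base > max_increase)
```

A factor returned by factors_needing_attention is the cue the post describes: either a technical problem with that method or a need for more user training in the pilot group.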
Step 6: Receive Feedback
Create a designated channel through which users can easily send feedback on the authentication experience.
Step 7: Go to Production
After you have received sufficient feedback from the population defined in step 4 and are confident that they are satisfied with the authentication methods, you are ready to add more populations or go into full, organization-wide production. Continue with steps 5 and 6, measuring and receiving feedback, to continuously ensure that your end users are happy and secure.
In part two of The Unofficial Guide to Passwordless Authentication series, we will discuss a variety of authentication factors and which use cases they are able to serve best.