
Nicole Ibarra, July 18, 2019

Passwordless Authentication

Part 1


As we get closer to the 60th anniversary of the digital password, the calls to ditch the antiquated technology are getting louder and more widespread.

There is an industry-wide consensus that it is time to move away from passwords and on to more convenient, secure, and modern authentication options. However, few organizations are actually taking the plunge due to the perception that making the transition to passwordless is nearly impossible. Though we agree that the process can be difficult at times, we have laid out an easy-to-follow, step-by-step process to help your organization leave the password behind and embrace a passwordless world.

Step 1: Evangelization

Every organization has its unique culture and complexity, and often the first hurdle to making any significant change—like moving to passwordless authentication—is cultural. As such, it is critical to send the correct message about the transition to stakeholders, keeping in mind that some users will be interested in technical and security issues, while the majority will be looking for convenience and efficiency.

Some of the main benefits of passwordless authentication that can help sell it to stakeholders are:

  • Faster sign-in times.
  • No need to remember passwords for logins or transactions.
  • Increased security.

The most important thing to remember is that this is a cultural change, and you must evangelize the benefits that can come from leaving the password behind.

Step 2: Evaluation

The next step in the passwordless process is arguably the most important: deciding how the implementation will look once it is complete. When evaluating which authentication factors and methods work best for your organization, think about the workflow and user experience that you want to offer. Ask yourself these questions:

  • Do my end users have smartphones? If so, think about mobile authentication methods such as push notifications and biometrics.
  • Do my end users have constant access to the internet? If not, consider factors such as Soft OTPs.
  • Do my end users’ mobile phones support biometrics? If so, biometrics can serve as a built-in factor.
  • Do my end users use passwordless authentication for other applications? If they are familiar with QR code authentication from WhatsApp Web, push notifications from Google, or many others, that familiarity can help ease end-user adoption of the technology.
  • What user experience do I want to offer? Will I always ask for second-factor authentication or will I use another technology to identify risky logins and transactions?

Experience in this context refers to the flow that users must go through as well as the external environmental factors that are present. Getting to know your end users is critical and necessary before moving on to the next step.

Step 3: Define a Strategy

Passwordless authentication does not mean abandoning your multi-factor strategy; in fact, it is an evolution of that strategy based on decades of proof that the password is simply insecure. Realigning your authentication to ensure that no passwords are involved requires a deep dive into the pros and cons of alternate authentication factors, such as push, biometrics, QR codes, and more. In our next post for The Unofficial Guide series, we will lay out the benefits and downsides for a variety of factors.

Step 4: Start Small

Start off with a small, defined population to serve as the first adopters of a passwordless authentication strategy. Work closely with this group to identify any possible problems or inconveniences.

Step 5: Measure

As with any new technology initiative, it is important to track change and progress to ensure that you are immediately aware of any user adoption issues. Some of the most useful metrics include:

  • Number of authentications
  • Factors used
  • Failed authentications

For example, if your authentication failure rate dramatically increases after implementing a new passwordless strategy, there may be something awry on the technical side or more user training may be necessary. Take advantage of the initial small, controlled user populations to communicate closely and take any necessary mitigating actions.
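One way to track the three metrics above and catch a jump in the failure rate during the pilot, as an added example that is not part of the original post. The event tuples, the `baseline`/`pilot` labels, the 10-point threshold and the minimum sample size are assumptions chosen for illustration.

```python
from collections import Counter

def make(period, factor, ok, failed):
    """Build constructed sample events as (period, factor, success) tuples."""
    return [(period, factor, True)] * ok + [(period, factor, False)] * failed

# Constructed data: a password-era baseline and a passwordless pilot group.
EVENTS = (make("baseline", "password+otp", 9, 1) + make("pilot", "push", 5, 1)
          + make("pilot", "biometric", 4, 0) + make("pilot", "qr", 2, 3))

def summarize(events):
    """Per period: number of authentications, factors used, failed authentications."""
    out = {}
    for period, factor, success in events:
        m = out.setdefault(period, {"total": 0, "failed": 0,
                                    "factors": Counter(), "failed_by_factor": Counter()})
        m["total"] += 1
        m["factors"][factor] += 1
        if not success:
            m["failed"] += 1
            m["failed_by_factor"][factor] += 1
    return out

def failure_rate_alerts(summary, max_increase=0.10, min_events=5):
    """Flag pilot failure rates more than max_increase above the baseline rate.

    max_increase and min_events are assumed values; tune them to your population.
    """
    base = summary["baseline"]["failed"] / summary["baseline"]["total"]
    pilot = summary["pilot"]
    alerts = []
    overall = pilot["failed"] / pilot["total"]
    if overall - base > max_increase:
        alerts.append(("overall", round(overall, 3)))
    for factor in sorted(pilot["factors"]):
        n = pilot["factors"][factor]
        if n < min_events:   # too few attempts to judge this factor yet
            continue
        rate = pilot["failed_by_factor"][factor] / n
        if rate - base > max_increase:
            alerts.append((factor, round(rate, 3)))
    return alerts

if __name__ == "__main__":
    print(failure_rate_alerts(summarize(EVENTS)))
```

In the constructed data the QR factor accounts for most of the increase, which points to a factor-specific problem rather than one affecting the whole pilot population.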

Step 6: Receive Feedback

Create a designated channel through which users can easily send feedback on the authentication experience.

Step 7: Go to Production

After you have received sufficient feedback from the population defined in step 4 and are confident that they are satisfied with the authentication methods, you are ready to add more populations or go into full, organization-wide production. Continue with steps 5 and 6, measuring and receiving feedback, to continuously ensure that your end users are happy and secure.

In part two of The Unofficial Guide to Passwordless Authentication series, we will discuss a variety of authentication factors and which use cases they are able to serve best.
