Passwordless authentication factors SHALL be used on all platforms that provide them, and employees SHALL be trained in their configuration and use.

The username and password combination is the classic authenticator that most people use for their online accounts. Passwords are also one of the most heavily targeted digital assets. Dozens of attacks exist against them, from brute forcing and offline cracking with rainbow tables to password spraying, credential stuffing with leaked databases and plain phishing. Many of these attacks have a long track record of success and have caused serious harm to individuals and businesses alike. Compromised passwords are often the key to gaining an initial foothold in an organization's digital infrastructure and pivoting to sensitive assets for further compromise.

Multifactor Authentication (MFA) is a mitigation against password attacks. It strengthens the barrier around a user's digital identity by requiring authentication factors from more than one category: something the user knows (a password or PIN), something the user has (a phone, security key or enrolled device) and something the user is (a biometric). Passwordless authentication is a further mitigation and is often paired with MFA for extra security. It eliminates the password entirely in favor of more secure primary authentication factors, which removes the target that most password attacks depend on.

Passwordless authentication options are becoming more widely available. Many identity providers, such as Microsoft Entra ID (formerly Azure AD) and Google Workspace, allow administrators to mandate passwordless authentication organization-wide. Passwordless authentication can also be enabled on individual devices through tools such as Windows Hello.

Biometrics are a popular method for passwordless authentication. Many mobile phones allow users to unlock their devices with a fingerprint, and Windows Hello allows Windows users to sign in with facial recognition. Where available, biometrics are recommended, with one point worth understanding about how they work: on these platforms the biometric never travels to the service being accessed. It is matched locally on the device and, on success, unlocks a cryptographic key held in the device's secure hardware (a TPM or secure enclave). The security gain therefore comes from combining a hard-to-spoof local check with a key that cannot be phished, reused across sites or leaked from a server database, not from the biometric alone.

Another common method of passwordless authentication is the passkey. Consumer websites such as Amazon and eBay now encourage users to set one up, and Google has made a significant push towards passkey sign-in across its services.

A passkey uses public key cryptography to authenticate a user. When a user registers with a website or service, they are prompted to create the passkey, which produces a key pair: a public key, which is stored by the website/service, and a private key, which never leaves the user's authenticator. The authenticator may be the device itself (a phone, or a PC with Windows Hello), a hardware security key, or a password manager that syncs the passkey across the user's devices. Each passkey is bound to the site it was created for, so a passkey for one site cannot be used on another.

From then on, whenever the user signs in, the website sends a random, single-use challenge. The user unlocks their authenticator (typically with a fingerprint, face scan or PIN), the authenticator signs the challenge with the private key, and the website verifies the signature with the stored public key. The private key itself is never transmitted, and because the authenticator will only answer for the site the passkey was registered with, a look-alike phishing site receives nothing it can use. Passkeys may sound complicated when explained, but from the user's point of view signing in is a single unlock gesture, and many users find a passkey easier to manage than a password.

Passwordless authentication is quickly becoming a staple security control. Its resistance to credential theft and phishing makes it desirable for organizations with a lot of online user account activity. In a business environment, it is also easier to deploy and manage passwordless mechanisms than to enforce secure creation and handling of hundreds of passwords. For example, if your business uses Windows PCs on a workgroup or domain network, configure them to sign in with Windows Hello (Windows Hello for Business on domain-joined or Entra-joined devices) rather than passwords. If you have business accounts on major e-commerce or financial websites, switch to passkey authentication where it is offered. For an even stronger strategy, combine passwordless authentication with MFA. Note that a passkey or Windows Hello sign-in already covers two factor categories (possession of the enrolled device plus the biometric or PIN that unlocks it); an additional factor is defense in depth for your most sensitive accounts. For example, you could require employees to authenticate with both a biometric and a One Time Passcode (OTP). When you do, prefer an OTP generated by an authenticator app or a hardware token over one sent by SMS or email, since those delivery channels can be intercepted or phished and would weaken an otherwise phishing-resistant login. Either way, the combination is far more secure than a simple username and password strategy.

Before switching to passwordless authentication, consult senior management and IT staff about the implementation options. Weigh the pros and cons of the different passwordless methods, including how accounts will be recovered when a device is lost or replaced, and choose the one best suited to your business. Follow a phased implementation plan and make sure users are well educated in how to manage their authentication factors.