
Passwordless strategy: benefits, challenges, and more

Ravi Bindra, CISO

The move to the cloud makes Identity and Access Management (IAM) even more important to security than ever before. Malicious actors keep looking for ways to steal credentials, and password hygiene is increasingly important.

One way to reduce the risk of attacks at the access perimeter is to move toward a passwordless authentication strategy. When there is no password to guess, phish or replay, an entire class of credential attacks simply disappears.

Let’s take a closer look at how your organization can benefit from a passwordless authentication strategy, and the steps you can take to get started.

"Passwordless" – A step in a more secure future?

As organizations increasingly adopt cloud strategies, traditional methods of authentication may not provide the security needed. Threat actors already know that a lot of people reuse passwords, and security teams need to consistently fight the uphill battle of password hygiene.

While passwords have a long history of use, best practices have evolved along the way. Keep reading as we break down the history of password strategies, and what has come from each milestone.

The birth of the password

In the early days of computing, passwords were primarily used to control access to internally networked systems. Computers took up an entire room and sat behind closed, locked doors. There, passwords mainly tracked how much time each user spent on the mainframe; the key to the room was the real authentication control.

The evolution of the authentication process

As desktop computers became the norm for business processes, passwords and authentication needed to evolve. At this point, a password granted access both to a physical device and to the organization's internal network. Computers were still physically connected to the local area network (LAN) by an Ethernet cable, so without wireless connectivity or remote access to the LAN, an attacker had to be inside the building before a password was of any use. The password and the physical perimeter together formed the secure boundary.

The internet (and the cloud) changes everything

In more recent years, wireless connectivity and cloud adoption have changed everything about passwords. A password became a credential that can be used remotely, and therefore a new attack vector: with a stolen password, a threat actor can reach corporate resources from anywhere in the world.

Password strategies became increasingly complex. Now, organizations needed to establish and enforce policies including:

  • Password length
  • A combination of uppercase and lowercase letters
  • Numbers
  • Special characters
  • Password rotation periods

With these new requirements, many people chose passwords that were easy to remember and reused the same password across multiple sites. This undermined the purpose of the policies and gave threat actors an opening: a password leaked from one site could be tried against every other (credential stuffing), and predictable patterns made dictionary attacks effective.

In an attempt to mitigate these new risks, organizations started to adopt multi-factor authentication (MFA), which requires users to present two or more of the following:

  • Something they know (password)
  • Something they have (token, smartphone)
  • Something they are (biometrics)

Unfortunately, malicious actors still find ways around these controls. SMS codes can be intercepted through SIM swapping, and both SMS and app-generated one-time codes can be phished: a real-time proxy placed in front of the genuine login page collects the code from the victim and forwards it to the real site while it is still valid. Any second factor that the user can type into a web page is, in the end, only as strong as the user's ability to recognize a fake page.

The move to passwordless

As threat actors evolve their strategies, businesses need to keep pace and protect digital assets. Thus, the move to passwordless was born. Although it is easy to confuse passwordless with MFA, the two are not the same: passwordless removes the password as a factor and makes "something you have" (a registered device or key, usually unlocked with a local PIN or biometric) the primary way to authenticate into an environment. A well-designed passwordless method is still multi-factor; the factors are simply the device plus its local unlock rather than a password plus a code.

Some examples of passwordless authentication strategies include:

  • One-time password (OTP)
  • One-time link sent via email
  • Persistent cookie
  • Secret PIN
  • SMS or application-generated code
  • Public Key Infrastructure (PKI) personal authentication certificate
  • Biometric authentication

These options are not equally strong. One-time passwords, emailed links, SMS or app-generated codes and PINs are all values a user can be tricked into handing to a phishing page, so they remove the password without removing the phishing risk. A persistent cookie only extends a session that was established by one of the other methods and should not be counted as authentication on its own. Certificate-based (PKI) and FIDO2 credentials instead sign a challenge that is bound to the genuine site, so a look-alike site cannot reuse the response; these are the phishing-resistant options and the ones to prefer.

Introducing passwordless authentication in Microsoft 365

As phishable forms of MFA no longer provide the security assurance that organizations need, Microsoft has added passwordless authentication to its suite of services. Let's take a closer look at how passwordless authentication is integrated into Microsoft 365, and how your organization can use it.

Windows Hello for Business (WHfB)

With WHfB, a user's biometric or PIN credential is tied to a specific device. During enrolment the device generates an asymmetric key pair, protects the private key in its TPM where one is available, and registers the public key with the directory. The PIN or biometric only unlocks that key locally; it is never sent over the network and is useless on any other device, so a PIN captured by an attacker does not by itself grant access to the device or the network. WHfB supports both key-trust and certificate-trust (PKI) deployments and provides single sign-on (SSO) once the user has signed in, which is what makes the experience passwordless.

Microsoft Authenticator App

Many organizations already use the Authenticator app for MFA, and it can also be used for passwordless sign-in. The mechanism is similar to WHfB: the phone holds a device-bound key that the user unlocks with a biometric or PIN. The flow is slightly more involved for users, because Azure Active Directory (Azure AD, now Microsoft Entra ID) first has to locate the registered app instance: the user enters a username, receives a notification on the phone, and confirms by selecting the number shown on the sign-in screen before unlocking the app.

Fast Identity Online (FIDO2) keys

With FIDO2 security keys, users sign in with a hardware authenticator of any make that the tenant's authentication method policy allows, in many cases without typing even a username. Once a key is registered, the user selects the security-key option at sign-in and unlocks the key with a PIN or fingerprint. FIDO2 keys connect over:

  • USB
  • Bluetooth
  • Near-Field Communication (NFC)
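As an added example, not part of the original article and not Microsoft's or SoftwareOne's code, the following Python script contrasts the two classes of factor discussed above: a TOTP code, which a phishing proxy can relay to the real site, and a simplified WebAuthn sign-in, in which the browser scopes the credential to the relying party ID and the relying party checks the origin recorded in clientDataJSON. The relying party name, the two origins, the user name and the HMAC stand-in for the authenticator's ECDSA signature are assumptions made for the demo.

```python
"""Constructed demo: a one-time code survives a phishing relay, a FIDO2/WebAuthn
assertion does not.  Added example, not SoftwareOne's or Microsoft's code.  An
HMAC stands in for the authenticator's ECDSA signature so this runs on the stdlib
alone; real FIDO2 keeps the private key on the device and gives the site only
the public key."""
import base64, hashlib, hmac, json, os, struct

RP_ID = "login.microsoftonline.com"                              # genuine relying party
REAL_ORIGIN = "https://login.microsoftonline.com"
PHISH_ORIGIN = "https://login.microsoftonline.com.evil.example"   # constructed look-alike


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", int(unix_time // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_relay_attack(shared_secret: bytes, now: float) -> bool:
    """Adversary-in-the-middle: the victim types the code into the phishing page
    and the proxy forwards it to the real site a few seconds later."""
    typed_on_phishing_page = totp(shared_secret, now)              # from the victim's app
    return totp(shared_secret, now + 5) == typed_on_phishing_page  # True: relay succeeds


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Stand-in for a FIDO2 key: one credential per RP ID, the key never leaves."""
    def __init__(self):
        self.keys = {}

    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = os.urandom(32)
        return self.keys[rp_id]                 # a real key would return the public key

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        # authenticatorData = SHA-256(rpId) || flags (user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x00"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self.keys[rp_id], signed, hashlib.sha256).digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
                "signature": sig}


def browser_sign_in(auth: Authenticator, page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """The browser, not the page script, checks that the RP ID may be used on this
    origin and writes the true origin into clientDataJSON."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    return auth.get_assertion(rp_id, client_data)


class RelyingParty:
    """The server-side checks from the WebAuthn assertion verification procedure."""
    def __init__(self):
        self.keys, self.pending = {}, {}

    def start_login(self, user: str) -> bytes:
        self.pending[user] = os.urandom(32)     # fresh challenge per attempt
        return self.pending[user]

    def verify(self, user: str, assertion: dict) -> bool:
        challenge = self.pending.pop(user, None)
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or challenge is None:
            return False
        if cd.get("challenge") != b64url(challenge):
            return False                        # replayed or wrong session
        if cd.get("origin") != REAL_ORIGIN:
            return False                        # signed on a look-alike site
        ad = assertion["authenticatorData"]
        if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False                        # credential belongs to another RP
        signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    """Run both scenarios and report which sign-ins the genuine site accepted."""
    rp, auth = RelyingParty(), Authenticator()
    rp.keys["alice"] = auth.register(RP_ID)
    ok_real = rp.verify("alice", browser_sign_in(auth, REAL_ORIGIN, RP_ID, rp.start_login("alice")))
    challenge = rp.start_login("alice")         # phishing proxy relays the real challenge
    try:
        browser_sign_in(auth, PHISH_ORIGIN, RP_ID, challenge)
        browser_refused = False
    except ValueError:
        browser_refused = True
    # Even a client that signs anyway embeds the wrong origin, so the RP rejects it.
    forged = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": PHISH_ORIGIN}).encode()
    ok_phish = rp.verify("alice", auth.get_assertion(RP_ID, forged))
    return {"totp_relayed": otp_relay_attack(b"12345678901234567890", 1_700_000_010),
            "real_origin_ok": ok_real, "browser_refused": browser_refused,
            "phish_origin_ok": ok_phish}
```

Running `demo()` returns `totp_relayed` and `real_origin_ok` as `True`, `browser_refused` as `True` and `phish_origin_ok` as `False`: the TOTP code is a bearer value, so relaying it works, while the WebAuthn flow fails at the browser (the credential is scoped to the RP ID) and, even if a broken client signed anyway, at the server (the origin in clientDataJSON does not match). The TOTP routine is checked against the RFC 6238 test vector; the secret, times and user name are constructed for the demo.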

Benefits and challenges of passwordless authentication strategies

While passwordless strategies offer stronger security and other real benefits, they also bring end-user challenges. Let's examine some popular strategies and the pros and cons of each.

Email

Email is probably the easiest passwordless strategy to implement, and the least expensive. The IT department configures sign-in to send a verification link or code to the user's mailbox, and the strategy is in place.

Despite these benefits, a passwordless email strategy comes at a cost. End-users are often resistant because they need to open another application and wait for the message, and links that arrive late or land in a spam folder generate support calls. More importantly, the mailbox becomes the single point of failure: if attackers phish the email account, every service that signs in through it is compromised too, and the link itself can be relayed through a phishing page like any other one-time value.

Mobile token

Mobile tokens are possibly the most popular option. Like the Microsoft Authenticator app, they provide robust security and remain cost-effective: there is no hardware to purchase, although enrolment, lost-phone recovery and device replacement still need to be planned and supported.

However, for end-users, this requires adding another application to their mobile phone. Additionally, some users find that picking up their device when they need to log in to a resource impacts their daily business activities.

Hardware token

Device-bound and hardware credentials, such as WHfB (with the key protected by the laptop's TPM) or FIDO2 security keys, are the most secure of all the options, because the signed response is bound to the genuine site and cannot be relayed by a phishing page. End-users either already have the device, as with WHfB, or find carrying a token a minor inconvenience.

On the other hand, these are the most expensive passwordless strategies to implement. Not only do organizations need to purchase the hardware, but the IT department also needs to manage administration and continued maintenance. A lost or stolen device must also be treated as a security event: the key still requires its PIN or biometric before it can be used, but the credential should be revoked promptly, and users should register a backup authenticator in advance so that a lost key does not lock them out.

What to avoid when rolling out a passwordless strategy

Although passwordless authentication is rapidly becoming the gold standard, organizations need to take into account several concerns as part of their planning process. For example, every passwordless strategy comes with a direct cost of deployment, but it’s also important to consider the hidden costs. These include:

  • Administration
  • Asset inventory
  • Maintenance

Also, it is important to remember that security solutions only work if end-users adopt them. An organization that fails during the adoption process may quickly find itself back at square one. Pay attention to what your employees need and want from passwordless authentication. Any strong passwordless strategy must include:

  • Ease of use
  • Ability to build into workflows
  • End-user responsibilities

Conclusion: "passwordless" is more secure than it sounds

Security, and more importantly securing access, is increasingly important to a company’s financial and reputational stability. As remote employees use different devices, including personal ones, and with more data moving to the cloud, protecting access and implementing passwordless is a primary security objective.

SoftwareOne’s Managed 365 Security offering enables organizations to design, implement, and maintain best practices for passwordless security. With SoftwareOne’s end-to-end service, organizations can proactively protect and monitor data to protect their Microsoft 365 environment.


Discover passwordless through Microsoft 365

Without a password to hack, employees can enjoy a much safer environment. Learn how your organization can benefit from M365’s latest passwordless features and capabilities, and how SoftwareOne can support.


Author

Ravi Bindra, CISO

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.