By Kiersten Putnam | Trace3 Senior Innovation Researcher
A major trend our Innovation Team is tracking this year is passwordless. While passwordless techniques may have been around for some time, recent identity cyber-attacks are fueling enterprise adoption of passwordless solutions. Unlike traditional approaches that rely on passwords, passwordless leverages different techniques to improve both security and user experience. However, while the name passwordless intuitively means "without the password", the market can be confusing: there are many different options, and many questions to ask yourself, before committing to go without the password.
This blog will walk through how to narrow in on your use cases for passwordless and where solutions in the market differentiate on their key capabilities.
There are two major incentives for making the switch to passwordless: improving security or enhancing user experience. Organizations with a security-first objective turn to passwordless for eliminating centralized password stores, reducing account takeover and other digital-identity risks, and/or removing the password completely from the infrastructure. In comparison, organizations with a user experience-centric objective are focused more on reducing friction created in the user authentication journey. When going passwordless, it is likely that both motives will play into your decision, but the lens you are looking through will help guide which solutions are right for you.
After narrowing in on the objectives behind the authentication change, it is time to define what passwordless will mean for your organization. There are solutions in the market that create an entirely passwordless flow from the beginning of the user experience, and there are also solutions that take an MFA approach. While the passwordless approach removes the password entirely from the experience, the MFA approach builds on the authentication experience you already have while adding passwordless as an additional factor. This spectrum isn't as black and white as it may seem. There are a lot of options in between, and the right approach will depend on the other factors listed below.
There are three major options when deciding your target consumer: customers, workforce, or both. Determining your target consumer is very important because each consumer group will require different best practices and considerations.
Solutions range from supporting solely customers or workforces to those that have built platforms flexible enough to handle the requirements of both user groups.
The passwordless market can be broken into authenticating based on: something a user has, something a user holds, or something a user does. The chart below lists sample passwordless options in the market.
The incentive behind adopting passwordless (security vs. user experience), along with the consumer (customer vs. workforce), will help determine which method(s) are right for your use case.
Deployment methods are wholly dependent on the type of passwordless method that is selected. Methods for deploying passwordless include end user workstations such as a laptop, leveraging a mobile device to authenticate, or relying on a physical hardware component. Within end user workstations and mobile options, there are specific approaches that are tailored to authenticating through the device itself (e.g., Windows Hello), authentication applications, email systems (e.g., magic links), browsers (e.g., out-of-band authentication), and other methods. As the market continues to mature, it is likely that these methods will continue to expand and integrate across the user journey in new ways.
Each solution crafts its offering around the use cases its target clients are looking to solve. Outside of the passwordless-specific capabilities, some solutions are beginning to expand their offerings to capabilities that complement a passwordless authentication strategy.
Our Innovation team is tracking developments in identity proofing for verifying a user is who they say they are from the start, account management, and signal-first authentication to tailor the user flow based on session risk signals.
Passwordless is a challenging topic, as there are a lot of different considerations and questions to ask before jumping into the conversation around deployment. To get started, our Innovation team recommends leveraging the questions asked above to determine which use case(s) you are looking to tackle and which capabilities may be important to you. If you are interested in having a more in-depth conversation, our Innovation team would be happy to dive into the specifics with you.
Kiersten Putnam is a Senior Innovation Researcher at Trace3. She is passionate about new innovative approaches that challenge traditional processes across the enterprise. As a member of the Innovation Team, she delivers research content on emerging trends and solutions across enterprise cloud, security, data, and infrastructure. When she's not researching, she is either exploring the surrounding areas of Denver, Colorado where she lives, or planning her next trip abroad.