Are you prioritizing passwordless access right now? If so, what are the main reasons behind the initiative, and what's the biggest challenge you've faced?
Interesting point about not prioritizing based on where we're at now. Do you have a time-frame in mind for when passwordless might be ready for prime time adoption? 2021 or longer term?
Not really. Given the priorities of the business and all the things that we have to do to enable those, I can't imagine us even really thinking about this until 2nd half of 2021, and then it would be more checking in to see what is the state of technology then and the ease of integrating it with our existing solutions.
We offer Passwordless already, but gaining user trust is the biggest challenge to overcome. From post-it notes covering cameras, to unwillingness to use some/any apps, to 'cringing' at the idea of the "computer knowing my fingerprint"; the user feedback isn't all positive. It's difficult to garner deep adoption across a large/diverse userbase before trust (in HR, IT, Technology in general) is established. Especially since we encourage (and train) moderate skepticism & security awareness.
On the list
Myself and others within my network are searching for a 'no password' solution that will work across the enterprise (SaaS/AD/device). We are exploring vendors such as BeyondIdentity, Secret Double Octopus, and others. It also looks like Okta and OnePassword already have this available through their SSO/MFA solution and Microsoft is talking a lot about this as well. The challenge is making one of these solutions work across all enterprise applications both SaaS, on-prem and device logins. It looks like these companies are getting closer to a complete solution so I am hopeful.
If your apps support SAML, SSO with Azure + Microsoft Authenticator will deliver Passwordless authentication natively. We use it already, works fine.
Anything to encourage good password management is a boon. Provide users with password managers, encourage OTP MFA, discourage password re-use or password rotation.
We haven't gone to completely passwordless authentication, however for some systems we use it as an extra MFA verification. That is, you have something that you had before and still have, and have the ability to access it because you know the unlock pin / faceID / fingerprint for that device. This is easier to use than an MFA OTP but doesn't completely replace the need for a password. Without them, it's a single point of failure. When the security of our infrastructure and customers' data is at stake, we need more, not less. For non-privileged accounts where the damage is minimal, then yes. Long term we can move to it, but we are still going to insist on multiple authentication, even if each one is passwordless, for many situations.
Thanks Yorick, this question came up as a few CIOs we're working with were wondering about the benefits of doing so relative to the traditional approach. Todd Dekkinga can share more.
This isn't something we are prioritizing right now as we don't think it is ready for prime time. Scaling it out over thousands of users across multiple geographies and worrying about what happens when the biometric reader breaks or someone's email or phone gets hacked isn't something we have the time to focus on right now. However, we are moving forward with things that would make this possible in the future. E.g., single sign on across the majority of our apps, allowing people to use biometrics for local access on their phones and laptops, etc.