You’ve seen the stats, and one thing is clear: passwords have to go.
- 80% of hacking-related breaches that “leverage stolen and/or weak passwords” are caused by compromised passwords, per the 2019 Verizon Data Breach Incident Report.
- Google found that 65% of people reuse passwords across accounts.
- 2.7B email/password pairs were exposed in the Collection 1 breach alone – and that was just the start.
Which is why it seems like every tech company in the authentication business is talking about passwordless – present company included.
But despite the hype, only a few vendors have a passwordless solution available for deployment today, and even fewer have a truly secure passwordless solution.
So, if deploying passwordless authentication is on your to-do list – and we strongly suggest it is – here’s what you need to know:
- First and foremost, focus on security. Look for a PKI-based passwordless solution that securely verifies the credential holder is the credential owner.
- Avoid vendor lock-in. Ensure your passwordless SSO solution works not only with Macs and PCs supporting BYOD, but also with cloud and on-prem applications. This will help you avoid costly hardware upgrades and replacements, not to mention user frustration.
- Go mobile, just like your users. For most vendors, ‘mobile’ means simply sending push notifications to users’ mobile devices. Look for a solution that embraces mobile as the new desktop with a broad range of authentication options, such as the ability to use NFC or Bluetooth to automatically unlock/lock workstations based on proximity, and a mobile smart credential that transforms a user’s mobile phone into a virtual smart card for authentication, encryption, digital signing, and enterprise mobility management (EMM) integration purposes.
- Deliver secure access anywhere, anytime – a must in today’s workplace. Limiting employee access to a few pre-approved devices will adversely impact employee productivity, frustrate users, and compromise compliance.
- Create a frictionless experience for all workers – remote, mobile, and in-office. Look for a passwordless solution that authenticates the user, not just the device, with one-time user registration. This eliminates the time-consuming process of registering credentials device-by-device and app-by-app – which will improve productivity and satisfaction for all users.
- Select a platform that can support all of your use cases today and tomorrow – file encryption, digital document signing, hot desking and more. Similarly, you don’t want one passwordless solution for email and another for document signing.
- Cloud or on-prem? Make the right choice for you. Cloud is hot, but does it meet your needs? Make the right passwordless decision for your organization.
- Choose a vendor with no hidden agenda. When a vendor offers to toss in a few free passwordless licenses if you move your data to their cloud, beware! There’s no such thing as a free lunch.
- Check your vendor’s credentials. Are their derived PIV solutions approved for use by government authorities, like the US federal government? Do they comply with FIDO2?
Simply put, there is more to passwordless authentication than just removing the password – from security and configuration to the experience you deliver your users. Do your homework and choose the right solution for your organization.
Learn more about passwordless authentication solutions from Entrust.