Innovations in cybersecurity have typically taken hold on the business side before making their way to consumers as controls gained broad acceptance. However, with passwordless multi-factor authentication, or MFA, the script is flipped.
Consumers have grown accustomed to logging in to the latest Apple device and web application using biometrics — fingerprint, voice, or facial scanners — instead of typing in passwords that can be lost, forgotten, or stolen. They have embraced the idea of stronger security and a more seamless digital experience by ditching the password and using passwordless authentication.
"Where's my passwordless MFA?"
Now, internal employees, contractors, and stakeholders (collectively known as workforce users) are asking the same question: "Where's my passwordless MFA?"
We recently met with Secret Double Octopus (SDO), a leader in workforce passwordless MFA and a collaboration partner in the ForgeRock Enterprise Connect Passwordless solution. We set out to explore this question and outline a realistic path to secure, frictionless passwordless MFA for the workforce. Our discussion revealed that the roadblocks for workforce users have stemmed from three common perceptions — or misperceptions — about passwordless MFA:
- The password policy/2FA/MFA we already have is "good enough"
- Passwordless MFA isn't ready for the workforce
- The change to get there won't be worth the effort
The "good enough" paradox
Many organizations operate with passwords and some MFA for high-value applications. However, Verizon estimates that phishing and compromised credentials still factor into 85% of security breaches. These attacks include modern, highly automated ransomware, account takeover (ATO), and business email compromise (BEC), and often target crown-jewel assets. In other words, the password approach is not even close to "good enough."
New regulations, security frameworks, and cyber insurance all place a premium on stopping phishing. Businesses continue to invest in education, monitoring and detection, endpoint protection, and cloud security. But most look to MFA and user education to stop the relentless exploitation of user credentials.
While MFA supplements vulnerable passwords, cybercriminals continue to develop sophisticated workarounds like advanced man-in-the-middle (MiTM) and MFA prompt bombing or "MFA fatigue" attacks that target authentication itself. Modern passwordless methods solve the problem at the source by taking away attackers' ability to exploit passwords or phish users.
But stronger security is just one part of passwordless MFA's compelling value proposition. Many organizations are lulled into thinking their current MFA is good enough, but it won't pass security or regulatory muster, and it will continue to frustrate and perplex users.
Securing a better user experience
At the top of many executives' priority list is improving their organizations' security posture, but some place equal or greater importance on improving user experience (UX). Passwords represent a huge hassle for all involved, as employees and help desk technicians waste cycles setting, resetting, and rotating passwords, and improving cyber hygiene.
Horacio Zambrano, CMO at Secret Double Octopus (SDO), says passwordless MFA delivers greater speed and flexibility. "Ideally, you want to deliver a simple, universal login experience that strengthens security and takes the burden of managing passwords away from users," Zambrano says. He noted that "MFA sprawl" — using multiple login screens, devices, and workflows — compounds user frustration. "We all have our phones with us all the time, so using them to authenticate makes great sense. If you can use the same app for everything and eliminate having to remember different passwords for the desktop, VPN access, and web applications, it's a big win. A universal experience with biometrics, and fast, ubiquitous connectivity from a mobile device is as modern as it gets."
Though there may be resistance at first, consumers and employees will flock to solutions that secure their digital identity and data — so long as it's easy. "Change is hard and there's always concern about user inertia," Zambrano says. "But once users experience passwordless and see how it makes their lives easier, they typically love the simplicity."
Passwordless offers exponentially greater business value
ForgeRock Enterprise Connect Passwordless integrates SDO's Octopus platform for passwordless MFA to deliver a greater return on investment (ROI) than traditional MFA methods that rely on passwords. "Organizations can 'buy down' cyber-risk by stopping phishing — and the disruptive breaches that follow — while meeting new compliance mandates and possibly lowering cyber insurance premiums," says Fred Kost, VP of Product and Solutions Marketing at ForgeRock.
Getting rid of passwords eliminates a huge portion of annual help desk calls, each of which costs companies $70 or more on average. When all is said and done, SDO estimates the transition saves organizations nearly $2M within two years of implementing passwordless MFA.
It has the added benefit of reducing administration costs and relieving the burden on IT.
Passwordless MFA delivers the rare trifecta — less risk, less cost, less effort — so why isn't every business doing it already? Where the budget is already earmarked for MFA, the hesitation centers around the second misconception about modern MFA.
"Is passwordless ready for workforce primetime?"
Doing away with passwords effectively takes the phish out of the sea by replacing shared secrets with cryptographically strong authentication. But in order to achieve phishing resistance, organizations must be able to upgrade all or most applications to support passwordless, something those in IT generally don't consider feasible. Skeptics continue to question whether passwordless MFA can prove to be robust enough for workforce authentication.
To keep semantics from clouding the benefits, SDO defines passwordless MFA as:
Authentication that works for all workforce applications — on-premises, remote, and in the cloud — without requiring users to set, remember, or reset passwords ever again.
The Octopus platform decouples user authentication from backend identity management to enable comprehensive coverage for workforce use cases. The decoupling allows companies to extend a safe passwordless authentication experience to users of any application, including password-centric legacy and custom solutions, without having to retool those apps and directories.
"ForgeRock and SDO give customers the ability to roll out passwordless MFA to any workforce application quickly without retooling applications or disrupting identity infrastructures," says Kost. "Digital identity managers can make changes at any time with a non-technical staff, so you're not always having to involve developers and coders."
The integrated ForgeRock/SDO approach immediately improves security by virtue of fast, easy onboarding, with IT free to modernize the backend identity infrastructure at its optimal pace. Even with a win-win value proposition for employees and IT, it can be hard to navigate change.
"How much, how soon?"
Passwordless MFA delivers on ROI — less risk with less effort at less cost — leading some progressive enterprises to become early adopters. Once the passwordless MFA champion in your organization gains support for the project, the question becomes, "Where do we start?"
Though not always easy, answering this question produces valuable insight into priorities:
- Should you start with high-profile users likely to be targeted by spear-phishing or "whaling" attacks?
- Should you start with remote workers and VPN users authenticating via the open internet?
- Or should you start with the group that, for whatever reason, requires inordinate support to reset and rotate their passwords? Or the one that requires detailed auditing to solidify compliance?
There may be no one right answer, but there is at least one solid best practice to follow: don't tackle too much too soon.
"The implementation of passwordless login doesn't need to happen all at once; it can be something you roll out over time and get there incrementally," says Kost.
For example, the first phase might include entering a username and having that trigger a prompt for passwordless authentication that helps users become accustomed to logging in using biometrics. The next step might be taking the username and password out of the user workflow, and the final stage getting rid of passwords completely.
"The greatest successes we see are when customers choose one or two applications to start with and get those done within the first year," says Kost. "Where we see projects go sideways is when companies try to do something for everybody all at once and the whole project gets derailed. Initially, we advise taking things in bite-size increments."
Security, simplicity, and savings — in time to meet new mandates
Together, ForgeRock and SDO deliver enterprise-class security with consumer-grade simplicity. The combination may be the key to surviving pressure from cybercriminals and regulators alike.
"We're already seeing Zero Trust mandates from the Biden administration and other governments worldwide specifically calling for phishing-resistant MFA," SDO's Zambrano says. "It's only a matter of time before most if not all security standards and frameworks do the same and acknowledge that phishing-resistance requires a passwordless approach to authentication."
ForgeRock's Kost concurs. "Companies that upgrade now or go directly to passwordless will be lightyears ahead of the game compliance-wise. More importantly, they'll be far less likely to get hit with ransomware and other attacks that put data at risk and companies out of business."
Join us for a webinar with KuppingerCole
Register today for Passwordless Authentication: What, Why, and How to learn how to successfully implement passwordless in your organization.
