
Three steps to a successful Passwordless project

Lior Tamir, Product Manager at Spera Security
August 23, 2023

It is well understood that identity-related security issues are the most common cause of breaches today. A key component of identity security is passwords, which unfortunately are susceptible to attacks such as phishing, brute force, and credential stuffing. Why not take passwords out of the equation entirely? Some organizations are embarking on this journey, and I’d like to walk you through the details of the passwordless journey.

Implementing a passwordless approach for an organization's workforce means eliminating the conventional reliance on passwords for user authentication. Instead, employees use something they are (biometric identifiers) or something they have (mobile devices or hardware keys) to securely access systems and data. This transition requires establishing alternative identity verification methods that leverage individuals' distinct attributes or approved devices. While passwordless projects can expand to include devices, applications, infrastructure, etc., many organizations prioritize core requirements: configuration of the IdP, SSO, SaaS apps and cloud infrastructure. Despite the long process, many organizations are banking on passwordless to provide enhanced identity fabric immunity.

If passwordless indeed addresses one of the biggest issues with identity security, why don't all companies adopt it? There are two primary challenges: First, the passwordless solution can be very complex to roll out, requiring insight into one’s identity posture few organizations have. Second, organizations don’t have the insight into the adoption of passwordless solutions by various users and departments to effectively adjust their strategy along the way. These are the most common challenges I hear from CISOs and IAM managers who seek help from Spera Security with their passwordless projects.

In line with the two primary challenges, here are some of the most common passwordless-related issues I’ve heard from organizations:

  1. Regardless of the identity provider (Microsoft, Okta, etc.), the implementation is not trivial and requires deep understanding and planning.
  2. High cost of the hardware and software required to provide physical or biometric authentication factors.
  3. Some legacy systems may require additional passwordless vendor tools to be purchased and deployed.
  4. Training the workforce to change deeply ingrained behavior is difficult.
  5. Lack of visibility into applications makes it hard to track the adoption and usage of the new authentication factors.
  6. Employees fall into several categories: those who use both old and new MFA factors, some who have enabled passwordless and others who have not, all of which create blind spots and posture issues.
  7. Organizations cannot monitor the impact of the passwordless project, nor can they quantify the decrease in risk.

With all these challenges and hurdles, what are the next steps for organizations embarking on the passwordless journey? Here are the steps I recommend to many organizations; they are the same steps Spera Security follows when supporting organizations on such projects.

  1. The first critical step is to partner with a security vendor or service provider to plan the project, estimate the required effort and discover the edge cases.
    Your ‘partner’ should guide you to all the data points needed, such as: how many accounts you have across all your systems, which ones have access to critical systems and may be candidates to start with, and which ones are already enrolled with factors eligible for passwordless. The partnership also helps you consider edge cases such as service accounts, applications without SSO, and unused and orphan accounts. This eventually enables a clean-up before launching the project.
  2. It's critical to have tools in place to monitor the progress.
    You must be able to easily track adoption of optional and mandatory passwordless factors, monitor the actual usage of new and legacy authentication methods, detect failure points in time, and get specific stats such as which groups have moved their access policies to the new ones.
    The ongoing progress, with evidence and reports, should be readily available to leadership and executives.
  3. At the conclusion of the project, you should measure the effectiveness and ROI.
    You must confirm passwordless adoption by new users and validate the enforcement of new access policies on all users. In addition, measure the cost savings and efficiency resulting from the reduction of posture issues present before (such as password rotation, leaked passwords and weak MFA). Having compliance control reports and/or dashboards readily available allows you to quantify how your adherence to compliance standards has increased and to easily share the data with company executives and leaders.
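As an added example (not Spera's code and not any IdP's API), the script below runs over a constructed account inventory and derives the step 1 data points (pilot candidates, service accounts, apps without SSO, orphan accounts) and the step 2/3 adoption metrics that separate enrollment from actual usage; the field names, factor names and 90-day staleness threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Factor names and field names are assumptions, not any IdP's schema.
PASSWORDLESS_FACTORS = {"fido2", "platform_biometric"}
TODAY = date(2023, 8, 23)  # fixed so the constructed sample is reproducible

@dataclass
class Account:
    user: str
    group: str
    factors: set               # enrolled factors
    last_auth_factor: str      # factor used at the most recent sign-in
    last_login: date
    critical_access: bool
    service_account: bool = False
    apps_without_sso: list = field(default_factory=list)

def plan(accounts, stale_days=90):
    """Step 1 data points: pilot candidates plus the edge cases to clean up before launch."""
    return {
        "pilot_candidates": sorted(a.user for a in accounts if a.critical_access
                                   and not a.service_account and a.factors & PASSWORDLESS_FACTORS),
        "service_accounts": sorted(a.user for a in accounts if a.service_account),
        "no_sso_apps": sorted({app for a in accounts for app in a.apps_without_sso}),
        "orphan_or_unused": sorted(a.user for a in accounts
                                   if (TODAY - a.last_login).days > stale_days),
    }

def adoption(accounts):
    """Steps 2 and 3: enrollment vs actual usage per group, human users only."""
    out = {}
    for a in accounts:
        if a.service_account:
            continue
        g = out.setdefault(a.group, {"users": 0, "enrolled": 0, "using": 0, "legacy_use": 0})
        g["users"] += 1
        g["enrolled"] += bool(a.factors & PASSWORDLESS_FACTORS)
        g["using"] += a.last_auth_factor in PASSWORDLESS_FACTORS  # enrolled != used
        g["legacy_use"] += a.last_auth_factor not in PASSWORDLESS_FACTORS
    return out

# Constructed sample inventory, not real data.
SAMPLE = [
    Account("alice", "finance", {"password", "fido2"}, "fido2", date(2023, 8, 20), True),
    Account("bob", "finance", {"password", "totp"}, "totp", date(2023, 8, 1), True),
    Account("carol", "eng", {"password", "platform_biometric"}, "password", date(2023, 8, 22), False, apps_without_sso=["legacy-crm"]),
    Account("dave", "eng", {"password"}, "password", date(2023, 2, 1), False),
    Account("svc-backup", "infra", {"password"}, "password", date(2023, 8, 23), True, service_account=True),
]
```

Note that carol is enrolled in a passwordless factor but still signed in with a password, which is exactly the "enrolled but not using" gap the monitoring step is meant to surface.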

As I partner with CISOs and IAM teams who are deploying Spera Security, it's obvious they are gaining, for the first time, comprehensive visibility into and context for their identity program, including identity providers, SaaS applications, cloud providers and beyond. Speaking from real-world experience, many of our customers have found that such visibility and actionable context are game-changers for IAM projects, including passwordless. If you’re strategizing or implementing identity security projects, contact me for a discussion on how you can leverage our experience.
