No need to change your password because there is no password to change
Going passwordless is gaining traction. The best rundowns and my favorite takeaways for teams thinking about or already on the path to passwordless
I go through the RSA Conference’s top-rated sessions each year. This year, one of my favorites was “Going Passwordless for Employees: Secure Modern Authentication at Work” with Accenture’s CISO. Why it matters: “55% of organizations said they had a plan in place to move employees away from passwords [and among] those organizations, 32% said they plan to reduce password reliance in the next year and 54% plan to do so over the next two years.” (Source: Axios)
This talk is one of the best rundowns I’ve come across on the passwordless journey, from how to get budget and support for the project to what the journey will look like, to explaining user experience and technical challenges, and then how to visibly execute the change management. Plus, the best questions were in the Q&A. Below are my three favorite takeaways for teams thinking about or already on the path to passwordless.
1. Start with why (use a visual of authentication tooling matched with phishing resistance)
2. Chart your journey’s route
3. Show progress with consumer-grade experience
1. Start with why
It will take endurance to go passwordless. Start by painting a picture of why this is good: user experience first, then modernization, then security. We know passwordless provides greater phishing resistance, but most senior leadership and the board will not fully understand why this is better than the many MFA tools we already have, including hard tokens, soft tokens, SMS, authenticator apps, etc., and how these combine at different levels of assurance.
Phishing is the bane of our existence, and while for years it may have taken some convincing to get businesses to invest in ever-maturing capabilities to defend against it, in today’s climate the harms are better understood. This slide from Accenture does an excellent job illustrating some of what passwordless MFA can achieve.
While the above slide in the RSA talk is a Microsoft-oriented visual of how different security tooling boosts resistance to phishing, the next view from Daniel Miessler (not in the RSA talk) helpfully breaks down each approach and its resistance level.
🤔 Perhaps when you do your pitch, merge both.
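To make the “why” concrete for that pitch, here is an added illustration (not code from the RSA talk, Accenture, or Miessler) of the check that gives passkey-style passwordless logins their phishing resistance: the browser, not the user, writes the origin it is actually talking to into the signed client data, so the relying party can reject an assertion that was produced on a look-alike domain. A relayed OTP code carries no such origin, which is why the relying party cannot tell it apart from a genuine one. The HMAC “signature” and the shared per-credential secret are stand-ins for the authenticator’s private-key signature and the relying party’s stored public key; the RP ID, origin and domain names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values for the illustration.
RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"


class Authenticator:
    """Models a passkey. HMAC with a per-credential secret stands in for the
    private-key signature a real authenticator produces (assumption)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, browser_origin, challenge):
        # The browser fills in the origin it is connected to; the user cannot edit it.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {
            "clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": hmac.new(self.secret, signed, "sha256").digest(),
        }


def verify_assertion(cred_secret, assertion, expected_challenge):
    """Relying-party side: the subset of WebAuthn checks that defeat relay phishing."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:   # replayed or stale challenge
        return False
    if cd.get("origin") != RP_ORIGIN:               # signed on a look-alike site
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_secret, signed, "sha256").digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def login_attempt(browser_origin):
    """One login where the user's browser sits at browser_origin; returns the RP verdict.
    The challenge is the RP's own, so even a relayed challenge does not help a look-alike."""
    authenticator = Authenticator()
    challenge = secrets.token_urlsafe(32)
    assertion = authenticator.sign(browser_origin, challenge)
    return verify_assertion(authenticator.secret, assertion, challenge)
```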

2. Chart your journey’s route
🤔 What pieces need to be in place?
Consider that your employees will need computers, phones, and devices that support passwordless. Applications will need to integrate with passwordless, be upgraded to passwordless (whether SaaS or on-premise), or be decommissioned in favor of an app that supports it (which then involves the migration of data and users). There will also be applications you don’t even know about, existing or soon to exist, that aren’t in your inventory.
To support this planning, Accenture calls out the move to identity as a service (IDaaS) as an enabler for the move to passwordless.
In this next slide, the speaker explains well what to do about finding and planning for various assets. Some apps cannot move. Some use cases will never support passwordless authentication, or it may take longer to get there.
3. Show Progress
Determine what metrics, measures, and milestones highlight progress along your path to success. Investing in a consumer-grade experience for your employees shows program and change management maturity.
🤔 A nice portal and dashboard go a long way; examples of both are provided in the Accenture deck as well.
Bottom line: The move to passwordless is gaining traction for good reason. It will be complex and different for each company. This talk and Daniel Miessler’s authentication maturity model are good resources to frame your journey. Check out the full talk (especially the Q&A section at the end) and other top talks.
Sources
RSA Conference: Going Passwordless for Employees: Secure Modern Authentication at Work talk
RSA Conference: Review the top-rated sessions for this year and years prior
Daniel Miessler’s CASMM Consumer Authentication Maturity Model
Axios: Passwordless Tech
Lastpass: Combatting Social Engineering in 2024