Strong MFA: The First Stop on the Path to Passwordless

By Andrew Hickey, Director of Content at Duo

Strong MFA: The First Stop on the Path to Passwordless

Passwords, the antiquated security mechanism in place since the 1960’s, have since their inception caused user and administrative frustration due to their complexity and frequent resets. As technology has evolved, there is a strong desire to move away from the use of passwords, but it’s not as if we’re going to wake up tomorrow morning and – POOF! – we never need passwords again.

We have too many apps; too many accounts; too much complexity.

Yes, there will eventually come a day when passwords are just a pesky thing of the past. And businesses are currently evaluating a good place to start their journey in preparation for a passwordless reality.

Gartner predicts that by 2022 60% of large and global enterprises and 90% of midsize enterprises will implement passwordless methods in more than 50% of use cases. Right now many are evaluating what adopting passwordless, sometimes referred to as “modern authentication,” means and where to start.

As with any major technology shift and architectural change, the journey toward a passwordless environment should be a phased approach, with a handful of stops along the way; and based on your environment there may be some twist and turns too.

To help organizations prepare for passwordless, today we published a new white paper “Passwordless: The Future of Authentication.” The paper, written by Duo Advisory CISO J. Wolfgang Goerlich, examines how digital transformation is prompting a shift toward passwordless authentication and its business benefits, while laying out a five-step phased approach to realizing passwordless authentication.

“Sixty years after adopting the password as the primary authentication factor, we’re at a unique moment in history, where we can both improve the user experience and increase the security posture,” Wolfgang says. “Passwordless provides a strategic opportunity to get users excited, and this latest white paper shows how to move security programs forward.”

Passwordless vs. Less Passwords

Since passwordless doesn’t happen with the snap of a finger – think about it, the average business user must keep track of 191 passwords, we’re not going to eliminate them in one fell swoop – it’s important to start by using less passwords, as in reducing your reliance on passwords.

One way to start moving toward passwordless practices and to lower the risk of credential theft is by identifying and selecting specific use cases for passwordless in your organization. Next, rank these use cases based on user experience, IT time and costs and security and compliance risks. From there, group them by applicable passwordless solutions – or you may end up with a series of point products. Once ready, you can create an implementation plan for areas that will have the biggest impact and have the shortest time to value.

This sets the stage for more pervasive passwordless authentication within your organization.

Strong Authentication

The point at which users are accessing applications is a practical starting place for an organization’s passwordless journey. If we are getting rid of the password, we need to make sure that we have mechanisms in place to verify trust in the user, passwordless doesn’t mean no authentication but strong, secure authentication with less friction.

This is where multi-factor authentication (MFA) truly shines.

Implementing strong MFA for secure access to all applications – cloud, on-premises, hybrid – offers broad security coverage and allows you to reduce your reliance on passwords while letting you modify password policies to require less frequent resets. This combines to alleviate help desk burden and costs, and ultimately quell user frustration.

With MFA, you can eliminate the risk of using passwords as the single form of user authentication and reduce the risk of credential theft by requiring a second method of identity verification that cannot be easily stolen remotely by an attacker – and let’s face it, passwords have proven themselves pretty easy to steal. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), more than 80% of hacking breaches involve brute force or the use of lost or stolen passwords.

MFA opens the door for additional authentication methods – whether it’s through biometrics, security keys, mobile devices and more. MFA, in many cases, can take the day-to-day use of passwords out of the equation.

Simply put, MFA provides more factors. More factors provide more choices for verifying identity. In the future, these alternatives enable security leaders to carefully calibrate authentication to balance ease of use and strength of security.

Read more about the path to passwordless in our passwordless blog series.