Should You Implement Passwordless Authentication?

Passwordless authentication is an emerging concept in IT security. It is a way to overcome the shortcomings of traditional passwords while still protecting your systems. As a newer technology, it might help you reach your security goals. Discover what exactly passwordless authentication can do for your security and identify the challenges that come with it.

Why Is Passwordless Authentication Significant?

Passwordless authentication represents a potential way to overcome problems associated with passwords. According to Microsoft, “Forrester Research estimates large organizations spend up to $1 million per year on staffing and infrastructure to reset passwords.” Your company might be used to paying those expenses, but passwordless authentication might give you a lower-cost alternative.

The other reason why passwordless authentication matters is that it reduces the burden on your employees. Unfortunately, many people struggle to memorize high-quality passwords. Becker Hospital Research recently found that the four most popular passwords are as follows:

●  123456

●  123456789

●  qwerty

●  password

Such passwords are sequences of characters that appear next to each other on standard U.S. English keyboards. In other words, these popular passwords appear to be chosen solely for convenience rather than security. If your employees are using weak passwords, then passwordless authentication might be appealing.

The Challenge With Passwordless Authentication

While passwordless authentication has benefits, it might not be right for your company. First of all, you might have a large set of cloud software tools in place. In those cases, such tools may still use standard usernames and passwords. Asking those third parties to switch to passwordless authentication may not be practical. In other cases, your company may not have the appetite to replace password technology.

Given these challenges, you might feel frustrated about your password situation. If passwordless authentication is not a good fit for your company right now, you need alternatives. To inspire you, review this list of six project ideas to boost IT security.

Six Ways To Improve Your IT Security Without Passwordless Authentication

These practical cybersecurity improvement ideas don’t require complex or unproven technology. Instead, you need to apply discipline and consistent execution to tighten your defenses.

1. Improve Your Password Policy

Open your password policy and review the document. If the document is more than one year old, your password policy may be due for review. There are a few ways to make your password policy more effective. Start by looking for technical IT security jargon in the document. Using complicated terms in your password policy makes it less likely that employees will understand password requirements.

Further, you can transform your password policy to make it more effective in other ways. Start by giving employees advice: Tell them about high-risk behaviors that must be avoided. For instance, you might warn employees against writing down passwords in paper notebooks. Alternatively, you might caution employees against using dictionary words in their passwords. These types of precautions will make it more likely that employee password practices will improve over time.

2. Offer Memorable Employee Password Training

Aside from IT security professionals, most of your staff do not think much about passwords or security. That’s the reality you have to face. Therefore, your approach to inspiring employees to manage passwords well requires that you offer quality training. Your password training needs to be memorable.

To improve the quality of your IT security training, study psychology best practices. “Made to Stick: Why Some Ideas Survive, and Others Die” by Chip Heath and Dan Heath is a fantastic resource to use. Imagine the possibilities of training employees once on clear IT security principles.

3. Use Multi-Factor Authentication (MFA) More Consistently

If you look closely at the details, some passwordless authentication methodologies are little more than multi-factor authentication. In that case, take a closer look at how exactly your company implemented multi-factor authentication. Check how often MFA is used in your company. You might find that few people are using it. In that case, you can boost your security protections by increasing MFA usage.

To achieve the most significant benefit, consider requiring all employees to use multi-factor authentication. By making MFA universal, you can make up for poor-quality passwords. If your executives do not support mandating MFA, start an awareness campaign to encourage employees to use MFA more frequently.

4. Use Virtual Private Network (VPN) Security

Companies with remote employees need to have VPN security in place. It is a core best practice to maintain security when employees do not have an office’s physical security protection.

5. Eliminate Inactive User Accounts

Picture the following scenario. A handful of former employees lose track of their passwords when they throw out old papers. In those cases, your company’s security might be at risk. Fortunately, there is a simple way to reduce the security risk associated with former employees. The better approach is to remove access from inactive user accounts. For more insight on this critical security practice, review our article: Stopping Inactive User Account Risk Fast.
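As an added illustration of items 3 and 5 (not code from the original article), the following Python example audits an exported account list for MFA coverage and inactive accounts. The CSV column names, the sample rows and the 90-day inactivity threshold are assumptions made for this example; adapt them to whatever your identity provider exports.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Column names are assumptions for this example.
SAMPLE_EXPORT = """username,status,mfa_enrolled,last_login
alice,active,yes,2024-05-28
bob,active,no,2024-05-30
carol,active,yes,2023-11-02
dave,active,no,
erin,disabled,no,2022-01-15
"""


def audit_accounts(export_text, today, max_idle_days=90):
    """Report MFA coverage and inactive accounts among enabled accounts."""
    cutoff = today - timedelta(days=max_idle_days)
    enabled, without_mfa, inactive = 0, [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() != "active":
            continue  # already disabled, so there is no access left to remove
        enabled += 1
        user = row["username"].strip()
        if row["mfa_enrolled"].strip().lower() != "yes":
            without_mfa.append(user)
        last_login = row["last_login"].strip()
        # An enabled account that has never logged in counts as inactive.
        if not last_login or date.fromisoformat(last_login) < cutoff:
            inactive.append(user)
    return {
        "enabled": enabled,
        "mfa_coverage": (enabled - len(without_mfa)) / enabled if enabled else 0.0,
        "without_mfa": without_mfa,
        "inactive": inactive,
        # Idle accounts protected only by a password are reviewed first.
        "inactive_without_mfa": [u for u in inactive if u in without_mfa],
    }


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT, today=date(2024, 6, 1))
    print(f"MFA coverage: {report['mfa_coverage']:.0%} of {report['enabled']} enabled accounts")
    print("No MFA:", ", ".join(report["without_mfa"]))
    print("Inactive, review for removal:", ", ".join(report["inactive"]))
    print("Inactive and no MFA:", ", ".join(report["inactive_without_mfa"]))
```

Run it on a schedule and track the coverage figure and the inactive list over time; a shrinking list shows the cleanup is actually happening.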

6. Request An External Review of Your IT Security Assessment

In IT security, it is easy to develop blind spots over time. Whether it is a wireless network configuration from three years ago or an old password policy, you may fail to notice these gaps as you focus on other issues. Fixing these problems is easier when you get an outside perspective. Specifically, consider hiring an IT security consultant to review your security arrangements. At the end of the engagement, you can expect to receive a report with recommendations to address. Use this report to fix critical gaps even if you are not interested in passwordless authentication.

What To Read Next For Cost-Effective IT Security

While IT security matters, you do not have an unlimited budget. Rather than face budget cuts and criticism, look for bold ideas to save time and money. If your company needs to achieve compliance with the California Consumer Privacy Act, use our article to get ready: 5 Ways To Use Software To Reduce Your CCPA Compliance Burden.

Written by Nelson Cicchitto