Going Passwordless Fast & Effectively with MFA
Best practices for initial passwordless deployment.
Organizations have been achieving passwordless access for user populations for years by effectively leveraging existing Multi-factor Authentication techniques. By combining or stacking two unique MFA factors (one of them can be threat assessment), an organization can quickly and intelligently assess risk for each access request and make the appropriate grant/deny/step-up decision by analyzing user behavior, contextual signals, and the device security profile.
A key user benefit of passwordless login is an outstanding user experience: think about typing a complex password on a smartphone screen. A significant benefit for organizations deploying passwordless authentication is substantially stronger security, because passwordless removes the threat of popular attack vectors such as credential stuffing, man-in-the-middle attacks, and compromised credentials. Additionally, organizations realize cost savings with fewer help desk tickets for password resets.
Going passwordless is a journey that benefits users and the organization. Passwordless is not a silver bullet and will not resolve every security concern. There are also some user groups, applications, and systems that are simply not ready to enable or support passwordless. Understanding these limitations, and that passwordless will not eliminate every access challenge your organization contends with every day, will make planning easier and expectations realistic. Passwordless provides a great number of benefits to an organization, and getting started could not be easier.
Passwordless Success Requires MFA Self-Service
A key component of passwordless success is MFA self-service. Unrealistic requirements such as hands-on MFA enrollment can be a barrier to entry for companies with 50,000 employees.
It’s critical to provide easy MFA self-enrollment so that users can complete these steps on their own, with little to no guidance from the IT or helpdesk teams. A self-service user portal is a key driver to the long-term success of every passwordless initiative.
Where Passwordless Helps
- Substantially reduce helpdesk tickets created by users requesting assistance to access their account or with a password reset. Eliminate the need to manage password complexity policies.
- The requirement to modify the password every 30/60/90 days will cease.
- User accounts will no longer be automatically set as “password reset” for expired passwords.
- Users will no longer experience disruptions via notifications for “password reset” rules.
- Breached credential services will no longer be necessary for either login or new password setup.
- Browsers will be prevented from capturing and storing passwords in their built-in password managers.
Passwordless Impact on Helpdesk
- To truly save money on helpdesk costs, you will need to provide and require two authentication factors in lieu of a password – one primary and one backup factor.
- Keep in mind that some non-password factors may carry the same helpdesk costs as passwords, e.g. when a user loses the phone with their authenticator app and you allow only that one factor.
- Users get a much better login experience if you choose the right authentication factors. They will sign in faster and spend less time on self-service and helpdesk lines.
Basic Use Cases for Getting Started
B2E is your best bet for initial deployment because your organization has much higher control over the user. Keep in mind that passwordless is a journey. You will find that winning hearts and minds of a subset of your employees in one location or user group will provide the necessary buy-in when you look to go wider with your deployment plans.
As a starter, consider no-additional-cost factors such as WebAuthn if your user group is on PC/macOS laptops with built-in fingerprint readers (e.g. every MacBook since late 2016 has WebAuthn-compatible Touch ID). Alternatively, look for a small user group population using mobile devices, so that the biometric fingerprint and the device itself can serve as authentication factors.
The ability to provide self-service MFA enrollment is critical to a successful rollout of passwordless authentication for customer use cases. Users are increasingly tech savvy and increasingly prefer passwordless workflows to access their applications. Look into lightweight MFA factors that use user attributes you may already have, such as the user's email address, alternative/recovery email address, or phone number. These lightweight factors are comparatively easy to auto-enroll. The user typically only needs to confirm possession of the factor, for example by receiving a code sent to the phone number or a verification link sent via text message or email. You then tie this confirmation to the user's account in the IAM system.
This MFA factor enrollment process is convenient for users and in line with their expectations. It also provides the trust level you need to verify the user. Remember that with lightweight factors it is good practice to re-confirm possession with users periodically, e.g. every 12 months. Note that this re-verification process may not be needed if the factor is a frequently used primary factor.
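The possession-confirmation and 12-month re-confirmation logic described above, as an added example (not SecureAuth's code): the code is delivered out of band, only its hash is stored, it is single-use with an expiry and an attempt limit, and re-confirmation is skipped for a frequently used primary factor. The code lifetime, attempt limit, the 30-day meaning of "frequently used", and the in-memory data model are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CODE_TTL = timedelta(minutes=10)        # assumed: a sent code is valid this long
MAX_ATTEMPTS = 5                        # assumed: wrong guesses allowed per code
RECONFIRM_AFTER = timedelta(days=365)   # page guidance: re-confirm every 12 months
ACTIVE_USE_WINDOW = timedelta(days=30)  # assumed meaning of "frequently used"

@dataclass
class LightweightFactor:
    kind: str                       # "sms" or "email" (constructed kinds)
    destination: str                # phone number or address the code goes to
    is_primary: bool = False        # True when this is the user's primary factor
    verified_at: Optional[datetime] = None
    last_used_at: Optional[datetime] = None
    code_hash: Optional[str] = None # hash of the outstanding code, never the code
    expires_at: Optional[datetime] = None
    attempts: int = 0

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

def start_verification(f: LightweightFactor, now: datetime) -> str:
    """Issue a one-time code; store only its hash and return the code for delivery."""
    code = f"{secrets.randbelow(10**6):06d}"
    f.code_hash, f.expires_at, f.attempts = _digest(code), now + CODE_TTL, 0
    return code   # sent via SMS or email by the caller; never logged

def confirm_verification(f: LightweightFactor, submitted: str, now: datetime) -> bool:
    """Mark the factor verified when an unexpired, unlocked code matches (single use)."""
    if f.code_hash is None or now > f.expires_at or f.attempts >= MAX_ATTEMPTS:
        return False
    f.attempts += 1
    if not hmac.compare_digest(_digest(submitted), f.code_hash):
        return False
    f.verified_at = f.last_used_at = now
    f.code_hash = f.expires_at = None
    return True

def needs_reconfirmation(f: LightweightFactor, now: datetime) -> bool:
    """Re-confirm after 12 months, unless the factor is a frequently used primary."""
    if f.verified_at is None:
        return True
    if f.is_primary and f.last_used_at and now - f.last_used_at <= ACTIVE_USE_WINDOW:
        return False
    return now - f.verified_at >= RECONFIRM_AFTER
```

Once `confirm_verification` succeeds, the IAM record for the user is updated with the verified factor; the same routine can run again when `needs_reconfirmation` returns True.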
Best Practices for Initial Deployment
- Avoid thinking you can deploy passwordless for every system and for every user. When getting started, we recommend identifying just one use case so you can execute a pilot deployment of passwordless authentication.
- Select a small user group for the initial deployment. We also recommend that the selected user group consists of tech-savvy users.
- Make sure you offer two methods to sign in to passwordless accounts so that a person can self-service their login when they cannot use one of the factors. For example, use Click-to-Accept (push notification) through an authenticator app and OTP-via-email (link or code), or a similar combination.
- Offer users a method to self-service their MFA enrollment. If they have an authenticator app (e.g. SecureAuth Authenticate), they may need to move it to an upgraded phone. Users must be able to enroll the new device and unenroll the old one without helpdesk intervention.
- Ensure users can report a lost MFA token to the help desk, e.g. when a user loses a YubiKey, so the helpdesk can remove it from their user profile.
- Train your helpdesk! Put some people from the helpdesk on the same passwordless policy – it should be the same group that will be supporting your initial B2E/CIAM passwordless group.
- Launch the initial passwordless deployment with your help desk team. Monitor for issues.
- Think through how you enroll a non-password factor. With email or phone number, you are able to auto-enroll the user.
- Evaluate enrollment costs. For example, an OTP app needs to be enrolled; in this case the user should be prompted to do so in the regular login flow. In the case of OTP-link-as-email, you may already have the user's alternative email, but evaluate whether you trust that alternative email. Note: a secondary personal email is OK for CIAM but insufficient for B2E.
- Ensure the helpdesk team can deactivate an MFA factor, e.g. when a user loses their YubiKey or Google Titan Key.
- Ensure the helpdesk is able to generate a one-time access code in emergencies and make sure you have a way to validate a user’s identity over the phone.
- Always combine any of these methods with risk/threat analysis. Risk analysis provides a fundamentally strong factor, effectively a built-in one that requires nothing from the user.
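The decision logic implied by the opening paragraph and by the last point above (a verified non-password factor stacked with a risk assessment built from contextual signals, yielding grant, deny or step-up), as an added example that is not SecureAuth's code. The factor tiers, the signal names, their weights and the thresholds are illustrative assumptions; a production engine would derive them from observed user behavior and device posture.

```python
from dataclasses import dataclass, field

PASSWORD_FACTORS = {"password"}
STRONG_FACTORS = {"webauthn", "hardware_key", "push", "otp_app"}   # assumed tiering

# Assumed contextual signals and risk weights (illustrative, not SecureAuth's model).
SIGNAL_WEIGHTS = {
    "new_device": 30,            # device fingerprint not seen before for this user
    "impossible_travel": 50,     # geo-velocity between sessions is not plausible
    "anonymizing_network": 40,   # request arrives via Tor or a known anonymizing proxy
    "device_unmanaged": 20,      # no MDM/EDR posture attestation for the device
    "off_hours": 10,             # outside the user's usual working window
}
STEP_UP_THRESHOLD = 30   # assumed
DENY_THRESHOLD = 70      # assumed

@dataclass
class AccessRequest:
    enrolled_factors: set        # factors registered on the account
    verified_factors: set        # factors proven during this login attempt
    signals: set = field(default_factory=set)

def risk_score(signals: set) -> int:
    """Sum the weights of observed signals, capped at 100."""
    return min(100, sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals))

def passwordless_eligible(enrolled: set) -> bool:
    """Page guidance: a primary and a backup non-password factor are both required."""
    return len(enrolled - PASSWORD_FACTORS) >= 2

def decide(req: AccessRequest) -> str:
    """Stack the verified non-password factor with risk analysis as the second factor."""
    non_pw = req.verified_factors - PASSWORD_FACTORS
    if not non_pw:
        return "DENY"                       # a password alone never grants access
    score = risk_score(req.signals)
    if score >= DENY_THRESHOLD:
        return "DENY"
    strong = bool(non_pw & STRONG_FACTORS)
    if score >= STEP_UP_THRESHOLD and not (strong and len(non_pw) >= 2):
        return "STEP_UP"                    # elevated risk: ask for the backup factor
    if not strong and score > 0:
        return "STEP_UP"                    # a lightweight factor only clears a clean context
    return "GRANT"
```

`passwordless_eligible` is the enrollment-time gate (two non-password factors before the password is removed); `decide` is the per-request policy.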