What is passwordless and why does it take a journey to get there?

Let’s start the journey with the destination in mind.   In a passwordless world you will no longer need to remember a complex string of letters, numbers, and special symbols for each site or server you connect to.  In a passwordless world you will no longer need to type or enter these passwords. In a passwordless world you will no longer need to think of new complex strings of letters, numbers, and special symbols every 90 days to update your many passwords.  In a passwordless world you will no longer need to worry about your password being leaked in a server breach.  In a passwordless world you can’t be phished into typing your password into an attacker’s site. In a passwordless world you will no longer need to go through time-consuming password reset recovery procedures.   In a passwordless world your information and accounts will be more secure.

Sounds pretty good, right?  Why not just do it and be done with it?   Why make a journey of it?

Well, passwords have been around a very long time and have used by computers since the early 60’s.    They are baked into a lot of systems and burned into people’s psyches.   Some systems still only support passwords but many more have reduced the reliance on passwords for security by adding a second step of authentication.  Others allow passwordless login while keeping the password in the background for recovery.   Few have eliminated the password completely, including on the server side.

The goal is to improve user experience, reduce risk and IT costs.    Being a security guy, I think about security first, but I am not so naive to think that user experience is not just as important.  Here are the steps I would suggest for the journey to become passwordless:


Do a risk assessment on your information systems.     Which system(s) would the impact of a breach be the highest?   Where is it most likely to occur (are the systems exposed to the internet)?

Risk is a function of impact & probability.   High impact and high probability equals high risk.  Select the systems most at risk and determine what authentication options they currently support.  What is your  IdP (Identity Provider)?  Are you using a single sign on portal to all your applications that is insufficiently protected?   Do they support FIDO Security Keys or certificate authentication?    Next, assess your user base.    Which form factors (device/laptop , mobile phone, USB security key, etc.)   best fit their user experience preferences.  Let your IT Team weigh in.  What methods are the easiest to deploy and support and will keep costs down?  Think about what’s needed for backup, recovery and portability too.

For example, perhaps your Microsoft Office 365  is rated high risk because of the threat of Business Email Compromise (BEC) and Salesforce is medium risk, but you know they have gone on record to require MFA by Feb 2022.

Now define your passwordless strategy for each system, starting with the highest risk first, to lay a strong foundation for the future while doing what can be done now.  Try to have as much commonality in your strategy across systems as possible, to keep things simple.

Based on your requirements from step 1 and what is supported by your system make your choices:

  • Two step authentication or passwordless login
  • FIDO or Certificate Authentication (Virtual Smart Card)
  • Laptop or token or mobile phone for primary authentication device
  • Laptop or token or mobile phone for alternate authentication device
  • Laptop or token or mobile phone or USB for backup device
  • PIN or Biometrics (e.g., Fingerprint or facial recognition)

For example, perhaps users have corporate-issued laptops but not corporate mobile phones, so FIDO authentication using the laptops’ built in TPM is the best choice.  O 365 is configured for passwordless login, while Salesforce uses two step login until they support FIDO passwordless.   Your laptops have fingerprint readers, so your users can either use their fingerprint or a simple local PIN to authenticate.

Help your users on this journey.   Share your security policy, educate them to develop security awareness on the risks, then explain the advantages of going on a passwordless journey.

Select a subset of your users and do a proof of concept.     Respond to any concerns and collect feedback.   Get your users to share their experiences so that everyone will want in.

Take what you learned in the proof of concept, then roll out to your users.

Monitor the modes your systems support over time.   As they evolve to support passwordless login, convert to that mode.

Once all users on a system are converted to passwordless login then eliminate the actual passwords on the server / Identity Provider side.  That will eliminate the last bit of password attack surface.    Once the last password is removed you are truly passwordless.

Once you have eliminated passwords you will have built a strong foundation, because passwordless authentication is built on top of strong asymmetric encryption.   The burden will have been shifted from the users to the technology.    Users no longer need to create, remember and type passwords.  The hard work is done by the crypto on the authentication device.    This opens up the possibility of having the technology evolve to address emerging threats (like the recent SolarWinds MFA bypass attack) in a way that’s transparent to the users and seamless with the OIT infrastructure.


Going passwordless is a journey that will take some time.  Passwords have been around for a very long time and there has been talk of eliminating passwords for at least a decade.   So why start now?  Two basic reasons:

  • The attacks continue to evolve, and the vulnerabilities are multiplying with more applications moving to the cloud and users working from home.
  • Passwordless is ready for prime time now. The technology has matured and supported by the major players from Microsoft to Google. It will soon be considered best practice.

Contact us to see how we can assist you to get started on the journey.



Previous Post
Encryption and Authentication at the endpoint
Next Post
Why is a PIN better than a Password?