KuppingerCole Report
By Paul Simmonds

Planning for a "Passwordless" future

Passwords have been beyond their "sell-by" date for over twenty years, and managing the password lifecycle within an organisation comes at a large cost to any enterprise; passwords also form an attractive target for hackers and organised crime alike. Passwordless systems promise not only to save us from the nightmare of passwords but also to enable an environment where access is based on risk, leveraging multiple factors to determine whether a user should be allowed access, and to provide the foundations for other corporate initiatives such as Zero Trust, Software Defined Networking and a modern work-from-anywhere culture.

Commissioned by Duo Security

1 Introduction / Executive Summary

Passwords have been beyond their "sell-by" date for over twenty years and are regularly exploited, with lists of usernames and passwords being traded for a few cents on the dark web.

Managing existing passwords within an organisation comes at a large cost to any enterprise, with figures of between $50 and $70 for a single password reset, and potentially up to 80% of all help desk interactions involving a password issue.

The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something non-random like 'Susan.' And if it's random, like 'r7U2Qnp,' then it's not easy to remember.[1] (Bruce Schneier)

Passwordless systems are now a viable solution to the password nightmare, in which users need to remember tens (and in some cases hundreds) of passwords, and, if implemented correctly, they provide a higher level of security.

Passwordless gives us the ability to increase trust in authentication while reducing friction, with the added benefits of increased confidence in the health and status of the devices accessing applications and systems, and of allowing access risk to be monitored.

A passwordless solution also has the ability to convey identity, authentication and risk information to support other corporate initiatives such as Zero Trust and Software Defined Networking, as well as enable a modern work-from-anywhere strategy.

If successful, you end up with a modern authentication system that does not rely on users remembering passwords and is frictionless for the users - while adding substantially to the overall security posture of the organisation.

2 What does "passwordless" have the potential to fix?

Passwords are a binary authentication mechanism, generally set and managed by IT. Once a user successfully completes the password challenge then that ...

3 Passwordless Authentication Overview

The concept of "passwordless" authentication has been gaining significant industry and media attention. The reason for this is clear: our digital live ...

3.1 Why passwordless can be better and more secure

To understand why a passwordless system has the potential to be better and more secure, it is first necessary to understand why passwords are failing ...

3.2 Acceptance of alternatives

Alternatives to passwords are becoming accepted by both users and information security professionals.

  1. Phone apps that give users the convenience ...

3.3 Ability to implement alternatives

Alternatives to passwords are getting easier to implement in systems and applications due to the increasing ubiquity of standard APIs (Application Pro ...

4 Passwordless authentication in detail

Properly implemented, passwordless authentication has the ability to provide a better user experience coupled with increased security.

4.1 How passwordless actually works

Passwordless authentication is a method of verifying users' identities without the use of passwords or any other static secret that can be captured, g ...

4.2 Minimising user friction

Users want to take the path of least resistance; in the corporate environment this typically manifests itself with people choosing weak passwords or w ...

4.3 Providing higher levels of assurance

When a higher assurance level for the identity of the user requesting access is needed, there are typically two methods employed; step up authenticati ...

4.3.1 Step-up Authentication

Step-up authentication only requests a further level of security check when the risk-tolerance for the transaction being undertaken demands it.

  • S ...

4.3.2 Adaptive & Continuous Authentication

Adaptive & continuous authentication takes advantage of contextual and behavioural aspects to assess the risk of an access attempt and adapt the type ...

4.3.3 Monitoring access risk

Adaptive & continuous authentication works both ways, and by monitoring when user context changes rapidly or looks anomalous or risky then access can ...

4.4 Increasing trust in authentication

If we're going to remove the shared secret (password) then it is critical that we have higher levels of both trust in, and visibility of, the authenti ...

4.4.1 Confidence in the health and status of devices accessing applications & systems

There is a need to be even more confident in the health and status of the devices (Windows, MacOS, iOS and Android) that are accessing applications; a ...

4.5 The smartphone at the heart of your passwordless strategy?

For many the ubiquity of the smartphone may point to it being the obvious choice to be at the heart of any passwordless strategy. This has led to ques ...

5 Strategy

Implementing an alternative to passwords requires a strategic approach. The danger is that all the existing authentication methods remain and the resu ...

5.1 Your strategy should consider

As part of planning any new system it is important to clearly understand the following:

  1. What any new authentication system will allow you to rem ...

5.2 Implementation issues to consider

A new MFA/Passwordless solution has the potential to be a strategic benefit to the entire business, if planned and implemented properly, touching on a ...

5.3 Overlap with other technologies

Any replacement authentication system will likely need to interact with more than just the systems you physically own and directly manage. It should a ...

5.4 Wider Security Issues

In any strategic approach there are always questions you should ask yourself as a sanity check to your proposed solution and/or the processes that sur ...

6 Recommendations

Replacing a complex IT infrastructure that has been underpinned by username-password authentication will need careful planning if it is to be a succes ...

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is given. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.