KuppingerCole Report
Whitepaper
By Paul Simmonds

Planning for a "Passwordless" future

Passwords have been past their "sell-by" date for over twenty years. Managing the password lifecycle comes at a large cost to any enterprise, and passwords are an attractive target for hackers and organised crime alike. Passwordless systems promise not only to free us from the nightmare of passwords but to move us to an environment where access is based on risk, using multiple factors to decide whether a user should be allowed access. They also provide the foundations for other corporate initiatives such as Zero Trust, Software Defined Networking and a modern work-from-anywhere culture.
By Paul Simmonds
ps@kuppingercole.com

1 Introduction / Executive Summary

Passwords have been beyond their "sell-by" date for over twenty years and are being regularly exploited with lists of usernames and passwords being tr ...

2 What does "passwordless" have the potential to fix?

Passwords are a binary authentication mechanism, generally set and managed by IT. Once a user successfully completes the password challenge then that ...

3 Passwordless Authentication Overview

The concept of "passwordless" authentication has been gaining significant industry and media attention. The reason for this is clear: our digital live ...

3.1 Why passwordless can be better and more secure

To understand why a passwordless system has the potential to be better and more secure, it is first necessary to understand why passwords are failing ...

3.2 Acceptance of alternatives

Alternatives to passwords are becoming accepted by both users and information security professionals.

  1. Phone apps that give users the convenience ...

3.3 Ability to implement alternatives

Alternatives to passwords are getting easier to implement in systems and applications due to the increasing ubiquity of standard APIs (Application Pro ...

4 Passwordless authentication in detail

Properly implemented, passwordless authentication has the ability to provide a better user experience coupled with increased security.

4.1 How passwordless actually works

Passwordless authentication is a method of verifying users' identities without the use of passwords or any other static secret that can be captured, g ...
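The principle above, as an added example that is not part of the report: a challenge-response exchange in Go using Ed25519, in the style of FIDO2/WebAuthn. The server stores only a public key, every login uses a fresh single-use challenge, and the device signs the origin it was shown, so a captured response cannot be replayed and a response relayed through a look-alike site does not verify. The origin, credential ID, signed-payload layout and counter handling are assumptions made for this example and are simplified relative to the real WebAuthn data structures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// RelyingParty is the server side. It stores only public keys, so a breach of
// its database yields nothing an attacker can replay as a credential.
type RelyingParty struct {
	origin      string
	credentials map[string]ed25519.PublicKey // credential ID -> public key
	pending     map[string][]byte            // credential ID -> outstanding challenge
	signCount   map[string]uint32            // last accepted signature counter
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, credentials: map[string]ed25519.PublicKey{},
		pending: map[string][]byte{}, signCount: map[string]uint32{}}
}

// Register stores the public half of a key pair created on the user's device.
func (rp *RelyingParty) Register(credID string, pub ed25519.PublicKey) {
	rp.credentials[credID] = pub
}

// BeginLogin issues a fresh random challenge. It is single-use: the next
// FinishLogin for this credential consumes it, whatever the outcome.
func (rp *RelyingParty) BeginLogin(credID string) ([]byte, error) {
	if _, ok := rp.credentials[credID]; !ok {
		return nil, errors.New("unknown credential")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[credID] = ch
	return ch, nil
}

// signedPayload is what the device signs: origin || challenge || counter
// (assumed layout). Binding the origin defeats relaying through a look-alike
// site; the counter lets the server notice a cloned authenticator.
func signedPayload(origin string, challenge []byte, count uint32) []byte {
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], count)
	buf := append([]byte(origin), challenge...)
	return append(buf, cnt[:]...)
}

// FinishLogin verifies the device's response against the stored public key.
func (rp *RelyingParty) FinishLogin(credID string, sig []byte, count uint32) error {
	pub, ok := rp.credentials[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	ch, ok := rp.pending[credID]
	if !ok {
		return errors.New("no outstanding challenge (replayed response?)")
	}
	delete(rp.pending, credID)
	if count <= rp.signCount[credID] {
		return errors.New("signature counter did not advance (cloned authenticator?)")
	}
	if !ed25519.Verify(pub, signedPayload(rp.origin, ch, count), sig) {
		return errors.New("signature does not verify for this origin and challenge")
	}
	rp.signCount[credID] = count
	return nil
}

// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct {
	credID string
	priv   ed25519.PrivateKey
	count  uint32
}

func NewAuthenticator(credID string) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{credID: credID, priv: priv}, nil
}

// Respond signs the challenge for the origin the device actually sees.
func (a *Authenticator) Respond(origin string, challenge []byte) ([]byte, uint32) {
	a.count++
	return ed25519.Sign(a.priv, signedPayload(origin, challenge, a.count)), a.count
}

// RunScenario exercises a genuine login, a replay of the captured response and
// a response relayed through a look-alike origin. Only the first returns nil.
func RunScenario() (genuine, replay, phish error) {
	rp := NewRelyingParty("https://login.example.com") // assumed origin
	auth, err := NewAuthenticator("cred-1")
	if err != nil {
		return err, err, err
	}
	rp.Register(auth.credID, auth.priv.Public().(ed25519.PublicKey))

	ch, _ := rp.BeginLogin(auth.credID)
	sig, n := auth.Respond(rp.origin, ch)
	genuine = rp.FinishLogin(auth.credID, sig, n)

	// The same response presented again: the challenge is already consumed.
	replay = rp.FinishLogin(auth.credID, sig, n)

	// A phishing proxy relays a fresh challenge, but the device signs the
	// origin it was shown, so the server's verification fails.
	ch2, _ := rp.BeginLogin(auth.credID)
	sig2, n2 := auth.Respond("https://login.example.com.evil.test", ch2)
	phish = rp.FinishLogin(auth.credID, sig2, n2)
	return genuine, replay, phish
}

func main() {
	genuine, replay, phish := RunScenario()
	fmt.Println("genuine login:", genuine)
	fmt.Println("replayed response:", replay)
	fmt.Println("relayed (phished) response:", phish)
}
```

Nothing a network attacker or a breached server can capture here is reusable: the challenge is random and consumed once, and the signature is over the origin, so the same pattern is what makes the FIDO2 family phishing-resistant.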

4.2 Minimising user friction

Users want to take the path of least resistance; in the corporate environment this typically manifests itself with people choosing weak passwords or w ...

4.3 Providing higher levels of assurance

When a higher assurance level for the identity of the user requesting access is needed, there are typically two methods employed; step up authenticati ...

4.3.1 Step-up Authentication

Step-up authentication requests a further security check only when the risk of the transaction being undertaken exceeds what the current level of assurance can tolerate.

  • S ...

4.3.2 Adaptive & Continuous Authentication

Adaptive & continuous authentication takes advantage of contextual and behavioural aspects to assess the risk of an access attempt and adapt the type ...

4.3.3 Monitoring access risk

Adaptive & continuous authentication works both ways, and by monitoring when user context changes rapidly or looks anomalous or risky then access can ...
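Step-up, adaptive and continuous authentication as described in 4.3.1 to 4.3.3, as an added example that is not from the report: a small policy engine in Go that re-evaluates every request rather than only the login, raises the required assurance when contextual risk is elevated, and revokes the session when the context looks anomalous. The signals, weights, thresholds and assurance levels are illustrative assumptions for the example, not a recommended policy.

```go
package main

import "fmt"

// Assurance is the level of confidence a session currently carries.
type Assurance int

const (
	None              Assurance = iota // no valid authentication
	SingleFactor                       // one factor, e.g. a push approval
	PhishingResistant                  // e.g. platform authenticator with user verification
)

// Context holds the signals observed on a request (assumed field set).
type Context struct {
	KnownDevice     bool
	DeviceCompliant bool   // passes the device-health check
	Country         string // from the client's network location
	MinutesSince    int    // minutes since the previous allowed request
	LocalHour       int    // 0-23
}

type Transaction struct {
	Name     string
	Required Assurance // minimum assurance the transaction needs
}

type Session struct {
	User  string
	Level Assurance
	Last  Context // context of the last allowed request
}

type Decision int

const (
	Allow  Decision = iota
	StepUp          // ask for a further factor before allowing
	Deny            // revoke the session; full re-authentication required
)

func (d Decision) String() string { return [...]string{"allow", "step-up", "deny"}[d] }

// RiskScore turns contextual signals into a 0-100 score. Weights are made up
// for illustration; a real engine would tune them from observed data.
func RiskScore(c, prev Context) int {
	score := 0
	if !c.KnownDevice {
		score += 30
	}
	if !c.DeviceCompliant {
		score += 30
	}
	// Country changed within two hours: the user cannot have travelled that fast.
	if prev.Country != "" && c.Country != prev.Country && c.MinutesSince < 120 {
		score += 70
	}
	if c.LocalHour < 6 || c.LocalHour > 22 {
		score += 10
	}
	if score > 100 {
		score = 100
	}
	return score
}

// Evaluate runs on every request, so the decision follows the user's context
// as it changes (continuous), and the bar rises with risk (adaptive).
func Evaluate(s *Session, c Context, tx Transaction) (Decision, int) {
	risk := RiskScore(c, s.Last)
	if risk >= 70 {
		s.Level = None // anomalous context: drop the session outright
		return Deny, risk
	}
	need := tx.Required
	if risk >= 40 && need < PhishingResistant {
		need++ // elevated risk raises the required assurance one level
	}
	if s.Level < need {
		return StepUp, risk
	}
	s.Last = c
	return Allow, risk
}

// CompleteStepUp records that the user presented a factor of the given level.
func CompleteStepUp(s *Session, level Assurance) {
	if level > s.Level {
		s.Level = level
	}
}

// Scenario walks a session through allow, step-up, allow, deny (impossible
// travel) and a step-up forced by a risky device on a low-value transaction.
func Scenario() []Decision {
	readMail := Transaction{"read mailbox", SingleFactor}
	payment := Transaction{"approve payment", PhishingResistant}
	office := Context{KnownDevice: true, DeviceCompliant: true, Country: "GB", MinutesSince: 5, LocalHour: 10}

	s := &Session{User: "alice", Level: SingleFactor}
	var out []Decision
	d, _ := Evaluate(s, office, readMail)
	out = append(out, d) // allow: session already meets the bar
	d, _ = Evaluate(s, office, payment)
	out = append(out, d) // step-up: payment needs a phishing-resistant factor
	CompleteStepUp(s, PhishingResistant)
	d, _ = Evaluate(s, office, payment)
	out = append(out, d) // allow
	abroad := office
	abroad.Country, abroad.MinutesSince = "BR", 30
	d, _ = Evaluate(s, abroad, readMail)
	out = append(out, d) // deny: impossible travel, session revoked

	risky := &Session{User: "alice", Level: SingleFactor}
	d, _ = Evaluate(risky, Context{Country: "GB", LocalHour: 10}, readMail)
	out = append(out, d) // step-up: unknown, non-compliant device scores 60
	return out
}

func main() {
	for i, d := range Scenario() {
		fmt.Printf("request %d: %s\n", i+1, d)
	}
}
```

The fourth request shows the "works both ways" point: a session that had already been stepped up to the highest level is dropped, not merely re-challenged, when its context changes in a way the user could not have produced.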

4.4 Increasing trust in authentication

If we're going to remove the shared secret (password) then it is critical that we have higher levels of both trust in, and visibility of, the authenti ...

4.4.1 Confidence in the health and status of devices accessing applications & systems

There is a need to be even more confident in the health and status of the devices (Windows, MacOS, iOS and Android) that are accessing applications; a ...

4.5 The smartphone at the heart of your passwordless strategy?

For many the ubiquity of the smartphone may point to it being the obvious choice to be at the heart of any passwordless strategy. This has led to ques ...

5 Strategy

Implementing an alternative to passwords requires a strategic approach. The danger is that all the existing authentication methods remain and the resu ...

5.1 Your strategy should consider

As part of planning any new system it is important to clearly understand the following:

  1. What any new authentication system will allow you to rem ...

5.2 Implementation issues to consider

A new MFA/Passwordless solution has the potential to be a strategic benefit to the entire business, if planned and implemented properly, touching on a ...

5.3 Overlap with other technologies

Any replacement authentication system will likely need to interact with more than just the systems you physically own and directly manage. It should a ...

5.4 Wider Security Issues

In any strategic approach there are always questions you should ask yourself as a sanity check to your proposed solution and/or the processes that sur ...

6 Recommendations

Replacing a complex IT infrastructure that has been underpinned by username-password authentication will need careful planning if it is to be a succes ...

Copyright

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.