Welcome to passwordless - where enterprises adopt convenience and ease of use for employees while retaining security and the authentication systems adhering to organizational requirements.
The continuum of security, convenience, and ease of use is an exciting one and those principles remain core tenants of the Bitwarden user experience. It’s why the company has fully embraced passwordless authentication as a method to eliminate passwords. Innovations such as biometrics and integrations with enterprise SSO and security keys enable Bitwarden to offer passwordless authentication, reducing password entry and streamlining user experiences.
Read more: Bitwarden and the passwordless revolution
Passwordless is here today and complements the use of passwords we have had for years. Passwords remain embedded in the fabric of our digital lives, both at home and at work where most websites, applications, and online services still rely on passwords as a form of authentication. For enterprises seeking to adopt passwordless, there are concrete steps you can take today that extend into the future. But what does that approach look like?
To answer that question, Bitwarden sought input from IT leaders across the industry. While passwordless adoption varies by company, here are a few repeated themes.
Passwordless authentication in general means authenticating a user identity without requiring a password. For many enterprises, adopting multi-factor authentication is a way to introduce a familiar, non-password authentication experience into user workflows.
Such is the case for Internxt, a zero knowledge cloud storage service, that is transitioning to a passwordless environment by starting with multi-factor authentication and security keys.
“This helps our team to deliver an outstanding customer experience without worrying about cybersecurity issues. If you only use a password to authenticate a user, it leaves a trace for a cyberattack. If the password is weak or was exposed elsewhere, how do you know if it is actually the user signing in with the credentials and not an attacker? By requiring a second form of authentication, you increase security,” says Sergio Gutiérrez Villalba, Chief Technology Officer at Internxt.
Moving from a password-dependent workplace to a passwordless one requires taking into consideration the work habits of your user communities – employees, executives and senior leadership, and mobile or remote workers.
Breaking old habits around password authentication and getting employees to embrace change is top priority for automotive data startup CarVertical.
CIO Arnoldas Vasiliauskas says that his company started with technologies that were already familiar to their employees and then expanded usage slowly across company workflows. For CarVertical, it was biometrics authentication.
“Since most mobile phones today have already exposed our employees to passwordless authentication technologies, all we did was optimize their existing familiarity with biometric authentication by making sure we are adopting that same technology. Our efforts mostly focused on getting employees acclimated to utilize the technology in places beyond their mobile phones, such as their work computers and our central work system,” Vasiliauskas explains.
Adopting passwordless warrants a systematic approach that takes into account the size of your enterprise, its specific use cases, current IT infrastructure, user experience, budget, and more.
Internxt is prioritizing three key challenges as part of the company’s passwordless strategy.
According to Gutiérrez Villalba, the first is deployment cost and effort, which will require additional resources for new software or hardware, project and change management, and employee training. Enterprises need to be prepared for the fact that these efforts could take away from other tasks and strategic projects.
Understanding your enterprise security limitations is also critical. Adopting passwordless authentication, while good, should not give enterprises a false sense of better security if other measures are ignored.
“Even with passwordless authentication, malware, man-in-the-browser, and other attacks are possible. For example, hackers can install malware specifically designed to intercept one-time passcodes (OTPs). Or, they could insert trojans into web browsers to intercept shared data like one-time passcodes or magic links,” says Gutiérrez Villalba.
Finally, Gutiérrez Villalba acknowledges that end-user skepticism will likely be persistent for many enterprises. “Most people are accustomed to using passwords, especially ones that are easy to remember. This makes it difficult to conceptualize a passwordless world, and many people are suspicious of its efficacy,” he says.
To tackle this, Internxt will conduct ongoing webinar training for employees on passwordless procedures so users can learn new authentication methods without too much friction and effort.
An end-to-end passwordless experience is exciting. But don’t overlook the process itself - prioritizing the employee experience and designing a deliberate rollout that takes into account specific use cases will help ensure your enterprise reaches its end goal successfully.
“The goal is to give convenience and secure authentication options to our users for them to gain quicker, easier access to resources. At the same time, passwordless authentication reduces the burden on your IT staff by minimizing or eliminating password reset requests and decreases the risk of cyberattacks,” says Gutiérrez Villalba.
The incentive to move quickly towards passwordless is a strong one and Bitwarden is here to protect customer data at every point of their passwordless adoption. Bitwarden is the only open source enterprise password manager that offers zero knowledge, end-to-end encryption, and cross-platform support so your company data is completely secure. Start a free Enterprise trial today.
What it means
What it doesn't mean
Developing a passwordless strategy that addresses integration (which user flows do I start with?) and authentication (how do I verify identities wthout using a password?)
Eliminating all passwords
Prioritizing the people, applications, and workflows for which you deploy passwordless
Understanding the distinction between a passwordless experience and passwordless FIDO2 WebAuthn workflows
Ensuring multi-factor authentication is used organization-wide
Integrating key applications with your SSO systems and identity provider
Exploring password replacement options such as PIN, physical security keys, and biometrics