Passwordless authentication solutions: What adoption means to enterprises

Welcome to passwordless - where enterprises adopt convenience and ease of use for employees while retaining security and the authentication systems adhering to organizational requirements.

The continuum of security, convenience, and ease of use is an exciting one, and those principles remain core tenants of the Bitwarden user experience. It’s why the company has fully embraced passwordless authentication as a method to eliminate passwords. Adaptive access policies enhance trust and security around user authentication processes. Innovations such as biometrics and integrations with enterprise SSO and security keys enable Bitwarden to offer passwordless authentication, reducing password entry and streamlining user experiences.

Read more: Bitwarden and the passwordless revolution

As enterprises seek more secure and convenient ways to manage user identities, passwordless authentication is becoming increasingly popular–for good reason. Passwordless authentication offers many benefits to businesses, including enhanced security, reduced administrative tasks related to password management, and improved user experience. To help enterprises navigate this transition, this article discusses common challenges faced by enterprises during their adoption process of passwordless authentication solutions, such as deployment costs and end-user skepticism.

Passwordless authentication is a revolutionary approach to user authentication that provides a more secure and user-friendly experience, significantly reducing the risk of data breaches and cyber threats. By leveraging technologies such as biometric authentication, one-time passwords, and security keys, passwordless authentication allows users to verify their identities without the hassle of remembering or manually typing passwords. For instance, biometric authentication uses unique physical characteristics, such as fingerprints or facial recognition, to authenticate users. This not only enhances security but also streamlines the login process, making it a more convenient and efficient way to access applications and services. Security keys, on the other hand, provide a physical token that users must possess to gain access, making this method resistant to common cyber threats like phishing and brute-force attacks.

As enterprises continue to seek robust security measures, passwordless authentication solutions stand out as a promising tool to safeguard user identities and sensitive data. By implementing these passwordless authentication methods, enterprises can create a more secure and seamless authentication process, reducing the reliance on weak passwords and enhancing overall cybersecurity.

Passwordless is here today, complementing the traditional use of passwords. Passwords remain embedded in the fabric of our digital lives, both at home and at work where most websites, applications, and online services still rely on passwords as a form of authentication. For enterprises seeking to adopt passwordless, there are concrete steps to take today that extend into the future. But what does that approach look like?

To answer that question, Bitwarden sought input from IT leaders across the industry. While passwordless adoption varies by company, here are a few repeated themes.

Passwordless authentication, in general, means authenticating a user identity without requiring a password. For many enterprises, adopting multi-factor authentication is a way to introduce a familiar, non-password authentication experience into user workflows by leveraging various authentication factors.

Such is the case for Internxt, a zero knowledge cloud storage service, that is transitioning to a passwordless environment by starting with multi-factor authentication and security keys.

“This helps our team to deliver an outstanding customer experience without worrying about cybersecurity issues. If you only use a password to authenticate a user, it leaves a trace for a cyberattack. If the password is weak or was exposed elsewhere, how do you know if it is actually the user signing in with the credentials and not an attacker? By requiring a second form of authentication, you increase security,” says Sergio Gutiérrez Villalba, Chief Technology Officer at Internxt.

Moving from a password-dependent workplace to a passwordless one requires taking into consideration the work habits of your user communities – employees, executives and senior leadership, and mobile or remote workers. Enhancing the authentication experience through features like biometric and multi-factor authentication not only secures access but also fosters greater user adoption and overall satisfaction.

Breaking old habits around password authentication and getting employees to embrace change is a top priority for automotive data startup CarVertical.

CIO Arnoldas Vasiliauskas says that his company started with technologies that were already familiar to their employees and then expanded usage slowly across company workflows. For CarVertical, it was biometric authentication.

“Since most mobile phones today have already exposed our employees to passwordless authentication technologies, all we did was optimize their existing familiarity with biometric authentication by making sure we are adopting that same technology. Our efforts mostly focused on getting employees acclimated to utilize the technology in places beyond their mobile phones, such as their work computers and our central work system,” Vasiliauskas explains.

Adopting passwordless warrants a systematic approach that takes into account the size of your enterprise, its specific use cases, current IT infrastructure, user experience, budget, and more.

Internxt is prioritizing three key challenges as part of the company’s passwordless strategy.

According to Gutiérrez Villalba, the first is deployment cost and effort, which will require additional resources for new software or hardware, project and change management, and employee training. Enterprises need to be prepared for the fact that these efforts could take away from other tasks and strategic projects. Hardware tokens, along with biometrics and cryptographic keys, are essential components that enhance security by providing a reliable means of user verification resistant to phishing and other attacks.

Understanding your enterprise security limitations is also critical. Adopting passwordless authentication, while good, should not give enterprises a false sense of better security if other measures are ignored.

“Even with passwordless authentication, malware, man-in-the-browser, and other attacks are possible. For example, hackers can install malware specifically designed to intercept one-time passcodes (OTPs). Or, they could insert trojans into web browsers to intercept shared data like one-time passcodes or magic links,” says Gutiérrez Villalba.

Finally, Gutiérrez Villalba acknowledges that end-user skepticism will likely be persistent for many enterprises. “Most people are accustomed to using passwords, especially ones that are easy to remember. This makes it difficult to conceptualize a passwordless world, and many people are suspicious of its efficacy,” he says.

To tackle this, Internxt will conduct ongoing webinar training for employees on passwordless procedures so users can learn new authentication methods without too much friction and effort.

An end-to-end passwordless experience is exciting. Implementing passwordless authentication enhances user experience and security by simplifying the login process, reducing administrative tasks related to password management, and mitigating risks associated with password breaches. But don’t overlook the process itself - prioritizing the employee experience and designing a deliberate rollout that takes into account specific use cases will help ensure your enterprise reaches its end goal successfully.

“The goal is to give convenience and secure authentication options to our users for them to gain quicker, easier access to resources. At the same time, passwordless authentication reduces the burden on your IT staff by minimizing or eliminating password reset requests and decreases the risk of cyberattacks,” says Gutiérrez Villalba.

What passwordless means

• Developing a passwordless strategy that addresses integration (which user flows do I start with?) and authentication (how do I verify identities without using a password?). Passwordless authentication work involves replacing traditional passwords with security tokens, using techniques like biometric checks and one-time passcodes, and leveraging cryptographic key pairs to enhance security against phishing and malware.

• Prioritizing the people, applications, and workflows for which you deploy passwordless

• Understanding the distinction between a passwordless experience and passwordless FIDO2 WebAuthn workflows

• Ensuring multi-factor authentication is used organization-wide

• Integrating key applications with your SSO systems and identity provider

• Exploring password replacement options such as PIN, physical security keys, and biometrics

What passwordless doesn’t mean

• Eliminating all passwords

The incentive to move quickly towards passwordless is a strong one and Bitwarden is here to protect customer data at every point of their passwordless adoption. Bitwarden is the only open source enterprise password manager that offers zero knowledge, end-to-end encryption, and cross-platform support so your company data is completely secure. Start a free enterprise trial today.