Going Passwordless
Moving to a passwordless solution can be an intimidating thought, but many organizations are moving away from traditional passwords and implementing easy-to-use and arguably more secure authentication methods. A 2023 Workforce Authentication Report from FIDO and LastPass found that 92% of businesses already have or plan to use passwordless technology, while 95% of businesses are currently using a form of passwordless technology.
Here’s what you need to know about going passwordless and what that means for users and organizations.
What does it mean to go passwordless?
“Passwordless” refers to authentication methods that do not use traditional passwords, instead relying on other secure methods such as biometrics, temporary codes, or multi-factor authentication (MFA). Most of us are probably already using one or more of these authentication tactics. Think about logging into your work laptop every morning and authenticating with your smartphone via MFA. These non-password authentication methods can include:
Biometrics
Physical attributes or behavioral traits used to recognize or verify identity. You may be familiar with some of these biometrics methods:
Fingerprint scanning: We see this on newer computers; you open your laptop, touch the scanner, and the OS logs you in without using a password.
Facial recognition: Until a few years ago, to keep your mobile phone secure, a passcode was required to unlock it. Now, most of us use facial recognition to unlock our phones and authenticate with many of the apps on our phones.
Voice recognition: Software captures the characteristics of your voice to create a unique voiceprint that is stored and used for future authentication attempts. Using your voice for authentication is less common, but you may be using it and not even know it. For example, if configured correctly, Siri should only recognize and respond to your voice.
Iris scanning: Even less common, a piece of hardware scans your eye, looking for unique patterns in your iris. This method is probably used in secret underground bunkers at Area 51 and is less likely to be used to log in to your laptop anytime soon, but like voice recognition, this method of authentication will eventually become more prevalent.
Hardware tokens
This non-password authentication method uses a physical device, often USB, that is inserted into your primary device to provide validation. While Google was testing physical security keys, they found that phishing attacks were 100% avoided by employees authenticating with a physical device. One of the most popular hardware tokens is the YubiKey. After registering your YubiKey and linking it to the services you log in to, you insert it into your computer’s USB port; it then communicates with your phone to initiate authentication.
Software tokens
You're likely using this authentication method daily. A secondary application, either an authenticator app or a push notification to a mobile device, is used to verify your identity.
Authenticator apps: These have become quite common, and most household tech companies have their own, such as Google Authenticator, Microsoft Authenticator, or LastPass Authenticator. After you attempt to log in to a system, the authenticator app sends you a one-time passcode, or PIN, that you use to complete the verification.
Push notifications: If your organization is using Okta, you’re most likely using push notifications to verify your logins. Push notifications require an app on your mobile device where you’ll complete a one-time identity verification. This app then sends a push notification to your device after a login attempt to verify your identity.
Magic links
Magic links work like authenticator apps and push notifications, but without the convenience of a native application. After you attempt to log in to a system, a link is sent to your registered email address or as a text message to your registered phone number. Clicking the link verifies your identity and grants you access to the system.
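What makes a magic link safe to send over email or SMS is the token it carries: it must be unforgeable, short-lived, and usable exactly once, so a link that leaks from an inbox later is worthless. The following is an added example, not code from this article or from Docusign, of a service that issues HMAC-signed tokens with an expiry and a server-side nonce that is consumed on first redemption. The `MagicLinkService` class, the `login.example.invalid` URL, and the demo key are all assumptions constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed demo key; a real deployment loads this from a secrets manager.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class MagicLinkService:
    """Hypothetical service: issue and redeem signed, expiring, single-use tokens."""

    def __init__(self, key: bytes, ttl_seconds: int = 900):
        self.key = key
        self.ttl = ttl_seconds
        # nonce -> expiry; the entry is removed on first redemption (single use)
        self._pending: Dict[str, int] = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        nonce = secrets.token_urlsafe(16)
        claims = {"sub": email, "exp": now + self.ttl, "nonce": nonce}
        payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        self._pending[nonce] = claims["exp"]
        return f"{payload}.{self._sign(payload)}"

    def login_url(self, email: str, now: Optional[int] = None) -> str:
        """The link that would be emailed or texted to the user (hypothetical host)."""
        return "https://login.example.invalid/magic?token=" + self.issue(email, now)

    def redeem(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the authenticated subject, or None if the token is rejected."""
        now = int(time.time()) if now is None else now
        payload, _, tag = token.partition(".")
        # Constant-time comparison; a bad or missing signature is rejected first
        if not tag or not hmac.compare_digest(self._sign(payload).encode(), tag.encode()):
            return None  # forged or tampered
        try:
            claims = json.loads(_b64url_decode(payload))
        except ValueError:
            return None
        nonce = claims.get("nonce")
        if now > claims.get("exp", 0):
            self._pending.pop(nonce, None)  # expired: drop it, never accept it
            return None
        if self._pending.pop(nonce, None) is None:
            return None  # already used, or never issued by this server
        return claims["sub"]


if __name__ == "__main__":
    service = MagicLinkService(DEMO_KEY)
    link = service.login_url("alice@example.com")
    token = link.split("token=", 1)[1]
    print("first click :", service.redeem(token))
    print("second click:", service.redeem(token))
```

The signature stops anyone from minting a token for another user's address, the `exp` claim bounds how long a leaked link stays valid, and popping the nonce on redemption means a forwarded or replayed link fails even inside that window.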
Why go passwordless?
All of our cybersecurity training has taught us the importance of password complexity—length, numbers, special characters, etc. We have also learned the importance of changing passwords periodically, and that the updated passwords must not be variations of any previous ones. Hopefully none of us are sticking notes to our monitors anymore. All of these rules often lead to a sense of “password fatigue,” where most users have dozens of accounts, personal or work, and have to maintain a mental library of all of the passwords and the complex rules associated with them. Oftentimes, because of this “fatigue,” users develop poor password management habits, most commonly using one password for all of their accounts, personal and professional. While there are third-party software solutions that help you securely store your passwords and fill them in on the relevant website, ironically, these often also require a password in order to use them.
Unfortunately, theft is another problem with traditional passwords. Phishing attacks are one of the most common methods bad actors use to steal passwords. In an identity and access management report from Forrester, companies that moved to a passwordless solution noticed a 50% reduction in phishing-related incidents. Data breaches are another common avenue for cybercriminals to steal not only passwords but other sensitive information as well. The 2024 Verizon Data Breach Investigations Report states that 24% of data breaches are a result of compromised credentials.
Benefits of implementing passwordless solutions
User experience
Users love the idea of eliminating passwords. Not having to remember or manage multiple complex passwords and faster, more convenient authentication methods are definitely advantages from a UX perspective.
Secret Double Octopus, a company specializing in passwordless technology, conducted a survey and found that 79% of users preferred passwordless methods over traditional passwords.
Cost savings
Believe it or not, passwords come with a cost. Next time you're at the water cooler chatting it up with an IT Support Tech, ask them how many times they’ve had a request for a password reset. Significant resources are spent on password management, including resetting passwords and implementing MFA solutions. The previously mentioned Forrester Identity and Access Management report cites a Gartner study showing that 20–50% of all IT help desk calls are for password resets, with the average cost of a single reset being $70.
The Ponemon Institute, an independent research and education institution, conducted a study that found that enterprises that use passwordless technology saved, on average, $1 million annually in IT support-related costs.
Regulatory compliance
Compliance programs require strong authentication methods and solutions in order to achieve and maintain compliance. Passwordless technology makes it easy for an organization to comply with the requirements set forth in programs such as PCI-DSS, FedRAMP, SOC, and ISO 27001. Passwordless solutions also make it easier to comply with data protection and privacy standards such as the GDPR and CCPA.
Enhanced security
Passwordless methods are proven to be more secure than traditional passwords because they rely on something else: something the user has (a physical device) or something that a user is (biometric data), as opposed to something the user knows. These extra layers of protection are unique to an individual and difficult to steal, providing more security than passwords.
From an organizational perspective, a passwordless solution reduces a company’s attack surface. Eliminating the database needed to store, manage, and transmit password data removes a vector that can potentially be breached or leaked. Mass credential theft is not possible if there is nothing to steal. Mass credential theft is also not just a one-time event: it can lead to “credential stuffing,” where stolen credentials are reused multiple times to access different user accounts.
Enhanced security with passwordless solutions
As mentioned, over half of cyber attacks occur because of stolen credentials. Implementing passwordless solutions enhances the user experience and can also help organizations earn compliance certifications and comply with standards set by various regulatory bodies. Most importantly, passwordless solutions provide a level of enhanced security that is not possible through traditional password methods.
Reducing vulnerabilities related to passwords and providing stronger passwordless methods improves user experience and develops a stronger security posture.
Docusign offers an extensive portfolio of easy-to-use identification and authentication solutions to address a range of use cases globally. To learn more about these solutions, contact your Docusign account manager or read here.