Over the past several years, experts have recognized that perhaps the best password strategy for your application logins is to have no password at all, an approach often labeled “passwordless.” It is a bit of a misnomer, as you’ll see as we investigate the commercial options. The passwordless concept has seen various innovations, including Windows 10 Hello and Okta Verify. Vendors such as Secret Double Octopus, Auth0 and HYPR have their own solutions.
Reasons to try a passwordless approach
Let’s step back and understand the benefits of passwordless. Are you trying to truly eliminate passwords for all (or some subset) of your users, or just reduce their penchant for duplicating memorable passwords across multiple logins? Do you currently use hardware keys such as RSA SecurID and want something more convenient? Are you trying to boost multi-factor authentication (MFA) usage to better protect your logins?
These are all good reasons to examine passwordless options. The devil is in the details, though. For example, not every application supports every passwordless option, or even many MFA options. If you have deployed your own custom apps, your developers will need to add these methods or make use of a software development kit that can make the job easier. (Both Auth0 and HYPR have tools to help with your own apps, for example.)
If you have deployed a single sign-on (SSO) product or use an enterprise-wide password manager, you probably should continue to use these tools in combination with one of the passwordless methods to make them more palatable for your users. If you don’t have a solid identity management system in place, check out what RSA, OneLogin and Okta have to offer here and what it would take to implement one of them – all three have made efforts towards passwordless or at least better MFA integration with their tools. Or consider using Auth0’s SSO and start with their passwordless options firmly in mind.