Why Passwordless?
Traditional authentication using a username and password has been the foundation of
digital identity for over 50 years. But with the ever-growing number of user accounts,
there are new issues: the burden on end-users to remember multiple passwords,
support costs, and most importantly, the security risks posed by compromised
credentials. As a result, the case for eliminating passwords from the authentication
experience is getting more compelling every day.
Understanding the need for passwordless authentication starts with understanding the
challenges presented by passwords. The core challenges with passwords can be broken
down into the following areas:
● Poor account security - “80% of hacking-related breaches used either weak or
stolen passwords” — Verizon Data Breach Report 2019.
● Poor user experience - A survey by the University of Oxford predicted that
roughly a third of online purchases are abandoned at checkout because people
cannot remember their passwords.
● Increased costs - an average of 12.6 minutes per week spent entering or
resetting passwords, and a $5m+ cost in productivity and labor lost per company,
according to the 2019 Ponemon Authentication report.
Moving beyond passwords requires some deep thought. Before organizations decide to
eliminate passwords, we recommend a gradual approach that looks at threats,
technology, user journeys, costs, adoption friction, and implementation.
Going Passwordless
Eliminating passwords and going passwordless can be accomplished using several
different technologies.
Fundamentally, passwordless authentication is synonymous with eliminating
knowledge-factor authentication methods (all memorized secrets).
In the table below, we provide example definitions of assurance levels (classified
into three categories: low, medium, and high) and requirements for authentication, as
well as the “context” of the device.
Note that these assumptions are not a reference model but an example, and they must
be adjusted by or with the customer based on their specific security requirements.