Countless cybersecurity awareness training sessions have been dedicated to passwords over the years. Their typical objective is to keep employees from using passwords that are too weak, sharing them with their colleagues, and storing them in an unsecured manner.
But after everything that has been said and written about password security, a growing number of cybersecurity experts now say that the era of the password is over.
The alternative they advocate is called passwordless authentication, and this article explores what it is and why all SMBs should pay attention to it.
What Is Passwordless Authentication?
The term passwordless authentication can be used to describe any authentication method in which a user can access protected resources without entering a password.
Instead of traditional passwords, passwordless authentication solutions rely on the following authentication factors:
Each of the above-described authentication factors has its advantages and disadvantages (ease of use, implementation cost, etc.), and any organization that decides to go passwordless should carefully evaluate them while keeping in mind its own unique needs and priorities.
MFA vs Passwordless Authentication
Passwordless authentication revolves around the elimination of passwords from the authentication process. But alternative authentication factors are not invulnerable.
For example, cybercriminals use mobile malware and so-called SIM swapping techniques to intercept one-time codes, and there have been many cases of employees having their hardware tokens stolen. That’s why passwordless authentication is often paired with multi-factor authentication (MFA).
As its name suggests, MFA is an authentication method that adds one or more extra layers of protection by requiring users to provide at least two different authentication factors, such as a hardware token and a one-time code.
That said, most MFA implementations are not passwordless. Instead, they combine traditional passwords with one alternative authentication factor. The reason for this is that organizations still widely rely on legacy systems, many of which don’t support passwordless MFA.
Should Small Businesses Ditch Passwords?
The short answer is: yes, at least eventually.
Passwords represent a major cybersecurity threat because employees still neglect basic password best practices, such as never revealing their passwords to others and not using the same password over and over again.
Passwordless authentication solves this problem by largely removing the human factor from the equation, rendering brute-force methods and credential stuffing attacks useless.
Of course, employees can still fall for phishing scams and authorize malicious requests, or their devices can become infected with malware capable of stealing one-time codes, but such threats can be addressed separately.
By ditching passwords, organizations can also boost their productivity because the average person spends 12.6 minutes each week or 10.9 hours per year entering and/or resetting passwords.
Start Your Passwordless Authentication Journey
Passwordless authentication is still not as widely supported as most cybersecurity professionals would like it to be.
For example, Google announced its decision to implement passwordless support for FIDO Sign-in standards in Android and Chrome only this May, and few of the companies that SMBs often rely on are considerably further ahead.
Still, you can start your passwordless authentication journey today by partnering with a managed service provider who knows what it takes to get rid of passwords and can help you plan for a passwordless future—like us at TechGen.
With us by your side, you can be among the first organizations in your industry to go passwordless and reap the security and productivity benefits associated with this modern authentication method.