A Practical Approach To Passwordless

This blog was originally published at IDMig.org.

Passwordless authentication is changing the way we approach digital identity security by introducing user-friendly alternatives to password-based systems. It is a critical component of a mature IAM strategy and a much-needed enhancement to identity security. In this article I will dive into the problems passwordless authentication aims to solve, its governance implications, implementation strategies, and more.

What is Passwordless Authentication?

Passwordless authentication refers to authentication methods that do not require a traditional password. It relies on alternatives such as cryptographic keys, biometrics (facial recognition, fingerprints, retina scans, and so on), or hardware tokens. This approach enhances security by addressing several weaknesses of password-based systems, such as weak passwords, password reuse, and susceptibility to phishing or brute-force attacks.

The Problem Passwordless Authentication Helps Solve

Traditional passwords have been a foundational component of identity security, but they come with significant drawbacks and are commonly considered the weakest link in cybersecurity. Here are some of the most common problems passwordless authentication helps with:

  • User experience, the human factor: users find it inconvenient to remember passwords, especially with increasingly complex requirements. Managing multiple strong passwords is cumbersome, which leads many users to adopt insecure practices such as password reuse or, worse, storing passwords insecurely by writing them down or keeping them in note-taking applications.
  • Security vulnerabilities: passwords can be easily compromised, at times through no fault of the end user. Brute-force, dictionary, phishing, and credential-stuffing attacks are all common. In addition, attacks on IAM infrastructure result in credential compromise and leakage regardless of what any one individual has done to protect their password.
  • Operational costs: governing and managing password-related issues is a burden to IT and service desk teams. Self-service password reset tools have come a long way and help reduce this burden, but they do not eliminate it completely.

Passwordless authentication addresses these vulnerabilities quite elegantly by removing the weakest portion of the authentication transaction from the equation. This reduces the attack surface and the related risk, and enhances the user experience in the process. It’s a win/win in most aspects.

Reality check: although passwordless authentication can and will address these issues, in most cases you will not be able to eliminate every use of a password. Legacy applications, for instance, may still require a traditional password. Identifying these use cases early will help as you plan your journey into passwordless.

Did you know: According to IBM’s Cost of a Data Breach 2024 report, it takes 292 days to identify and contain a compromised credential? To top it off, the average cost of a breach has increased to $4.8M. [1]

A Brief Timeline of Passwordless Adoption

Passwordless authentication has been a topic of discussion for a very long time:

  • 2004: Bill Gates predicts the decline of passwords saying “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.” [2]
  • 2013: Google announces the move away from passwords. [3]
  • 2020: Apple, Google, and Microsoft began integrating passwordless authentication methods alongside Yubico, which helped pioneer the WebAuthn and FIDO standards. [4]
  • 2022: Gartner designates passwordless authentication a priority. [5]
  • 2024: The passwordless authentication solutions market grows at a compound annual growth rate (CAGR) of 15.7%. [6]

With technical advancements and the increased importance of modern authentication methods, it is clear that a significant shift toward passwordless authentication is well underway.

Governance and Compliance

Implementing passwordless authentication requires closely satisfying regulatory frameworks as well as industry standards. For example, NIST 800-63B strongly recommends the use of multifactor authentication and phishing-resistant methods (e.g. security keys and biometrics), all core components of passwordless authentication.

Regulatory frameworks such as HIPAA, GDPR, PCI, and others also drive the adoption of passwordless authentication: they mandate robust access controls for sensitive data, and passwordless methods are attractive because they greatly reduce the risk of a credential compromise.

Practical Implementation of Passwordless Authentication

Implementing passwordless authentication is more complex than it first appears. Below are a few considerations that will help you plan and execute a passwordless strategy in a practical manner while maintaining high trust with your users. A simple formula for a practical approach is Design, Execute, Scale (DES).

Before diving in head first, assess the risk within your environment: do you have a more pressing need to secure certain users or levels of access with stronger authentication? Depending on your environment, addressing the logins of admins and certain business users first might reduce your risk substantially.

  • Design:
    • Evaluate your current authentication use cases and identify the largest benefit up front. This commonly means your end-user workstation logon.
    • Design for high trust: multiple authenticators are your friend, and increase the level of trust where it is warranted. Several authenticators are commonly available:
      • Built-in passwordless methods you may already own; Microsoft Windows Hello for Business (WHFB) is a great example,
      • Biometrics (leverage what you already own; check your workstations’ capabilities),
      • Hardware tokens like USB security keys,
      • Device-based authenticators like trusted devices (e.g. smartphones).
  • Execute:
    • Pilot test your methods by implementing your solution with a representative sample of your user base and their authentication use cases.
    • Create documentation and training where needed to support your user population. This doesn’t mean a complex walkthrough of the solution: focus on the user experience.
    • Partner with your support stakeholders, and ensure that end users and support teams have documented recovery processes.
  • Scale:
    • When ready to roll your solution out enterprise-wide, ensure that you have identified your key performance indicators (KPIs); these are the best way to monitor adoption and effectiveness. Some examples:
      • User enrollment,
      • Passwordless authentication success rate,
      • Number of password-related support tickets,
      • User feedback survey or satisfaction score.
    • Phase in your users by agreeing with your support teams on a maximum number of users per day or week for whom you will trigger enrollment into passwordless authentication, and continue until all users have enrolled.
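As an added example (not from the original article), here is how the KPIs listed above and the phased-enrollment cap can be computed from authentication and service-desk events, in Node.js. The event schema, the method and ticket category names, and `SAMPLE_EVENTS` are all constructed assumptions rather than any identity provider's log format; adapt the field names to your own logs.

```javascript
// Added example (not from the original article): rollout KPIs over a period of
// events, plus the next enrollment batch under a daily/weekly cap. The event
// fields (user, event, method, result, category, score), the method and
// category names, and SAMPLE_EVENTS are constructed assumptions.
const PASSWORDLESS_METHODS = new Set(['whfb', 'security_key', 'trusted_device']);
const PASSWORD_TICKET_CATEGORIES = new Set(['password_reset', 'account_lockout']);

const SAMPLE_EVENTS = [  // constructed sample data for one reporting period
  { user: 'u1', event: 'enroll', method: 'whfb' },
  { user: 'u2', event: 'enroll', method: 'security_key' },
  { user: 'u1', event: 'auth', method: 'whfb', result: 'success' },
  { user: 'u1', event: 'auth', method: 'whfb', result: 'success' },
  { user: 'u2', event: 'auth', method: 'security_key', result: 'failure' },
  { user: 'u2', event: 'auth', method: 'security_key', result: 'success' },
  { user: 'u3', event: 'auth', method: 'password', result: 'success' },
  { user: 'u3', event: 'ticket', category: 'password_reset' },
  { user: 'u4', event: 'ticket', category: 'vpn_access' },
  { user: 'u1', event: 'survey', score: 5 },
  { user: 'u2', event: 'survey', score: 4 },
];

const round2 = (x) => Math.round(x * 100) / 100;

// Aggregates one reporting period. totalUsers is the in-scope population; it
// is needed because users who never enrolled produce no enroll events.
function computeKpis(events, totalUsers) {
  const enrolled = new Set();
  let plAttempts = 0, plSuccesses = 0, passwordLogins = 0, passwordTickets = 0;
  const scores = [];
  for (const e of events) {
    switch (e.event) {
      case 'enroll':
        enrolled.add(e.user);
        break;
      case 'auth':
        if (PASSWORDLESS_METHODS.has(e.method)) {
          plAttempts += 1;
          if (e.result === 'success') plSuccesses += 1;
        } else {
          passwordLogins += 1;  // residual password use: the number to drive down
        }
        break;
      case 'ticket':
        if (PASSWORD_TICKET_CATEGORIES.has(e.category)) passwordTickets += 1;
        break;
      case 'survey':
        scores.push(e.score);
        break;
    }
  }
  return {
    enrolledUsers: enrolled.size,
    enrollmentRate: totalUsers > 0 ? round2(enrolled.size / totalUsers) : null,
    passwordlessSuccessRate: plAttempts > 0 ? round2(plSuccesses / plAttempts) : null,
    passwordLogins,
    passwordTickets,
    satisfaction: scores.length > 0 ? round2(scores.reduce((a, b) => a + b, 0) / scores.length) : null,
    enrolled,  // returned so the scheduler below can pick the next batch
  };
}

// Phased rollout: the next batch is the first `cap` not-yet-enrolled users in
// rollout order, where `cap` is the daily or weekly limit agreed with support.
function nextEnrollmentBatch(rolloutOrder, enrolled, cap) {
  const batch = [];
  for (const user of rolloutOrder) {
    if (batch.length >= cap) break;
    if (!enrolled.has(user)) batch.push(user);
  }
  return batch;
}

// Usage: five in-scope users, cap of two enrollments per cycle.
const kpis = computeKpis(SAMPLE_EVENTS, 5);
console.log(kpis);
console.log(nextEnrollmentBatch(['u1', 'u2', 'u3', 'u4', 'u5'], kpis.enrolled, 2));
```

A success rate well below your pilot baseline usually means a broken authenticator or an unclear prompt rather than user resistance, so track it per method, not only in aggregate.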

Reality check: passwordless authentication enhances security a great deal but is not without risks. A few examples:

  • Vulnerable devices such as users’ smartphones,
  • Use of insecure authentication factors (e.g. SMS or magic links),
  • Phishing attacks are still a thing.

As you implement a passwordless strategy, ensure that your organization has adequate controls to mitigate these risks.

Things to Keep in Mind

A thoughtful implementation strategy will ensure a smooth and seamless transition to a passwordless experience for your users. As you evaluate and assess your environment, don’t forget the following aspects; addressing them early will dramatically increase your chances of success and ensure a good user experience:

  • Legacy systems and flows: your organization will likely still need a password for certain users and use cases. Be prepared to provide a password manager for those users who still need it.
  • Expect users to forget their passwords more frequently than before: as passwordless adoption grows, users will need a reliable self-service password reset, with significant demand for it in the first few months of your rollout before it stabilizes.
  • If using biometrics at all: ensure that you have considered the privacy implications and the consent needed from your users before rolling out.
  • If your authenticators rely on your users’ access to a smartphone: validate with your governance and compliance team that proper reimbursements, or alternatives fully paid for by your organization, are in place.
  • If addressing administrative access: separate your authentication factors as much as possible between privileged and regular access. This can take the form of separate PKIs or entirely separate authenticators. Above all, practice an oil-and-water mentality between your regular and privileged authentication.
  • Deploying security keys: carefully plan the shipment and delivery of your keys; international shipping will be challenging, and be prepared for a degree of lost keys early in adoption.
  • Ensure you have detailed logging, auditing, and evidence collection systems and procedures in place.

Beyond Passwordless

It is important to also recognize that although passwordless authentication is a very good enhancement to identity security, it should not be considered an end-all, be-all solution. The next evolution is already here, with a few notable mentions:

  • Continuous rather than event-driven authentication will provide a high level of assurance of a user’s session as they work, provided the user experience remains a high priority.
  • Zero-trust and least-privilege principles complement a passwordless strategy perfectly by ensuring that privileges are granted only when they are absolutely needed and are automatically removed.
  • Identity proofing and Know Your Customer (KYC) methods will only increase the overall security and trust of passwordless authentications and sensitive user sessions.

In Conclusion

Although it will not be possible to eliminate all passwords from all use cases today, the time is now to push forward and address as much as possible, reducing the overall number of passwords in your environment. Consider that most users today experience some form of passwordless authentication in their daily lives. The concept is no longer strange, and it has come to be expected the more sensitive the data a service holds (e.g. banking, healthcare).

Passwordless authentication is no longer an emerging trend. It is a reality, and all organizations will benefit from it with an increase in security, improved user experience, and reduced operational costs. This transition requires careful planning, strong policies, and a scalable approach, but the benefits far outweigh the level of effort. The real question then is, can you afford to not implement passwordless?

References

1. https://www.ibm.com/reports/data-breach
2. https://www.cnet.com/news/privacy/gates-predicts-death-of-the-password/
3. https://www.cnet.com/news/privacy/google-security-exec-passwords-are-dead/
4. https://www.yubico.com/blog/separating-fact-from-fiction-in-your-journey-to-passwordless-authentication/
5. https://www.gartner.com/en/articles/5-impactful-technologies-from-the-gartner-emerging-technologies-and-trends-impact-radar-for-2022
6. https://www.fortunebusinessinsights.com/passwordless-authentication-market-109838

About the Author: Miguel Furtado is a senior leader in Identity and Access Management with over 20 years of experience shaping identity security strategies across healthcare, finance, and technology sectors. Passionate about identity-centric security, Miguel has led enterprise-scale identity transformations, driving innovation in IAM engineering, governance, and modern authentication frameworks. With deep expertise in identity integration for mergers and acquisitions, Miguel has played a key role in ensuring seamless identity consolidation, reducing security risks, and enabling scalable, secure access strategies during organizational transitions. A frequent contributor to industry discussions, research, and conferences, Miguel is recognized for bridging technical excellence with business strategy to help organizations build secure, scalable, and user-friendly identity ecosystems.

Learn more at IDMig.org
