Enterprises of all size and shape have to manage their employees, customers, and partners access to a variety of information. In most cases passwords are used as a gate-keeper to prevent unauthorized access to data and digital services. Passwords do an insufficient job at protecting said information and they also make it difficult for us to access the services we need for work, health, and entertainment purposes. In this article we’re trying to be as agnostic as possible whether you think about deploying passkeys to your workforce or customers. Some parts might be more relevant for one or the other of these scenarios.
When moving away from passwords, there is not one unique replacement, but rather a multitude of options that provide different grades of security, privacy, and may not be available to everyone in every situation. One of the most promising new standards is passkeys, built on FIDO2 and WebAuthn, that allows passwordless authentication on most modern platforms.
This article aims at giving Identity- or Security- professionals talking points and a framework to champion the adoption of passkeys within their organization. This consists of three main elements.
If you’re interested in reading up on what passkeys are and how they can help to reduce our reliance on passwords visit the website of the FIDO Alliance.
Why should an organization adopt passkeys?
Before you go out there and champion the move to passkeys in your organization, we should agree on some basics on what problems in your organization can be solved by reducing the reliance on passwords and introducing passkeys.
Passkeys replace passwords
The purpose of passkeys is to replace passwords on websites and applications. Initially deploying passkeys can be a step to reduce the reliance on passwords, which means that the account will still have a password, but users are only prompted for them when they can’t use passkeys to authenticate.
Your employees and customers are likely to experience the use of passwords with your organization at multiple touch points:
- Sign up
- On-boarding or registration
- Login & Re-authentication
- Access their data
- Login to a service
- Recurring re-authentication to refresh a session
- Transaction confirmation / critical actions
- Confirm transactions
- Confirm intent to take critical actions
These touch-points, where your employees and customers have to provide a password, can occur more or less often, depending on how you define your policies and if any external (regulatory) requirements apply to your situation.
Generally speaking, each of these touch-points follow the same structure of things that can happen when someone is asked to provide their password:
With this in mind, you should think about what passwords mean to your organization and who would benefit from replacing them.
- What’s the cost and harm resulting from account-takeover for your organization?
- What’s the cost of maintaining your password-based infrastructure?
- How does the churn of users who forgot their passwords impact your business goals?
- How much do you spend to get people back into their account when they lost their passwords?
Think about all the teams in your organization that could benefit if the costs mentioned above would significantly reduced.
Internal stakeholders
As mentioned above, the focus of this article is to discuss potential stakeholders in your organization you want to get on board if you want to champion investments in going passwordless with passkeys. In order to justify any investment in your existing infrastructure, you need to understand the problem that can be solved or reduced by doing so.
In most organizations these answers might not be readily available or spread across the company in the minds and folders of different people.
B2C or B2B: Customer acquisition and retention
If you run an online platform through which your customers can access your services, it’s very likely that they need some sort of credentials to access the service. When new users sign up for your service they have to create a new password and remember it.
Signing up for a new service can put a significant mental load onto a person. Coming up with a username and a password can feel overwhelming for some people and lead to increased drop-off rates. Talk to the people responsible for this process to understand how much they know about password-related drop off and assess how much of an issue this might be for them.
Later when customers want to login to their accounts (from new devices) they will again encounter the dreaded password prompt. People who don’t remember or lost access to said password are at risk of churning out. This harms retention and increases the overall cost of acquiring customers. Does your business team know how much of the churn you experience is connected to password issues?
Enterprise: IT Support
Passwords can be hard to remember, especially if you have many of them. Talk to your IT Support team to understand how much of their cost comes from this problem. How many people contact them in a given month because they forgot their passwords? How much money do they spend to maintain this process - human guided or self-serve?
It’s also worth talking to them about how going passwordless could help them achieve other goals they have within the IT organization. Do they want to increase the satisfaction of their internal customers?
Enterprise & B2C/B2C: Security & Compliance
I put this last intentionally, because that’s likely the one you have thought about first, or are a part of anyway. Knowing how much harm and costs are caused by issues related to passwords is an important start to this conversation. What’s the level of account-take over within your responsibility? Are there compliance issues that come with having weak authentication methods like passwords?
Set the right expectations
Once you know how passwords impact the goals of your internal stakeholders, set realistic expectations how passkeys can help them. Help them understand that there’s no silver bullet. Just because passkeys aren't one, they shouldn’t wait for one to come.
Setting realistic expectations requires you to talk about the limitations of passkeys and what factors play a role that are outside of your control.
- Passkey support is not universal: Especially if you have a consumer deployment, there will be people using devices that don’t (yet) support passkeys. While an iphone released two years ago can be upgraded, the old Android phone from 2015 is unlikely to ever get an update making it passkey-compatible. Either these users won’t be able to use your service, or you need to provide adequate alternatives.
- It’s hard to mandate anything: Depending on how forceful you want to be in mandating a password-alternative, some people will hesitate to change the way they do things. Most of your users or employees haven’t been waiting eagerly for this new technology and the fact alone that it’s new won’t necessarily motivate them to change anything. Education and being opinionated is important, but not easy.
- Some people will lose their passkey: Since passkeys are tied to the underlying platform accounts - i.e. iCloud, Google, Microsoft - they can be lost. Some people will lose access to these accounts and require a path of recovery.
- Nothing is bulletproof: While passwords are the easiest and cheapest way for account-takeover, they are not the only cybersecurity thread you're going to face. If your services are attractive enough for bad actors, they will look for other ways to compromise your employees and customers. Don’t fire your Security team.
Conclusion
Like most other IT projects, going passwordless is an interdisciplinary process. It impacts the way you build your services, help your users, and deal with security issues. If you understand the benefits and trade-offs you have to make beyond your own part of the journey, you’ll be more likely to find allies in getting the most out of this transition.
Check out a passkey demo experience here.
About Dario Salice
Dario is an authentication subject matter expert with decades working with the most loved consumer digital products at Facebook (Meta) and Google specifically in identity and trust. Dario has spent time representing Meta on the board of the FIDO Alliance championing investments in areas such as User Experience.
Recently Dario moved to a role taking on advisory and consulting mandates to help organizations build and integrate great identity solutions.
He also founded ProtectYour.Business a platform to help Freelancers and Small Businesses get out of the “security poverty line” that makes them disproportionately more vulnerable to scaled cyber attacks.
