How to set up passwordless authentication in 4 steps

By: Reinier Aerdts, Hemang Davé and Chris Kirkpatrick

When multi-factor authentication (MFA) was introduced, it revolutionized end-user security, significantly reducing the risk of breaches, account takeovers and data theft that were common with traditional password systems.

Despite the pivotal role MFA has played in advancing password technology, it has not been without drawbacks. From the onset, MFA brought about various security and accessibility challenges, signaling a clear need for further innovation.

Enter passwordless authentication.

Passwordless security leverages passkeys—digital credentials linked to user accounts and specific websites or applications—to authenticate users without usernames, passwords or additional authentication factors. This shift offers the opportunity to heighten security against threats like phishing and aims to streamline the user experience.

Transitioning to passwordless authentication has been found to save enterprises roughly USD 1.4 million in costs over conventional password-based systems.¹

However, shifting to passwordless authentication is a significant undertaking. Passwords remain one of the most familiar, trusted forms of authentication and are deeply embedded in our habits and preferences. Successfully navigating this transition requires a careful planning and implementation strategy that considers the technical, organizational and user aspects.

Consider our four-step plan:

1. Implement alternative options to passwords with passkeys

The first step organizations should take to set up passwordless authentication is to implement passkeys as an alternative option to passwords, allowing users to choose their preferred authentication method. This involves setting up the technical infrastructure for passkeys, such as an identity provider, a device attestation service and a user enrollment process. As part of this first step, organizations should also consider educating users about the benefits and features of passkeys—and encouraging them to explore this tool for themselves, at their own pace. The advantages of this approach are that:

• Users can experience the convenience and security of passkeys without giving up their passwords.
• Organizations can test the functionality and performance of passkeys while gathering user feedback.
• Organizations can use internal experts to champion the pilot and drive company-wide adoption, then measure the adoption and usage of passkeys while identifying potential barriers.
  

2. Enable new authentication options on key applications

The second step to setting up passwordless authentication is to reduce the use of passwords by enabling passkeys on key applications, such as email, cloud services and VPNs. This involves configuring applications to support passkeys and enforcing passkeys as the default authentication method.

To smooth this transition, organizations should consider prioritizing communication with users, providing them with support and guidance about the changes entailed. Some benefits of this approach include:

• Users can access their most important and frequent applications with passkeys, without having to enter passwords.
• Organizations can reduce the exposure and reliance on passwords and improve the security and compliance of their applications.
• Organizations can monitor the impact and benefits of passkeys and adjust their strategy accordingly.

3. Transition into strategic passwordless deployment

The next step would be transitioning into strategic passkey deployment as the primary approach by enabling passkeys on all applications and services. Importantly, this requires disabling passwords as an option. Consider also enabling additional security assurance through adaptive or risk-based authentication, coupled with your passwordless strategy.

When taking this step to set up passwordless authentication, organizations will need to integrate and migrate all their applications to passkeys, removing password fields and prompts from the user interface. To drive transformation and understanding of company-wide adoption, a change management program will need to be deployed to notify users about the passwordless transition and provide further training and support. The benefits of this approach are:

• Users can access their apps and services with passkeys, without a password.
• Organizations can eliminate the risks and costs associated with passwords.
• Organizations can leverage the full potential and value of passkeys and enhance user experience and satisfaction.

4. Eliminate passwords from identity directory

The fourth and final phase of setting up passwordless authentication is eliminating passwords from the identity directory by deleting the password hashes and attributes from user records.

Before taking this step, organizations will need to verify that all applications and services are fully compatible with passkeys, and that no passwords are required or stored anywhere. This means auditing and reporting on the passwordless status—but also celebrating the not-insignificant achievement of this transition. The benefits are:

• Users can enjoy a truly passwordless experience without worrying about password breaches or leaks.
• Organizations can achieve the highest level of security and privacy in compliance with standards and regulations.
• Organizations can showcase their leadership and innovation in passwordless authentication.

Why make the transition to passwordless?

Despite the clear advantages of transitioning to a passwordless authentication framework, it’s normal for teams to feel hesitant or maintain some reservations. Here are the most common questions we field from our customers:

Does moving to passwordless make financial sense?
MFA systems can be costly, but significant gains can be made by eliminating the expenses associated with maintaining that infrastructure.¹

Is the transition worth the required time investment?
Yes, and it’s about the long game. Start with stakeholders who are seeking optimized experiences. They can become champions for passwordless within your organization, touting the value and advocating wider adoption.

What may help motivate our team or our investors to shift to passwordless?
From an end-user perspective, passwordless access speeds logins and minimizes common pain points associated with traditional passwords. Additionally, by eliminating the need for passwords, additional devices, fobs or personal information, passwordless authentication enhances the overall user experience.

Reinier Aerdts is a Client Technical Leader at Kyndryl, Hemang Davé is a Client Technical Leader at Kyndryl and Chris Kirkpatrick is a Director of Offering Management in Kyndryl's Global Digital Workplace Practice

1. Organizations can save $1.9 million using workforce passwordless authentication, Help Net Security, November 2021.