
Best Practices for a Smooth Transition to Passwordless Authentication

Passwordless Authentication


Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Vikram Subramanian of 1Kosmos establishes some best practices for creating a smooth transition to passwordless authentication.

A migration to passwordless authentication is the proverbial journey of a thousand miles. If the first step is planning the transition, implementation is the long march that follows, when all sorts of things can go wrong.

A haphazard migration that merely replaces passwords without rethinking access policies and privileges is a recipe for trouble. The deployment could drag on or fail, while significant missteps early in the process can turn key stakeholders into objectors and doom the project. An effective transition to passwordless can avoid the worst pitfalls of deployment, smooth out bumps on the road and let the project managers score some early wins that can enhance the stakeholder buy-in.


Passwordless Authentication: Best Practices for a Smooth Transition
The road to passwordless authentication can be rough. Some best practices for a smooth transition include:

  • Start gradually: Don’t try to do everything at once. Avoid a “big bang” and migrate departments to the new passwordless architecture in stages. Communicate with users to let them know the advantages of the new passwordless environment. Score some early wins by focusing on the three most heavily used systems—for example, virtual or personal desktops, remote access, and Single Sign-On gateways, which typically make up about 80 percent of password-based user interactions in most organizations. These can be deployed rather quickly without affecting authentication on other systems, and they reduce friction significantly, which leads to good reviews from users. Altogether, this lets the transition team put some checks in the win column while also sharply reducing the attack surface in the network.
  • Provide options: It’s worth remembering that most people resist change, even when it improves their user experience, so consider coexistence as a deployment strategy, with side-by-side passwordless and legacy login, so users can choose when to make the move. Resistance will dissipate as the holdouts see how it works out for other users, and they will move of their own accord, out of curiosity, rather than under a corporate mandate they may resent and resist. One key advantage of passwordless is that it abstracts authentication away from individual applications or SSO, which makes moving between applications seamless for users. It can also make the migration to new applications transparent to users. For example, when switching VPN products, users can scan a QR code and their face to verify their identity, instead of being issued a new username/password and establishing a new two-factor authentication experience. Users won’t know anything has changed, and the switch will be a lot less labor-intensive for the IT staff.
  • Track progress and adjust: Change management is a continuous improvement process. When an organization makes the transition to passwordless, it needs to review and analyze the process as it progresses, to make sure the migration is working. Without this analysis, there is no way to prove the return on this investment to stakeholders. In the planning stage, the team should have established a timeline and some baselines, such as administration cost and help desk times, and chosen key performance indicators (KPIs) to measure progress. Performance metrics such as login success rates, time to authenticate and user adoption rates are easily measurable and demonstrate time to ROI to stakeholders. As the process moves forward, collecting feedback is important, and it is a step that is often overlooked. Feedback sessions and surveys can provide insights into the user experience and any challenges that emerge. Additionally, monitoring performance metrics gives staff a view into the overall effectiveness of the project. This migration is not a one-and-done process; it will need to be adjusted based on ongoing progress, implementing changes where the process falls short, or considering where new technologies will fit into a passwordless strategy if they’re added to the stack. Regular reviews will make sure the passwordless architecture is meeting the organization’s needs and business goals.
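The KPIs named above (login success rate, time to authenticate, user adoption) are straightforward to compute from an identity provider's authentication events once the events are tagged with the method used. The script below is an added example written for this article, not code from the author or from 1Kosmos; it runs over a small set of constructed events (the department, user, method, outcome and auth-time fields are assumptions, not any vendor's log schema) and reports the per-method KPIs, the per-department adoption figures that a coexistence rollout produces, and the departments that fall short of an adoption target so the team knows where to adjust.

```python
"""Migration KPIs from authentication events (constructed example data)."""
from collections import defaultdict
from statistics import median

# Constructed sample events: (department, user, method, outcome, auth_time_ms).
# In a real deployment these would be exported from the IdP's sign-in log.
EVENTS = [
    ("finance", "alice", "passwordless", "success", 1800),
    ("finance", "alice", "passwordless", "success", 1500),
    ("finance", "bob",   "password",     "failure", 9000),
    ("finance", "bob",   "password",     "success", 7500),
    ("finance", "carol", "passwordless", "success", 2100),
    ("eng",     "dave",  "passwordless", "success", 1200),
    ("eng",     "dave",  "password",     "success", 6000),
    ("eng",     "erin",  "password",     "failure", 11000),
    ("eng",     "erin",  "password",     "failure", 10000),
    ("eng",     "erin",  "password",     "success", 8000),
    ("eng",     "frank", "passwordless", "failure", 3000),
    ("eng",     "frank", "passwordless", "success", 1600),
]


def kpis_by_method(events):
    """Login success rate and median time-to-authenticate for each method.

    Median (not mean) is used for auth time so a few stalled attempts do not
    dominate the figure; only successful attempts count toward it.
    """
    by_method = defaultdict(list)
    for _, _, method, outcome, ms in events:
        by_method[method].append((outcome == "success", ms))
    report = {}
    for method, rows in by_method.items():
        success_ms = [ms for ok, ms in rows if ok]
        report[method] = {
            "attempts": len(rows),
            "success_rate": len(success_ms) / len(rows),
            "median_auth_ms": median(success_ms) if success_ms else None,
        }
    return report


def adoption_by_department(events):
    """Per department: users who have fully moved to passwordless, and the
    share of all logins that were passwordless (the coexistence picture)."""
    methods_used = defaultdict(lambda: defaultdict(set))  # dept -> user -> methods
    login_counts = defaultdict(lambda: [0, 0])             # dept -> [pwl, total]
    for dept, user, method, _, _ in events:
        methods_used[dept][user].add(method)
        login_counts[dept][1] += 1
        if method == "passwordless":
            login_counts[dept][0] += 1
    report = {}
    for dept, users in methods_used.items():
        migrated = sum(1 for m in users.values() if m == {"passwordless"})
        pwl, total = login_counts[dept]
        report[dept] = {
            "users": len(users),
            "fully_migrated_users": migrated,
            "user_adoption": migrated / len(users),
            "passwordless_login_share": pwl / total,
        }
    return report


def departments_needing_attention(events, adoption_target=0.5):
    """Departments whose fully-migrated user share is below the target,
    i.e. where the rollout plan should be revisited."""
    adoption = adoption_by_department(events)
    return sorted(d for d, r in adoption.items() if r["user_adoption"] < adoption_target)


if __name__ == "__main__":
    for method, kpi in kpis_by_method(EVENTS).items():
        print(f"{method:13s} attempts={kpi['attempts']:3d} "
              f"success={kpi['success_rate']:.0%} median_ms={kpi['median_auth_ms']}")
    for dept, r in adoption_by_department(EVENTS).items():
        print(f"{dept:8s} migrated {r['fully_migrated_users']}/{r['users']} users, "
              f"passwordless logins {r['passwordless_login_share']:.0%}")
    print("below adoption target:", departments_needing_attention(EVENTS))
```

Comparing the two method rows side by side is what gives stakeholders a baseline: the password row is the pre-migration figure, the passwordless row is the new one, and the gap between them (success rate, median auth time) is the measurable part of the ROI story. The per-department adoption figures are what the "start gradually" and "provide options" steps are judged by.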

The goal of change management in a passwordless migration is to bring staff, partners, and clients into a modern, secure authentication process, simply and with a smooth user experience. This development accomplishes the key objective of managing digital transactions in the same way as in-person interactions while minimizing fraud threats and attack surfaces in the network. With a smooth deployment, the organization can manage those risks without disruptions and protect the network from the constant threat of ransomware attacks and data breaches, despite a rising tide of credential-based attacks.

Vikram Subramanian