Everyone seems to agree that passwords and password management are a pain. Many universities have adopted multifactor authentication, but most MFA deployments still use a password as one of the factors, so phishing and credential theft remain a concern. Organizations adopting zero-trust security measures may want something stronger.
Passwordless authentication is MFA without a password. Instead of something the user knows, it relies on something the user has (a cryptographic key held on a laptop, phone or hardware security key) combined with a local unlock such as a biometric or device PIN. The underlying standards, FIDO2 and WebAuthn (presented to end users as passkeys), are already supported by Microsoft, Apple and Google in their products and services.
Here are four things university IT leaders should keep in mind when considering whether to adopt passwordless authentication.
1. It Can Be Rolled Out Gradually
For example, you could start with a pilot for some of your administrative employees, especially those most likely to be targeted by attackers. Then you could expand the pilot to include more administrative staff and any other users who volunteer for early adoption. Over time, you could make passwordless authentication available to many more university users.
2. Alternative Authentication Factors Should Be Identified
It’s likely that your staff won’t all be able to use the same authentication factors. For example, some may have computers or mobile devices that lack a biometric sensor or a built-in platform authenticator, while others may be unable to use a particular biometric. Those users can be issued a hardware security key (for example, a FIDO2 key) instead. Whatever the mix, let each account register more than one authenticator, so that a lost or broken device does not lock the user out or force a fallback to passwords.
3. Users Will Likely Still Have Some Passwords and PINs
The most common shortcoming of passwordless authentication is that legacy systems and applications are unlikely to support it, so some single-factor passwords or password-based MFA will remain; inventory those systems early so you know where passwords will persist. Also, a passwordless authenticator often requires a PIN (or a biometric) before it will sign a login challenge. That check is local to the device: the PIN only unlocks the private key stored on the authenticator and is never sent to the server, so a PIN learned by an attacker is useless without that specific device.
4. Physical Safeguards Are Necessary
Your employees may think that passwordless authentication makes their computing more secure. It does, but an attacker who gains physical access to a user’s device and physical credentials, such as a hardware security key, may still be able to masquerade as the user, especially if the authenticator is configured to sign without a PIN or biometric check. Educate your staff on the physical security precautions they should take on and off campus, and make sure they know how to report a lost device or key promptly so it can be revoked.