Nov 08 2022

Security

4 Things to Know About Passwordless Authentication

A step beyond multifactor authentication, passwordless platforms offer stronger security.
Karen Scarfone
by

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

Everyone seems to agree that passwords and password management are a pain. Many universities have adopted multifactor authentication, but MFA still requires the use of passwords. Organizations adopting zero-trust security measures may want to look for something stronger.

Passwordless authentication is MFA without a password. Instead, it uses biometric verification, cryptographic keys and other types of authentication factors frequently supported by existing devices. Companies such as MicrosoftApple and Google already support these standards in their products and services.

Here are four things university IT leaders should keep in mind when considering whether to adopt passwordless authentication.

1. It Can Be Rolled Out Gradually

For example, you could start with a pilot for some of your administrative employees, especially those most likely to be targeted by attackers. Then you could expand the pilot to include more administrative staff and any other users who volunteer for early adoption. Over time, you could make passwordless authentication available to many more university users.

Click the banner below to receive exclusive content about cybersecurity in higher ed.

Insider security CTA Insider security CTA — mobile

2. Alternative Authentication Factors Should Be Identified

It’s likely that your staff won’t all be able to use the same authentication factors. For example, some may have computers or mobile devices that don’t support biometrics, while others might not be able to use particular types of biometrics. These workers might need to be issued a hardware authentication token instead.

3. Users Will Likely Still Have Some Passwords and PINs

The most common shortcoming of passwordless authentication is that legacy systems and applications are unlikely to support it, so some use of single passwords or password-based MFA will be necessary. Also, passwordless authentication sometimes requires a PIN to be effective, but this is for local device authentication only; a stolen PIN cannot be reused from another device.

4. Physical Safeguards Are Necessary

Your employees may think that passwordless authentication makes their computing more secure. It does — but an attacker who gains physical access to a user’s device and physical credentials, like a hardware token, can use them to masquerade as the user. Educate your staff on the physical security precautions they should be taking on and off campus.

hakule/Getty Images

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now