As the world continues to adapt to the pandemic, many organizations have opted to keep their workforce at home for a longer time. Some are even changing how they operate and introducing hybrid models with employees spending time working both in office and remotely. This hybrid workforce is already presenting many challenges for IT teams – one of them being password security.
Passwords have become one of the main sources of frustration for IT teams and users alike. In fact, today’s IT teams are spending an average of six hours a week on password-related issues alone – an increase of 25% from 2019. On top of that, resetting, remembering, and changing passwords continue to drive users to reuse their credentials across accounts, including personal and business logins, putting critical information at risk.
While passwords have always been a prime target for malicious actors, this has only increased with the rise in remote work. From password stuffing to brute force attacks, threat actors continue to capitalize on moments in time like COVID-19 and rely on us – users – not following online security best practices. So, what can be done to alleviate password challenges? This is where passwordless authentication comes in.
Improving Security Through Passwordless Authentication
In our latest LastPass report, “From Passwords to Passwordless,” we found that 92% of IT professionals believe that delivering a passwordless experience for end users is the future for their organization. Yet, 85% do not think passwords are going away completely. A passwordless approach is not a replacement for passwords, but a complement to them, and more importantly, a critical security improvement.
Passwordless authentication provides employees with a user-friendly and secure login experience to their work accounts and devices – no matter where they access them from – while eliminating the use of a password. It brings several benefits, such as reduced IT costs by eliminating password-related risks, increased productivity among employees as they save time on remembering and/or changing passwords, and stronger security by enforcing stronger passwords that employees don’t need to remember and guarding every access point with more secure forms of authentication.
There are several methods organizations can implement to go passwordless:
- Single Sign-On (SSO) – Relying on authentication through SSO can simplify managing access and provide employees an easy and secure way to log in no matter where they are working. SSO contributes to a higher level of general security because no passwords are used. Through a catalog of pre-integrated apps, IT can provision or deprovision access as needed. SSO lets employees reduce the number of passwords they must remember or update, boosting their productivity and minimizing the risks associated with credentials.
- Enterprise Password Management – The challenge is achieving a universal passwordless experience. Not all apps can be authenticated through single sign-on. That’s where password management can help fill the gaps. With an integrated enterprise password manager, users can manage all their other passwords in one secure vault. For organizations with an existing identity provider in place such as Azure AD, the LastPass master password can be eliminated through federation, so your existing identity provider can be used to authenticate to LastPass. Employees truly only have one username and password to remember – their identity provider credentials – and the rest is managed by the identity provider and LastPass combined.
- Multifactor Authentication (MFA) – Enabling MFA allows IT teams to manage access at the individual user level, for defined groups, or even by job role. MFA is unique in the sense that before granting access to an application it takes into consideration different “factors,” from location and IP address to biometrics, versus only one “factor” – as passwords do. This not only streamlines the process for the end user, it also improves IT’s confidence in the identity of the person requesting access.
Whether you choose one of the methods listed or a combination of them, a passwordless approach eliminates the manual input of passwords. Remember that passwords will still be in use behind the scenes. That’s why organizations should couple a passwordless login experience for employees with enterprise password management like LastPass for every password that is still in use. This secures every access point while delivering a seamless login experience, adds another layer of security, and helps users easily manage their own accounts to make their login experience smoother.
From users’ devices and Wi-Fi connection, to the apps and the websites they frequent, remote work has increased the risks and the variables that need to be considered. Passwordless authentication has the potential to provide convenient access and strengthened security that today’s organizations need to navigate this new environment.
Read the report From Passwords to Passwordless for more information on how password security has changed in the remote work environment and visit LastPass.com to learn how to easily help your organization go passwordless today.
Gerald Beuchelt, Chief Information Security Officer at LogMeIn
Gerald Beuchelt is the Chief Information Security Officer at LogMeIn, maker of the password and identity management solution LastPass. He is responsible for the company’s overall security, compliance, and technical privacy program. With more than 20 years of experience working in information security, he is a member of the Board of Directors and the IT Sector Chief for the Boston Chapter of Infragard. In his prior role, Gerald was the Chief Security Officer for Demandware, a Salesforce Company. He holds a Master of Science degree in theoretical physics.