Passwordless Security Guide
Password Elimination Guide
While identity challenges and IT environments can be complicated, your passwordless journey should be simple. This guide contains best practices, tips, and an outline of how organizations are achieving company-wide deployments of True Passwordless MFA. This guide can be downloaded as a PDF or viewed as a single page below.
Who Should Read this Guide?
This guide is for IAM buyers, IT Managers, C-Level Executives and business leaders who are deploying passwordless authentication to their workforce. It doesn’t matter how mature your identity program is or how many of your employees use Multi-Factor Authentication. This guide assumes your organization has a desire to move away from passwords and legacy 2-Factor Authentication such as OTP and SMS 2-FA.
1. Deploy Desktop MFA
Your workstation is the first thing you log into each day and it’s where your passwordless journey should begin. Whether it’s a Windows 10, Windows 7, or macOS workstation, your desktop remains the front door to the workforce experience. Most companies have a large Desktop MFA gap, so closing it quickly will deliver the fastest time to value for your peers.
Following an initial user pilot, initiate a company-wide deployment of Passwordless Desktop MFA. Once you secure the front door, all other passwordless use cases are attainable.
What’s the Impact?
- Best-in-class workforce login experience.
- Faster login speeds lead to increased productivity.
- Happy employees who feel more secure can accomplish more.
- An IT Team and Helpdesk that sees fewer password reset calls.
How Does it Compare with Legacy Methods?
Here’s a video comparison of HYPR vs Legacy MFA for Desktop Login:
Employees spend up to 24 hours each year typing in passwords, and workstation login accounts for the majority of that time. Once you introduce Desktop MFA your employees will be excited to log into their workstations with their smartphone. It’s a new experience that’s fast, easy and intuitive.
2. Connect Your Single Sign-On
The next step is to enable HYPR for your Single Sign-On (SSO) provider. If we think of the workstation as the front door to a building, then SSO is the elevator that gets your employees to where they need to go. Deploying True Passwordless MFA for your Identity Provider is critical and allows you to cover many more use cases. These include web applications, VPN, 3rd party applications, and other services that typically rely on passwords.
HYPR supports your Identity Provider out of the box so you don’t need to displace any technologies or make changes to your infrastructure. Simply activate your IdP in your HYPR Control Center and invite your users to enroll HYPR for their SSO.
What’s the Impact?
- Users don’t need to remember a password for their web login
- Even fewer password inputs deliver an even more productive experience
- Applications are easily accessed with passwordless mobile-to-web login
- IT and Helpdesk teams field even fewer VPN password lockouts
How Does this Look for My SSO Provider?
Here’s a demo video of True Passwordless Single Sign-On:
Passwordless Adoption at this Stage:
With SSO covering most of your applications, almost all password-based logins are now replaced with HYPR. What happens when users discover they no longer have to remember their SSO password? They rip up those password sticky notes.
3. Disable Unnecessary OTP Licenses
At this point most of your employees are using passwordless authentication. You most likely won’t need all of those expensive OTP licenses. Some applications that haven’t been transitioned to your SSO might still require legacy OTP, but those typically make up <10% of an organization’s login footprint. Remember: you can still use OTP from your existing provider, but there’s no reason to delay passwordless progress.
Traps to look out for
Just as your passwordless journey is progressing, an incumbent MFA vendor suggests you slow down. They might try to justify keeping OTP, SMS 2-FA, or, worse, stronger passwords(!). It’s not that they disagree with you using True Passwordless MFA, it’s just not their primary focus. Some might suggest you still need OTP because there are apps that just won’t work without it. Even if this is true, it still means you need fewer OTP licenses, especially since those applications will be tied to your SSO soon enough.
A legacy provider might also promise you a transition plan to go from OTP to True Passwordless. Not only can this set you back 1-3 years, such a transition is unlikely because there is no incentive for people to make the switch. Ask such vendors “Why would our users voluntarily change behavior and stop using One-Time Passwords if they are still available?” Delaying a passwordless rollout means it likely won’t happen.
OTP is Free if You Really Need It
You shouldn’t be paying for it. If you absolutely must use an OTP product, we recommend one of the many free solutions such as Google Authenticator.
When your legacy MFA Provider tries to convince you to keep using legacy 2FA, SMS, or OTP, you risk getting trapped using passwords forever. When your leadership team finds out they can significantly reduce IAM costs and make more of the existing authentication budget, that’s a win for everyone.
Not Sure if You’re Being Delayed?
Learn how to spot The Differences Between Passwordless Marketing and Passwordless MFA.
4. Enable Smart Card Enforcement
It’s time to enforce passwordless authentication. At this point your users are familiar with passwordless and have been using HYPR regularly to log into their workstations, SSO portals, web applications and VPN. Now is the best opportunity to complete your company-wide passwordless transformation.
Remember: you don’t need to mandate passwordless MFA until you are ready and comfortable. Enforcing passwordless authentication as a mandatory login can be done at any time. Smart Card enforcement can be configured for user groups by an AD Administrator by enabling “Smart Card required for interactive login.”
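The following script is an added example, not part of the HYPR guide, showing how an AD administrator can audit and enforce the “Smart Card required for interactive logon” account flag for a rollout group. It assumes the RSAT ActiveDirectory module, a domain-joined admin session, and a placeholder group name (`Passwordless-Enforced`) that you replace with your own.

```powershell
# Added example (not from the HYPR guide): audit and enforce the AD
# "smart card required for interactive logon" flag for a group's members.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
# The group name is a placeholder; substitute your pilot or rollout group.
Import-Module ActiveDirectory

$GroupName = 'Passwordless-Enforced'   # placeholder rollout group

function Get-SmartcardEnforcementReport {
    param([Parameter(Mandatory)][string]$Group)
    # Recursive so nested groups are covered; only user objects matter here.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Properties SmartcardLogonRequired, Enabled
        } |
        Select-Object SamAccountName, Enabled, SmartcardLogonRequired
}

function Enable-SmartcardEnforcement {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Group)
    Get-SmartcardEnforcementReport -Group $Group |
        Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
        ForEach-Object {
            # Setting this flag makes the DC replace the account's password
            # hash with a random value, so anything still relying on that
            # user's password (scripts, mapped drives, service logons) breaks.
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Require smart card for interactive logon')) {
                Set-ADUser -Identity $_.SamAccountName -SmartcardLogonRequired $true
            }
        }
}

# Dry run first, then enforce, then verify that nobody was missed.
Enable-SmartcardEnforcement -Group $GroupName -WhatIf
Enable-SmartcardEnforcement -Group $GroupName
Get-SmartcardEnforcementReport -Group $GroupName |
    Where-Object { -not $_.SmartcardLogonRequired } |
    Format-Table -AutoSize
```

Run the audit report against the pilot group before enforcing so that any account still used for password-based service logons can be excluded or remediated first.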
What’s the Impact?
- Significantly improved security companywide
- Consistent workforce login experience for all passwordless use cases
- Fewer legacy 2FA tokens to manage = Happy IT Team
- No need for multiple MFA apps = Happy users
- Heavily reduced IT/IAM costs = Happy leadership
How do You Prepare Your Help Desk for Passwordless?
Your help desk is used to “I forgot my password.” In a passwordless environment, the volume of support calls goes down as passwordless logins go up. Previously rare support requests such as “I lost my phone” will come up more often, so it’s important to have a help desk that is trained and ready for any passwordless request they encounter. Follow the HYPR Help Desk Guide to give your Help Desk and IT teams a reference for helping people with setup and troubleshooting.
Passwordless Adoption at this Stage:
Smart card enforcement ensures people must use passwordless MFA to log in, and introduces new use cases such as RDP. What happens when people discover they no longer have to remember their SSO password? They start tearing up those password sticky notes.
5. Secure Those Legacy Applications
At this point the only applications remaining that aren’t tied into your True Passwordless MFA system are legacy apps that require passwords. These might be very old financial applications, embedded systems or unsupported enterprise software.
As your passwordless apps become faster and easier than the legacy OTP login, more users who experience the speed of HYPR will want to make the switch. There are a few ways for your IAM and IT teams to bridge the gap for these password-based applications.
Add these Apps to your SSO
The passwordless users are experiencing hundreds of hours in improved productivity and the rest of the company wants to experience the same. Use this opportunity to drive the remaining applications to your Single Sign-On.
Replace the OTP with a PAM Solution
Add the application to a Privileged Access Management (PAM) provider. This creates a meaningfully better user experience while reducing your reliance on OTPs and passwords.
Integrate True Passwordless into Your Apps
For applications that can’t be tied into your SSO environment, HYPR provides an SDK that can be integrated into these applications directly.
6. Congratulations, You Eliminated Passwords
You have joined the world’s most secure organizations in eliminating the #1 cause of security breaches. Your users are more productive, your IT team is much more efficient, and your workforce experience has improved significantly. As you continue your Passwordless Journey, the important thing is to stay the course and avoid going backwards.
Your Next Task is to Stay True Passwordless
- Don’t introduce password-based login for new apps.
- Avoid password managers — they’ll take you backwards.
- Don’t increase your legacy 2FA/OTP footprint.
- If utilizing hardware security tokens, only use FIDO-Certified, PKI or smart-card based approaches.
- Continue to use Single Sign-On everywhere possible.