How to Start Your Passwordless Journey: Enable Flexible Authentication Options
If you already read our first post about getting started on your passwordless journey, you’ve already learned about the importance of cataloging the applications in your environment and building a plan around them.
Once you’ve done that though, a critical next step is answering this question: Once you remove the password, what exactly are users going to use to authenticate?
Evaluating your authentication options
Duo has always focused on providing a variety of authentication options for end users. We understand that your business needs often determine what factors are possible to use, and we designed our product to meet those requirements.
However, for 2FA, we do have strong opinions on the security value of different authenticators. You can see this reflected in how we present authentication registration options to end users in our Universal Prompt! Our end goal is helping you encourage end users to enroll the most secure factors: FIDO2-backed biometrics or security keys.
However, we also recognize that this may not be feasible for your organization. In fact, you may have spent the last few years just focusing on getting your users away from things like SMS and Phone Calls and looking at biometrics is a significant uphill climb! This is why we provide a variety of other more flexible factors, including Verified Push, which is designed to increase the security of our most common authentication method, Duo Push.
Finally, we advocate actively evaluating the context of each authentication using Risk-Based Authentication (RBA), which can dynamically determine what authenticator types are appropriate given the risk of a specific authentication.
For passwordless, however, we have even stronger opinions. A passwordless authentication must always still be a true multifactor authentication. This means only certain factors like FIDO2 backed biometrics and security keys, or Duo Push for Passwordless are appropriate in a passwordless context.
Choosing the right authentication for your organization
So how can you think about deploying these in your environment?
First, start by evaluating what FIDO2 options are available in your environment today that you may not be leveraging:
Biometric-Capable Devices: Many organizations are already buying laptops that are biometric-capable, but do not have a process instituted to actually get users to enroll in them! We’ve seen customers in our preview drive biometric adoption from low numbers to a high majority of end users simply by focusing on this problem alone.
Security Keys: If you’re already spending on hardware tokens, evaluate the potential to leverage FIDO2-capable security keys instead. Duo’s solution allows for seamless self-service enrollment of security keys leveraging our Self-Service Portal, which reduces the management overhead you may be familiar with from older hardware tokens.
Duo Mobile: Leverage Duo Mobile for Passwordless! We recognize many customers rely on mobile devices as a critical part of their authenticator strategy for 2FA today and we don’t expect this to change right away in a passwordless world.
Second, start with a small set of users and build a plan around them. Duo’s Device Insights can help you identify users already leveraging modern authenticators or Duo Mobile in your environment today.
If you don’t have a ready set of users with authenticators, you can consider purchasing a set of Yubikeys and doing a pilot or enabling Windows Hello for a group of users. In many cases, we’ve found customers’ help desk processes are built around password-based use cases, and there are things you have to consider and plan for in a passwordless world that may not be top of mind today. Starting with a small group can help you iron these out before scaling to your wider organization.