How to Start Your Passwordless Journey: Get the Applications Ready
Tell me if this sounds like you - over the last few years, you’ve steadily increased the length and complexity of your password requirements for users. Now, you’re constantly feeling the pain as users grapple with the poor experience of managing passwords.
You’ve heard the hype around passwordless and you’re actively exploring how you get your organization from A to B, but you’re wondering where to get started.
If this sounds like you, here are three steps you can think about as you’re defining a passwordless strategy for your organization!
Step #1: Understand your environment and goals
The most important first step is having a clear view of how the applications in your environment authenticate today. For each application, you have to ask - is there a way for me to remove the password from the authentication flow?
For some applications, this is easy! Modern applications that authenticate via SAML or OIDC can delegate control of the password to a single-sign-on provider, like Duo SSO. Older applications that use protocols like RADIUS may give you less control over removing the password.
It’s important to note that you should be thinking about more than just the password here! Business-critical applications that don’t support modern authentication cannot leverage critical security features beyond just passwordless, like Duo Risk Based Authentication and Duo Trusted Endpoints.
Once you have a firm understanding of your existing landscape today, you can move to step 2 and start building a plan for making these applications passwordless.
Step #2: Take one small step, not one giant leap
Take the applications that you’ve catalogued and break them down into three buckets:
Modern Applications
If you already have applications in your environment that support modern authentication, you can start to go passwordless today.
Duo’s Passwordless solution offers granular application and user group controls, providing you the ability to roll out passwordless to subsets of your organizations that are ready for it. A benefit of taking this approach is we often see these early-adopter groups helping to act as evangelists, touting the benefits of passwordless to the rest of the organization. This helps you drive change and builds support for your overall roadmap.
New Net Applications
A question to ask yourself - are you ensuring that every new application added in your environment supports modern authentication? We commonly see customers institute processes around this to ensure that any new application (either external or internal) has to support SAML or OIDC as a requirement.
Legacy Applications
For applications that don’t already use modern authentication in your environment today, check if the application supports modern protocols like SAML and build a plan to upgrade it! Many major applications are increasingly adding support for modern protocols - for example, Citrix added SAML 2.0 support for Netscaler in 2021. Duo strongly recommends planning and upgrading to modern authentication wherever possible as a first step.
If the application doesn’t support SAML, look to identify other integration methods, like the Duo Network Gateway, that can give you control over a passwordless experience. The DNG can sit in front of many applications, providing a modern and secure authentication experience, even if the application itself doesn’t natively support it.
It’s important to realize this might not happen quickly. Duo defines passwordless as a journey for a reason! Modernizing your infrastructure to improve security and the user experience can be a large undertaking, but is worth the benefits.
Step #3: Put your plan into action
By now, you have a clear understanding of which applications can easily go passwordless today and a plan for the applications that can’t. You don’t have to wait for an all or nothing approach - get started today with the low-hanging fruit!
However, there’s one more big thing to consider - you may be ready to remove the password, but what are your users going to authenticate with, if not a password?!
We’ll address that hurdle – and unpack how to define your authenticator strategy in a passwordless world – in our next post on starting your passwordless journey.