Aug 15, 2024

Security Boulevard Community Chats Webinars Library Going Passwordless: 6 Tips to Navigate Passkey Adoption By now, most of us realize that passkeys and passwordless authentication beat passwords in nearly every way — they’re more secure, resist phishing and theft, and eliminate the need to remember and type in an ever-growing string of characters. Despite this, most organizations still rely on password-based authentication methods. Transitioning to passwordless authentication offers a far more secure and user-friendly experience, but making the switch can seem daunting. In fact, the most recent Passwordless Identity Assurance survey found that nearly one third (31%) of organizations name implementing passkeys as a primary identity security challenge. Technical integration is only one aspect. For many organizations, rolling it out to users and getting them to use it can be the thornier part. Understanding User Adoption User resistance to an unfamiliar technology can be a  hurdle in transitioning to passwordless. It’s critical to take a phased, change management approach, including pilot programs and early adopter groups. Clear communication about the benefits of passkey systems, referencing successful case studies, and industry best practices, helps allay user skepticism and increase acceptance. User-centric design and understanding the psychology of habit formation are essential to achieve widespread adoption. User experience greatly impacts a passwordless initiative — balancing security and convenience is key. Consider and address your varying use cases, potential accessibility issues, and technical challenges, such as legacy systems. As Director of Customer Excellence at  HYPR, I’ve worked with many customers during their passwordless transition. As someone with even more years in IAM and customer experience in general, I’ve seen and heard many tech rollout tales. Here are some of the top tips to help your organization navigate passkey adoption effectively. Best Practices for Passkey Adoption 1. Map Out Use Cases Different user groups within an organization may have varying needs, both in their job function and as individuals. When it comes to passkey adoption, one size doesn’t fit all. Multiple passwordless options may be required. Begin by getting a full picture of your current login methods. Identify priority login systems and stakeholders. Do you haveremote or hybrid employees?. What IdPs, devices, browsers and operating systems are being used? Consider non-employees like contractors, business partners, or volunteers — when and how do they log in? For users who travel extensively, note any special authentication requirements. PRO TIP: Identify any applications, systems, or tools with additional authentication controls due to sensitive data. Evaluate specific user accounts, like IT administrators, with higher security needs. 2. Identify and Plan for Legacy Systems and Other Challenges Passwordless deployments can be hindered by legacy systems, technical and usability concerns and under preparedness for the reliance on secondary devices. Look at the legacy applications in your tech stack, how they are used, and their current authentication methods. Will your passwordless solution integrate with them? If system updates or configurations are required for compatibility, make sure to get leadership buy-in during the planning stage. Addressing technical and usability concerns requires capturing all unique workstream requirements and considering business-specific constraints. For example, customer-facing roles may have different constraints than back-office roles or a manufacturing floor. Users that travel may require offline authentication options. PRO TIP: The reliance on secondary devices makes it critical to be ready with secure recovery and backup options. 3. Strategic Planning for Rollout Thorough planning and secure process design are critical for successful rollout. Authentication is a critical path product — ensure you’re prepared. Establish timelines, set roll-out stages, and develop communication plans. Conduct a pilot test with a small group to help identify and address potential issues before roll out. Take the roll out in stages too, beginning with a first adopter group. This approach allows for fine-tuning the system and ensuring a smoother transition for the entire organization. Ideally, the group will include both technically-minded people as well as those less comfortable with technology. Your early adopters should represent a cross-section of use cases, especially privileged users or other groups with specific security requirements. The sequence and timing of roll out will depend on your unique environment and business, but make sure senior leadership is part of the earliest stages — a top-down approach significantly helps end-user buy-in and speed passkey adoption. Communication during all stages is critical to both educate and preempt objections. Concerns about biometric data usage, for example, can be mitigated through educational campaigns that clarify how such data is stored and protected. PRO TIP: Consider aligning your password policy with your improved security strategy by enforcing complex passwords in line with guidance from CISA and PCI DSS 4.0 requirements . Your users will look forward to the ease of passwordless authentication. 4. Clear Communication and Guidance Effective communication and guidance are essential for facilitating passkey adoption. Clear, concise, and user-friendly documentation can help users understand and adapt to new authentication methods. Early adopters can provide invaluable feedback to improve documentation and identify fringe use cases and outlier scenarios. User adoption relies on awareness of the improvements passwordless authentication offers over traditional methods. The FIDO Alliance provides some helpful communication recommendations in their Design Guidelines. Explain that you are replacing passwords with stronger, phishing-resistant authentication. Don’t get hung up on terminology – use what works best for your users. For example, one of our customers used the term “non-shareable credentials” instead of passwordless authentication or passkeys as that resonated better with their workforce. Provide training on new login flows, highlighting speed, ease-of-use and security. Use multiple touchpoints, such as town halls, training videos, and cheat sheets. Include guidelines for troubleshooting issues like lost devices and keep stakeholders updated throughout the transition. Importantly, solicit user feedback and be prepared to adjust communication materials if needed. Example user communication courtesy of the FIDO Alliance 5. User Onboarding and Support Plan for supporting your users when the new system goes live. Make sure you take into account the needs of users in different time zones or those who travel frequently. Train your help desk to educate as well as troubleshoot. Ensure that support resources are readily available to address any issues that arise. Monitor KPIs like login times, call volume and ticket metrics pre vs post-implementation. PRO TIP: Create a promotion or contest, with prizes. Use gift incentives, swag or giveaways to first or all enrollees. 6. Choose the Right Passwordless Solution All of the previous steps depend upon you selecting the right passwordless provider for your environment, user population and use cases. The optimal solution removes adoption obstacles, balancing hardened security with maximized convenience and quick deployment. If you’re reading this, you’ve likely decided that a solution based on FIDO Certified passkeys is the best approach, but there are a wide range of options within this category. Assess vendor offerings based on cryptography standards, biometric and device support, scalability, customer success rate and implementation timeframe. Ease of integration with existing web/IT infrastructure is critical. 💡12 Considerations for Assessing a Passkey Solution — Download the Guide PRO TIP: Don’t forget that secondary authentication processes and situations — registration, re-registration, lost and stolen devices — must also be protected. Look at your provider’s entire set of identity security capabilities — do they provide identity proofing technologies and other critical identity security controls? HYPR Is Your Passkey Adoption Partner Companies need an identity security partner with expertise in change management and a solution that provides flexibility along with the controls enterprises require. HYPR has been helping companies implement passkeys and passwordless authentication for more than a decade. This includes a top U.S. bank with the largest workforce FIDO implementation in the world. HYPR’s leading passwordless MFA solution , HYPR Authenticate, eliminates shared credentials while providing a friction-free user experience. It offers a range of authenticator options, including our award-winning passwordless app, and works everywhere, whether in-office or remote, online or off. HYPR Authenticate is the foundation of our Identity Assurance Platform , which combiness phishing-resistant authentication, adaptive risk mitigation, and automated identity proofing and verification to secure the entire identity lifecycle. HYPR Integrates with your current systems, IdPs, SSOs and applications to unify authentication across the business. *** This is a Security Bloggers Network syndicated blog from HYPR Blog authored by Darrin Ingram . Read the original post at: https://blog.hypr.com/tips-to-navigate-passkey-adoption