We’ve said it before, but it bears repeating: the road to passwordless is a journey, not an overnight transition. It begins with a basic understanding of what passwordless authentication is (and isn’t), but then it becomes time to take action and head further down the road. Still, the question for every enterprise IT manager remains: where to start?
Like every successful trip, you start with a map, a plan, and steps you can take to execute on that plan. The first thing to remember is that your company’s path won’t look like the next company’s path, but there are several rules of thumb that will help you plot out that path. All you need is the right contextual information before you map, plan, and execute. There are many roads to passwordless, and the good news is wherever you are is the perfect place to start.
In that spirit, we’ve put together seven steps you can take once you’ve decided to go passwordless, along with corresponding questions to assess your readiness and determine the solutions that are best suited to meet your needs:
1. Consider users and their use cases
- What are your users’ needs, behaviors, and risk profiles?
- Do they use mobile phones, desktop devices, shared workstations, or a combination of the three?
Key Takeaway: Different users may require different levels of security within the organization, and device types may dictate which passwordless authentication methods will deliver optimal user experience.
2. Achieve cross-functional alignment
- Have you included all appropriate departments within your organization in planning meetings for your passwordless journey?
- For example, has HR been invited to the table with IT to gain consensus on training practices?
Key Takeaway: Consider the needs of all departments when designing your passwordless workflow — there may be varying levels of input or perspective that dictate which passwordless authentication solution is best for your organization.
3. Assess your existing technical environment, investments, and resources
- Do you work with a current Identity and Access Management (IAM) system?
- Is that IAM solution on-premises or in the cloud?
- How complex is your software supply chain?
- Do you have all of the appropriate technical resources to implement and integrate a passwordless solution?
Key Takeaway: If your environment is mostly on-premises, you may want to consider smart cards as a first step toward passwordless. If you live in the cloud, you may be ready for FIDO2/WebAuthn-compliant hardware security keys. Of course, multi-protocol security keys, like the YubiKey, can support both of these needs simultaneously and meet you where you are if you have a mixed infrastructure.
4. Prepare for distribution models and requirements
- Where are most of your users located? Are they remote or in offices?
- How will your users receive any authentication hardware they might need for access?
- Do you plan to handle distribution of this hardware in-house or outsource the delivery and activation process?
Key Takeaway: The location of your workforce, whether employees work from offices, from home, or both, will affect most aspects of your passwordless deployment. Security key distribution and registration for remote workers in particular is often different from that for office workers, and should be considered early in your project.
5. Plan sufficient training and support
- How will you train and support users once you decide to go down the road to passwordless?
- Do you have a communication plan with accessible assets that will help support users?
Key Takeaway: Get an early start with HR or other stakeholders to produce clear communication tools, then put them in front of employees well before deployment to prepare them for what’s coming.
6. Measure your success
- How will you measure the progress and success of your passwordless deployment?
- What specific metrics make sense for your organization?
Key Takeaway: Metrics will vary by organization, but some of the most common ones are bottom-line metrics that save money and time. For example: help desk hours saved, initial and follow-up onboarding resources saved, or equipment savings.
7. Consider additional technical services
- Would industry expertise augment and accelerate your journey?
Key Takeaway: Once you’ve assessed the expertise your current staff has, consider getting outside consulting help from vendors who have guided other enterprises through a passwordless journey. The length of your timeline may determine how much extra budget you want to put into technical services. If you do not have a set deadline for deployment, you can move more slowly, but if implementation is driven by a compliance requirement or (knock on wood) a breach of some kind, technical services can accelerate the passwordless journey.
There are many passwordless solutions available on the market, which can make the path to passwordless confusing, overwhelming, and stressful for many enterprise IT managers. Here at Yubico, we aim to simplify the process to the best of our ability. With world-class cryptographic expertise, a delightful and versatile product portfolio, and a committed professional services support team, Yubico is here to help your organization every step of the way.
To learn more about how to determine your passwordless strategy, read our Bridge to Passwordless: Key Considerations whitepaper. Or, for a primer on how to “separate fact from fiction” on passwordless, check here.