The Business Challenge
One of the first challenges as organizations start the journey to passwordless authentication is user adoption.
How do you retrain users on a new way to access services after years, or decades, of using passwords and legacy two-factor authentication? The larger and more distributed the workforce, the harder this is.
Security and IT teams also live in a heterogeneous world, with a mix of old and new systems acquired over the years. Newer systems may be easy to retool for passwordless authentication; older ones will take more effort, and the 80/20 rule inevitably applies: the last 20% of systems will consume a disproportionate share of the work.
One of the most important considerations when going passwordless is therefore how to ease users into accessing systems through the new passwordless options, and how to enable passwordless access for older systems that do not support current standards.
We’ve developed our platform with these considerations in mind. Giving users options and letting them onboard at their own pace matters, so we’ve designed that capability in. We also provide an off-ramp for antiquated two-factor authentication systems, and we automate password resets to drive operational savings for those essential systems that will remain password based until they are replaced.
The BlockID Advantage
QR codes can either replace the traditional login or be deployed side by side with the user ID and password for gradual user adoption
While QR codes have been around for some time, their convenience as a touchless interface has only recently been rediscovered, on everything from restaurant menus to roadway signage and television broadcasts.
Of course, password-based authentication can be phased out over time for whichever categories of users and on whatever time frame seem appropriate. But the key to successful user adoption is first to enable a very fast and easy method of authentication and then to let users adopt it at their own convenience. A QR code placed next to the traditional login fields accomplishes exactly this.
One solution supports multiple authentication channels and methods
We’ve built FIDO2 biometric authentication into all of our solutions, but we also realize that organizations and users need flexibility to accommodate multiple ways to authenticate. That’s why we’ve delivered our solutions in various ways.
Some users have smartphones or tablets with the latest capabilities; for them our fully brandable mobile app handles biometric authentication and, in addition, offers the convenience of handling various legacy two-factor authentication mechanisms. The mobile app can also be embedded via API/SDK into an existing mobile application.
Other organizations will want users to use those same devices but without downloading an app; for them we offer app-less authentication.
We also support FIDO-compatible browser-based biometrics using the built-in authenticators of existing smartphones, laptops and desktops.
Convenient password reset for legacy applications saves time and money
Despite moving to passwordless authentication, organizations may still need to manage legacy passwords, such as Active Directory passwords, for some time to come. When these need resetting, users often need help from the IT helpdesk, and the problem compounds when a few other things start to happen.
Many organizations enforce rotation policies that require a new, hard-to-guess password every 90 days or so (a practice NIST SP 800-63B now recommends against, since forced rotation tends to produce weaker, more predictable passwords). Once users start authenticating passwordlessly, it’s natural that they forget legacy passwords more often. The result is a rise in helpdesk password reset requests. Estimates vary, but some put password resets at 20%-50% of all helpdesk requests, at an average cost of around $50 per reset when IT has to get involved.
We’ve developed a password reset capability for legacy systems and applications that is gated on biometric authentication. The user does not need to remember the previous password, retrieve a one-time code or produce any other artifact.
Once the user has completed FIDO2 biometric authentication (possession of the registered device plus a biometric verified on that device, two factors in one step), we simply prompt them to enter a new password of their choice. No IT involvement is required for the authorized user to regain access, and fraudsters stay out.
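The mechanics behind both the side-by-side QR login described under “The BlockID Advantage” and the biometric-gated password reset above, as an added illustration that is not 1Kosmos or BlockID code: the server issues a short-lived, single-use challenge bound to the browser session that displayed the QR; the phone signs it only after local user verification; and the server releases the result (a login, or permission to set a new legacy password) only to that same browser. Everything here is assumed for illustration: the 60-second TTL, the JSON QR payload, the `Server` and `device_approve` names, and above all the signature, which is an HMAC with a per-device secret standing in for the public-key FIDO2/WebAuthn assertion a real deployment would verify. The legacy password store is a PBKDF2 stand-in for Active Directory.

```python
import hashlib, hmac, json, secrets, time

CHALLENGE_TTL = 60.0  # assumed: seconds a displayed QR (login or reset) stays valid


def sign_challenge(device_secret, purpose, cid, nonce):
    # Stand-in for a FIDO2 assertion (WebAuthn signs authenticatorData || SHA-256(clientDataJSON) with a key pair).
    return hmac.new(device_secret, b"|".join([purpose.encode(), cid.encode(), nonce]), hashlib.sha256).digest()


def device_approve(device_secret, qr_text, user_verified=True):
    """Phone side: biometric user verification happens locally, and only then is the challenge signed.
    A real app also shows the purpose before signing, so the user does not approve a QR relayed by an attacker."""
    if not user_verified:
        raise PermissionError("biometric check failed; nothing is signed")
    qr = json.loads(qr_text)
    return qr["cid"], sign_challenge(device_secret, qr["purpose"], qr["cid"], bytes.fromhex(qr["nonce"]))


class Server:
    """Relying party: one-time challenges, assertion checks, results released only to the requesting browser."""

    def __init__(self):
        self.devices = {}           # user -> device secret (stand-in for a registered FIDO2 public key)
        self.challenges = {}        # cid -> {purpose, nonce, created, session, user}
        self.legacy_passwords = {}  # user -> (salt, pbkdf2 digest); stand-in for the AD password store

    def new_challenge(self, purpose, browser_session, now=None):
        cid, nonce = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.challenges[cid] = {"purpose": purpose, "nonce": nonce, "user": None, "session": browser_session,
                                "created": time.time() if now is None else now}
        return cid, json.dumps({"cid": cid, "purpose": purpose, "nonce": nonce.hex()})  # second item = QR text

    def verify_assertion(self, cid, signature, user, now=None):
        """Reject unknown, already-consumed (replayed) or expired challenges and bad signatures."""
        rec = self.challenges.get(cid)
        if rec is None:
            raise ValueError("unknown challenge")
        if rec["user"] is not None:
            raise ValueError("challenge already consumed")
        if (time.time() if now is None else now) - rec["created"] > CHALLENGE_TTL:
            raise ValueError("challenge expired")
        secret = self.devices.get(user)
        if secret is None or not hmac.compare_digest(
                sign_challenge(secret, rec["purpose"], cid, rec["nonce"]), signature):
            raise ValueError("bad signature")
        rec["user"] = user

    def collect(self, cid, purpose, browser_session):
        """Polled by the browser that showed the QR: None until approved, and None for any other session."""
        rec = self.challenges.get(cid)
        if rec is None or rec["purpose"] != purpose or rec["session"] != browser_session or rec["user"] is None:
            return None
        del self.challenges[cid]
        return rec["user"]

    def reset_legacy_password(self, cid, browser_session, new_password):
        """New legacy (AD-style) password with no old password and no one-time code, gated on the assertion."""
        user = self.collect(cid, "reset", browser_session)
        if user is None:
            raise ValueError("no verified reset challenge for this session")
        salt = secrets.token_bytes(16)
        self.legacy_passwords[user] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000))

    def check_legacy_password(self, user, password):
        salt, digest = self.legacy_passwords[user]
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def demo_qr_login():
    """QR beside the password form: phone approves; only the browser that displayed it gets logged in."""
    server = Server()
    secret = server.devices["alice"] = secrets.token_bytes(32)      # constructed enrollment
    cid, qr = server.new_challenge("login", "browser-1")
    server.verify_assertion(*device_approve(secret, qr), "alice")
    # browser-2 never asked for this challenge, so it gets nothing; browser-1 gets the user
    return server.collect(cid, "login", "browser-2"), server.collect(cid, "login", "browser-1")


def demo_replay_and_expiry():
    """A captured response cannot be replayed, and a QR approved after the TTL is rejected."""
    server, t0 = Server(), 1_000_000.0
    secret = server.devices["bob"] = secrets.token_bytes(32)
    cid, qr = server.new_challenge("login", "browser-1", now=t0)
    response = device_approve(secret, qr)
    server.verify_assertion(*response, "bob", now=t0 + 5)
    late = device_approve(secret, server.new_challenge("login", "browser-1", now=t0)[1])
    errors = []
    for resp, t in [(response, t0 + 6), (late, t0 + CHALLENGE_TTL + 1)]:  # replay, then a stale QR
        try:
            server.verify_assertion(*resp, "bob", now=t)
        except ValueError as e:
            errors.append(str(e))
    return errors


def demo_password_reset():
    """Biometric-gated reset of a legacy password: the new password works and a guess does not."""
    server = Server()
    secret = server.devices["carol"] = secrets.token_bytes(32)
    cid, qr = server.new_challenge("reset", "browser-1")
    server.verify_assertion(*device_approve(secret, qr), "carol")
    server.reset_legacy_password(cid, "browser-1", "N3w-AD-passw0rd!")
    return server.check_legacy_password("carol", "N3w-AD-passw0rd!"), server.check_legacy_password("carol", "guess")
```

Two checks carry the security weight. In `verify_assertion`, a response is accepted once and only within the TTL, so a captured response cannot be replayed and a stale QR cannot be redeemed. In `collect`, a browser that did not request the challenge cannot pick up its result, so a second session cannot piggyback on someone else’s approval. Neither check stops a user from approving a QR that an attacker relayed to them, which is why the app should show what is being approved, and for which session, before the biometric prompt.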
One solution supports all legacy two-factor authentication needs
On day one of the journey to passwordless authentication, many organizations have a variety of authentication mechanisms in place to shore up password-based logins: one-time codes sent by email or SMS, hardware U2F keys, desktop agents, and applications with push notifications.
The move to passwordless authentication reduces reliance on these technologies, but it happens gradually and should be addressed as part of the strategic plan.
Our solutions are built for interoperability and are certified to NIST SP 800-63-3. They support legacy factors including email/SMS/TOTP codes, U2F tokens, desktop agents, application push, and fraud signals from behavioral or session analytics.
This allows a strategic, or “graceful”, transition away from legacy one-time-code 2FA systems, letting IT save money, reduce operational burden and streamline the user experience with minimal disruption.
One reusable identity serves as a digital wallet supplying credentials needed to support multiple accounts and services
In real life an individual is a single entity who nonetheless has many business relationships spanning personal and professional life. Online, the identity remains a single entity, and each association of that identity (and its credential) with an online service can be described as a persona. Just as in the offline world, one digital identity can have multiple personas.
With 1Kosmos BlockID Workforce there is no practical limit to the number of personas or accounts a user can have. Users can be enabled on any number of accounts: the platform binds the user’s biometric, verified on their device, to a FIDO2 certified credential, and that one credential provides access to all of their accounts through a single consistent experience.
This is especially useful for administrators and organizations that have gone through mergers and acquisitions and need to support multiple Active Directory trees.