From Passwords to Passkeys: A Journey Towards Passwordless IAM

From Passwords to Passkeys: A Journey Towards Passwordless IAM

Passwords were made for a world with network perimeters, not one where identity is the new security boundary. It’s understandable that passwords are now a security risk and a usability burden, especially as complexity requirements hardened in response to rapidly evolving threats.

Credential stuffing, phishing, and social engineering are now dominating cyberattacks. Generative AI is now augmenting cybercriminal capabilities. Adversaries have refined their methods, and defenders are shifting toward proactive defenses.

This drive is reflected in regularity and compliance frameworks for data protection (GDPR) and risk management measures (NIS2 and DORA) that are moving beyond baseline practices. Forward-looking IT managers will adopt stronger, passwordless authentication methods.

The Passwordless Imperative

Passwordless authentication factors augment and modernize the security that you’ve already invested in while providing users with frictionless log-in experience. Users authenticate using something they have, something they are, or something they do (and not something they know or forget). The result is access control that is secure and user-friendly, and it mitigates the risks associated with reliance on passwords like breaches and lateral movement.

Core benefits

“Passwordless” doesn’t mean “no authentication” —it utilizes alternative, highly secure methods for authentication that don’t rely on passwords. It’s stronger, more user-friendly, and reduces costs.

Improved Security

Security is increased by deploying phishing-resistant credentials, which cannot be reused across multiple services. Methods like cryptographic keys are nearly impossible to phish and aren’t vulnerable to man-in-the-middle attacks. Passwordless also reduces attack surface area, because it reduces (or eliminates) password storage. IT administrators should assume breach and migrate from passwords.

Seamless User Experiences

Users embrace security that’s easy to use. There’s no passphrase to remember (reset, manage, or commit to memory), establishing seamless access to resources and a more consistent experience across devices. Going passwordless results in fewer support requests and less likelihood that workdays will be disrupted.

Cost Savings

Fewer helpdesk cases mean lower IT support costs. There’s also a decreased risk of breaches and the associated costs, resulting in more time being spent on security architecture. You achieve:

  • Reduced cybersecurity insurance premiums
  • Less risk of financial penalties and reputational damage from security incidents
  • Better compliance with security standards like GDPR or NIS2
  • Simplified IT infrastructure, which reduces attack surface and administrative overhead.
  • Quicker onboardings that permit new team members to get to work faster

Modern Authentication Methods

Passkeys Explained

Users can be prompted to use a passkey through authentication policies or select it themselves. Banks, SaaS services, healthcare providers, and a growing list of vendors provide them as a login option.

Passkeys use FIDO2/WebAuthn standards with public-private key pairs to provide secure, phishing-resistant logins. They’re stored on devices and unlocked using biometrics like fingerprints, facial recognition, or user behavior. PINs can provide a backup method when biometrics aren’t used.

Device-based authenticators like Windows Hello and Apple’s Face/Touch ID support passkeys, as do some password manager apps, and hardware tokens like smart cards and FIDO security keys. Hardware security keys are generally more secure than software-based passkeys, though both are highly secure.

IAM Architecture Considerations

Centralized vs Federated Identity Models

Some organizations have consolidated into a single Identity Provider (IdP) or utilize legacy directories, but it’s possible for multiple IdPs to coexist through federation. Authentication solutions like Thales SafeNet Trusted Access support both models to centrally enforcing MFA and access policies. This makes it possible to control access to all apps with the right policy to enforce the right authentication methods.

Policy-based Access Control and Adaptive Authentication

Adaptive MFA works hand-in-hand with passwordless methods to apply the right policies based on user behavior, shared risk signals, and contextual factors like location and device health. This combination tightens controls when risk is high and streamlines access when it’s safe, optimizing the user experience.

Phased Transition Strategy

Assess

Conduct a comprehensive audit of all identity sources, user roles (RBAC), and application dependencies. Identify high-risk users, systems, and non-human identities (when application) that require stronger controls. Prioritize areas with legacy protocols or weak authentication mechanisms. This is a good time to flag any users who are violating segregation of duties and to work with managers to determine why.

Plan

Develop clear segmentation of users-based roles, sensitivity levels, and risk profiles. Establish authentication requirements (e.g., Adaptive MFA, passkeys) tailored to each group. Include contingency plans and rollback procedures to ensure minimal disruption during unforeseen issues or use time-bound Temporary Access Pass (TAP) if that authentication method is an option and fast access is important.

Pilot

Begin the transition with a small, low risk group that won’t impact core operations. Use this phase to test integrations, fine-tune the user experience, and create support processes with real users in real environments. It’s important to see what the user experience is for yourself and what common stumbling blocks are. This will enable you to develop a communication strategy that reflects reality.

Expand

Gradually increase adoption based on metrics and user feedback. Then, scale the deployment by onboarding higher-risk or more complex groups in controlled waves.

Implementation Blueprint

Deploy passkeys with SafeNet Trusted Access, integrating Passwordless Windows Logons. Register devices, manage keys, onboard users, train, and handle fallbacks (like PINs) and recovery procedures.

Security and Compliance Impacts

Passkeys enhance security with resistance to phishing and replay attacks, align with Zero Trust Architecture principles, and provide auditability and logging in a passwordless environment.

Passkeys demonstrate adherence to GDPR and NIS2, enhance visibility, and support incident response. Access logs provide traceability and allow for incident reporting.

Common Pitfalls and How to Avoid Them

Common pitfalls with passkeys include ignoring device diversity, overlooking user education and change management, and poor fallback planning. Address these with a solution that offers cross-platform device support, comprehensive user training, and robust recovery options like recovery codes and PINs. There are currently industry initiatives underway to make Passkeys portable across all device platforms.

What Success Looks Like

Measure your success by tracking key metrics such as login success rates, help desk tickets, MFA fatigue, and security incidents. Metrics ensure accountability while keeping you on track to deliver a frictionless and secure IAM solution. They flag areas for improvement, ensuring compliance and a better UX.

Don’t underestimate the impact that resistance and confusion can have on operations, strategic partnership motions, and the association that customers have with your brand.

Conclusion and Call to Action

Passkeys offer phishing-resistant authentication while increasing productivity. Learn how SafeNet Trusted Access provides Passwordless authentication that meets key criteria like device compatibility, including with Microsoft Windows. It offers centralized access control, MFA, and single sign-on (SSO) for cloud and on-premises applications. And crucially, provides an experience that’s superior to passwords.