The Administrator’s Guide to Passwordless: An Introduction

This article has been indexed from The Duo Blog

Introduction

It’s 2030, and passwords are a thing of the past. Okay, there are a few lingering cases we haven’t been able to eradicate yet, such as old WiFi systems and some legacy software nobody knows how to work with anymore. It’s been an interesting decade. Do you remember how we used to be afraid of biometrics because a few early implementations stored users’ personal information in a central database? Good thing we stopped doing that pretty early on. Oh, and enrolling each of our devices individually with our accounts took a little bit of getting used to.

But wow, it’s hard to think back to pre-2020 when we had to remember a mnemonic or series of semi-random words every time we wanted to do something online. And doing that for each site? Forget about it. And then even if we did our due diligence, sometimes a database would get popped and we’d have to go reset our passwords anyway! (If we were lucky enough to notice we got hacked). Anyway, things are much better now in 2030.

Now, back to reality. It’s 2021 and you’re an administrator or security engineer trying to figure out what this whole “passwordless” thing is about. Maybe trying to figure out your strategy for rolling it out in your own organization. We’ve been using passwords for decades. What does it mean to go without them now? It seems like a half step forward and a full step back. After all, we leave our fingerprints and faces sitting out in the open all the time.

It’s much harder to steal something kept secret in your brain, right? People trying to sell us something keep telling us that just getting rid of the password is more secure, but that seems risky. Even with one of those fancy security keys, that’s still just something you have. Now someone can just steal your security key and they’re in. Where is the something you know?

Read the original article: The Administrator’s Guide to Passwordless: An Introduction