Passwords are a problem.

While ubiquitous, passwords are an easy target for cybercriminals and malicious actors. Some 61% of data breaches in 2020 involved compromised credentials. Passwords aren't even that convenient and are more expensive than you might think. Password resets are a frequent and costly drain on support desks and IT budgets, averaging $70 per reset.

Modern passwordless authentication offers a ready alternative, including biometrics, security keys, and specialized mobile apps. These methods secure access for hybrid, cloud, on-premises, and legacy apps.

High costs and user reluctance have stood in the way of passwordless adoption, but you don't need to — and shouldn't — convert to passwordless in one fell swoop. The companies that are most successful in adopting passwordless access commit to a process and advance step by step. Here's where to start.

Start Small
Passwords are so ingrained across organizations and their myriad applications, that it's virtually impossible to go passwordless overnight or even in a week or month. Start by adding a layer of security, like multifactor authentication (MFA). This permits continued use of legacy solutions while shoring up credentials with additional authentication methods, as a gateway to a passwordless future.

Define Your Policies
Use tactics and tools like segmentation and device posture security to help define and enforce your changing access security policies. This will happen even before you've actually gone passwordless, and is one of many important steps on the passwordless journey. While large, complex environments with hybrid infrastructures and complex login flows make passwordless implementation challenging, you can gradually reduce your users' dependence on them. You don't need to create policies for everyone and everything on day one.

Gain Control of Identities
Many organizations are protecting their perimeter, but lack the monitoring, policies, or control that can block users from accessing any resource they want. Implementing zero-trust security principles ensures each identity is governed by policies that limit access to what each user needs to do their job.

To get there, you need full visibility into user identities and what data they can access. It all comes down to the principle of least privilege, and a solution that limits users' access by default.

Consolidate Authentication
You likely have many different logins across various services and applications, from Gmail to Salesforce to Hubspot.

You'll need to define one access management provider that can integrate into all those different resources. That same provider needs to integrate resources within your organization, too, like servers and administrative systems. Because these resources are often geographically distributed, they must be redistributed to the cloud or via an on-premises solution that requires additional hardware.

Educate End Users
Most employees are used to passwords and reluctant to change. Passwordless is easier and safer, but still creates friction as employees get used to the new procedures.

Larger organizations have more friction and resistance to change than smaller ones and guidance is required at every turn. It's best to pilot the process with a small group of employees who can become champions for the switch to passwordless access. As they adjust and become happy internal customers, you can replicate your success and expand passwordless access to additional employees.

Most employees have dozens of login credentials, and dealing with them all within a new framework can be overwhelming. You should consider empowering them to handle these changes with a centralized credential management system.

Keep Refining and Enriching
Adopting passwordless is an ongoing process involving everything from keeping your organization's technologies updated to investing time in user maintenance. In particular, be sure to continue updating and enriching the metadata and environmental variables you use to verify a user's identity — an important practice to prevent identity theft.

After the Switch
By going passwordless, you can reduce the potential for human errors and minimize leaked passwords and data. Reducing your attack surface won't happen overnight, but with a carefully planned approach, you can gradually shift toward passwordless.