Cybersecurity

Lessons learned by an RSA IT pro implementing passwordless

Jim Taylor tells IT Brew about the company’s gradual move toward passkeys and biometrics.

A lock disappearing in front of a scanned fingerprint.

Illustration: Anna Kim, Photo: Adobe Stock


Going passwordless is difficult for a lot of companies, even the ones with “security” in the name.

Jim Taylor, chief product and technology officer (and resident IT professional) at RSA Security, spoke with IT Brew about lessons learned as he led the deployment of passkeys, biometrics, and other non-password implementations across the organization. Two major keys to passwordless success, he said: lots of options and lots of patience.

“There’s no big switch. I wish there was a big red button that you could just press and go, ‘Ta-da!’ with passwordless, right? It doesn’t work like that,” Taylor told IT Brew.

The best security is optionality. RSA began its efforts just under a year ago, according to Taylor, starting with enabling passwordless login on the company laptops—a “gateway,” he said, to initiate more passwordless options across the company.

If the company detects elevated risk from a signal like an unexpected login location, the system can require a second authentication step on the user’s phone, such as approving a push notification or scanning a QR code, according to Taylor. The out-of-band step adds protection on the assumption that an attacker who has compromised the laptop is unlikely to also control the user’s mobile device.

Passkeys play. Another option for RSA: passkeys. Employees can register a separate passkey on each of their devices. Each passkey is a key pair: the device stores the private key, and the service provider holds only the matching public key. At login the device signs a challenge from the service with its private key, and it will do so only after a local PIN or biometric check unlocks it, so neither a password nor the private key ever travels to the server.
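To make the two mechanics above concrete, here is an added example (not RSA’s code and not from the article) of a toy relying party and authenticator in Go. It uses Ed25519 signatures, a constructed relying-party ID (rsa.example), a constructed user (alice) and constructed login locations, and it stands in for the risk check with one simplified rule: a login from a location other than the last approved one must finish the out-of-band step before it is granted. It is not the WebAuthn wire format; what it shows is that the server keeps only public keys, that a fresh challenge is signed only after the device is unlocked, that a used challenge cannot be replayed, and that a signature for another site or from another device’s key is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

type Outcome int // result of a login attempt at the relying party

const (
	Denied         Outcome = iota // bad signature, unknown user or replayed challenge
	Allowed                       // passkey verified, no elevated risk
	StepUpRequired                // passkey verified, but the out-of-band factor is still needed
)

// Authenticator models the employee's device: it holds the private key and
// signs only after a local user-verification step (PIN or biometric).
type Authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do
	}
	return &Authenticator{priv: priv}
}

// PublicKey is the only part of the passkey that ever leaves the device.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }
// Unlock stands in for the PIN or biometric check performed on the device.
func (a *Authenticator) Unlock() { a.unlocked = true }

// Sign answers the server's challenge. The relying-party ID is part of the
// signed data, so an assertion produced for one site is useless at another.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("user verification required before signing")
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), nil
}

func signedData(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...) // NUL keeps the two fields from blurring together
}

// RelyingParty models the service provider: it stores public keys only.
type RelyingParty struct {
	ID       string
	creds    map[string][]ed25519.PublicKey // a user may register several passkeys
	consumed map[string]bool                // challenges already used once
	lastLoc  map[string]string              // last approved login location per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string][]ed25519.PublicKey{},
		consumed: map[string]bool{}, lastLoc: map[string]string{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.creds[user] = append(rp.creds[user], pub)
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Authenticate checks the assertion against every passkey the user registered, then
// applies the simplified risk rule: an unfamiliar location needs the out-of-band step.
func (rp *RelyingParty) Authenticate(user string, challenge, sig []byte, location string) Outcome {
	key := string(challenge)
	if rp.consumed[key] {
		return Denied // replay of an already-used challenge
	}
	for _, pub := range rp.creds[user] {
		if ed25519.Verify(pub, signedData(rp.ID, challenge), sig) {
			rp.consumed[key] = true
			if last, ok := rp.lastLoc[user]; ok && last != location {
				return StepUpRequired
			}
			rp.lastLoc[user] = location
			return Allowed
		}
	}
	return Denied
}

// CompleteStepUp records the phone-side result (push approval or QR scan) for a login that came back StepUpRequired.
func (rp *RelyingParty) CompleteStepUp(user, location string, approved bool) Outcome {
	if !approved {
		return Denied
	}
	rp.lastLoc[user] = location
	return Allowed
}
```

A real deployment would additionally carry a signature counter and origin/RP-ID binding in the WebAuthn assertion, and the risk signals would come from the identity platform rather than a last-location string; the shape of the decision, verify the passkey first and then decide whether the phone must confirm, is the same.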


“We provide you that range of options and give you a system that is flexible enough to fit whatever option you need to get to passwordless,” he said.

A recent survey from the FIDO Alliance—an organization dedicated to reducing “the world’s reliance on passwords”—found that 87% of 400 UK and US employees have successfully deployed or are deploying passkeys, a 14% growth since 2022.

Ongoing, ongoing, gone. RSA is about 80% to 90% passwordless across the entire organization, according to Taylor.

The company may never reach 100%, however, given legacy systems or third-party applications that require those old-fashioned special characters. As much as the company has its share of tinkerers, RSA also has HR, lawyers, and finance teams—people who may not be up to speed on, say, passkeys.

“Anytime you change somebody’s user experience, it’s like trying to change a habit. It’s really difficult,” Taylor said.

The implementation of biometrics and passkeys requires patience, he said.

“Anything that’s an improvement in your security posture, anything that makes you a little bit more secure today than you were yesterday, is a good thing. And if you do that every day, after a year or so, you’ll be in pretty good shape.”
