My Passwordless Experience: Is This the Right Time to Make Your Move?
Is now the right time to go passwordless?
In June 2023, I decided to remove the password on my personal email account and the one used to log in to all of my devices. Did I wait too long? Am I too optimistic this will work without issue? Are there kinks that still need to be worked out? I recently attended Identiverse 2023 and got a FIDO2 hardware token intending at some point in the future to go passwordless. Why wait though? I was pumped up with all the passkey and passwordless sessions I attended and was eager to try this out and share my experience.
My journey starts with a pair of Thales SafeNet eToken FIDO hardware devices. Some devices are NFC, which makes it convenient to interface with other types of devices, but as I found out, in some cases this becomes a necessity. These hardware tokens are USB-C, but not all my devices have a more recent USB-C port. Lesson learned, and a couple of extra hoops to jump through for sure. I think an NFC alternative, like the Yubico YubiKey 5 or the USB-A version of this hardware token, would have made it an uneventful experience.
So off I went to manage my Microsoft account.
In the Security portion of account management, I was able to see the ways I could prove who I was. Here it was a matter of removing the less optimal authentication methods and adding my new secret key.
I selected "Add a new way to sign in or verify" and then "Use a security key" in the next pop-up window.
The next window asked me to set up my security key! Now I was getting somewhere, and it seemed like good things were starting to happen.
After I clicked "Next", I was presented with a fork in the road – the passkey route or the hardware token route? I selected "Use a different device", but it was a teaching moment for me on the subtle differences here.
From here on, it was a straightforward experience.
From a security perspective, I was pleased that it required me to touch the USB token at several points of the setup.
I named my primary and secondary tokens and completed the hardware token setup. Here you can see that the new way to prove who I am has been added. Now, onto removing my password!
I turned on "Passwordless account" from the menu as my next item on the list.
That took me through some logical prompts.
Could it be that simple? Indeed, it was.
Now I’ll take you back to my account security and what options are available to prove who I am. Passwords are indeed gone, and out of the remaining options, I chose to remove the one-time password (OTP).
Here is where I ran into my first roadblock due to account verification. This is something to consider in your own journey. My security posture has improved, but not entirely as expected.
Lastly, there is the option to add an additional two-step verification to the ways you can prove who you are.
Our Take
The passwordless journey is not as difficult as I originally expected it to be. I found all the prompts followed a logical sequence and I didn’t consider them excessive. From a security perspective, there are several benefits. I no longer need to identify myself on any of my devices – simply plugging in my token identifies me. I just punch in the PIN code that I issued my token and I’m in, which is a much nicer experience. Now that I’ve gone through this, I wish I had done it sooner. No pitfalls or surprises to report; you can leverage Authenticator and a secret key to prove your identity and remove passwords as one of the verifiers. Based on your use cases, this could move the security needle forward for you as it provides phishing-resistant MFA, and it reduces friction for users authenticating themselves.