Passwordless authentication, in the form of inherence factors (e.g., fingerprint, facial) or in the form of possession factors (e.g., device, app, token/certificate) and supplemented by other factors (e.g., location, user behavior), is an emerging authentication technology that will protect organizations from brute force attacks, credential stuffing, phishing, and social engineering tactics. If carefully selected and implemented correctly, passwordless authentication also offers a superior user experience compared to password-centric authentication.

Enterprises have begun adopting passwordless authentication. Adoption is still nascent, however. A recent Forrester poll of individuals responsible for enterprise passwordless authentication showed that half of the respondents are less than three months into the process. Most organizations are likely running pilots, POCs, and small deployments with specific user groups rather than full enterprisewide deployments.

The barriers to enterprisewide passwordless adoption include legacy applications that only support password-based authentication, business disruption, and budgetary challenges. The ecosystem of technology providers is working to overcome these with standards like FIDO2 (WebAuthn) as well as APIs, SDKs, toolkits, prebuilt integrations, and effective user training modules. Most organizations will still need to adopt good multifactor authentication (MFA) practices before making the leap to passwordless.

I will be presenting on this topic during Forrester’s Security & Risk Forum (live at 3:55 p.m. ET on November 10). And for Forrester clients, I am currently writing a report, entitled The State of Enterprise Passwordless Solutions In 2021, that should be available before the end of the year.