Duo Passwordless Future of Authentication eBook

The document outlines a 5-step path to achieving passwordless authentication, emphasizing the need to eliminate passwords due to their inherent security risks and user frustrations. It discusses the benefits of passwordless solutions, including improved user experience, reduced IT costs, and enhanced security posture, while also addressing challenges such as compliance and hybrid IT environments. Cisco's successful deployment of passwordless authentication for over 130,000 users is highlighted as a case study demonstrating the effectiveness of this approach.


5-Step Path to

Passwordless
The Future of Authentication

© 2024 Cisco and/or its affiliates. All rights reserved.

Table of Contents
Foreword 1

1.0 The Problem with Passwords 2

2.0 The 5-Step Path to Passwordless 5

3.0 Cisco’s 130,000-user Passwordless Deployment 9

4.0 Building Your Organization Towards a Passwordless Future 12

Additional Resources 14



Foreword
It goes without saying in the IAM space that security exists on a spectrum. On one side is the utmost protection of secrets at all costs. On the other side is ultimate usability. How can we build something that leverages strong multi-factor authentication while remaining something customers of all skill levels are comfortable using? We continue to find success in investing in building a user-centric solution that handles best-in-class multi-factor security across a wide range of customer use cases.

Historically, many companies including Duo have focused on finding solutions to the question of, “how can we make password-based auth more secure?” Second-factor authentication methods like SMS one-time passcodes, time-based one-time passcodes, and Duo Push have incrementally improved our customers’ security posture by adding a “something you have” factor to a password’s “something you know.” But despite our best efforts, some of these second-factor technologies retain a fundamental weakness: they can be vulnerable to phishing, just like the passwords they are intended to protect. This isn’t just a problem for Duo, but for any company that has sensitive data that they want to control access to.

I don’t think it’s fully appreciated, then, that we are in an unprecedented time in multi-factor authentication. With the introduction and widespread adoption of passkeys, we can finally offer customers a way to protect access to sensitive systems that increases security and usability and eliminates password use. The pendulum head has impossibly widened to cover more of the spectrum than ever before in a way that is almost too difficult to believe.

As Duo continues to evolve its support for passkey-backed authentication, we have also increased the security of our beloved Duo Push to help keep customers secure across a wider range of use cases than with passkeys alone. Together, Passwordless offers customers a path to benefiting from all these recent innovations in a streamlined way that offers users security without them really having to think about it. Because at the end of the day, you and your users have more important things to spend your time on.

Matthew Miller
Duo Technical Lead & WebAuthn SME, FIDO Alliance Board Member for
Cisco, W3C Web Authentication Working Group Editor



1.0 The Problem with Passwords
Passwords are plagued with problems. Combined with
user friction and frustration, passwords alone are an
increasingly insecure factor for identity verification.

Passwords are costly and burdensome to manage.
Passwords take up a lot of IT and help desk support time each year – so much so, that many large U.S.-based organizations have allocated over $1 million annually for password-related support costs, according to Forrester.

Expired or reused passwords can cost organizations of all sizes. With 10 billion passwords leaked and the uptick in password-spraying attacks, frequent password resets can be a time-consuming and expensive process. It also increases reliance on the individual user to choose strong and secure passwords that can’t be easily “popped.”

“Passwords remain a significant source of risk for organizations — even when incorporated with another method for MFA — and of friction, frustration and fatigue for users and administrators,” notes the Gartner Group in their Market Guide for User Authentication.



Passwords rely on user vigilance.
A survey of 2,000 end-users conducted by 1Password revealed that seven out of 10 respondents found having to remember or reset passwords a regular annoyance. This isn’t a surprise – lockouts pause productivity and contribute to poor user login experiences. In addition to password lockouts, the sheer number of cloud services and passwords that a user needs to log into to do their job has increased over the years. Now, the average enterprise uses over 1,000 different applications, while the average business user must juggle an average of 168 passwords. In the same survey by 1Password, nearly a third of respondents said they’re open to using any new technology that makes life simpler.

“Passwords have multiple weaknesses that attackers can exploit. Even the best password policy cannot mitigate spyware or phishing attacks.”
- Gartner IAM Leaders’ Guide to User Authentication

Passwords are easily compromised.
Passwords don’t last as long as they used to. Adversaries now have access to simple and effective password-related attack vectors. A few examples include credential stuffing (large-scale, automated login attempts using stolen credentials); phishing (an attempt to deceive users and illegally acquire sensitive information, like passwords); brute-force attacks (password guessing); and push-bombing attacks.

Passwords are inherently easy for adversaries to subvert. Due to password fatigue, users often choose weak passwords. They also often reuse or only slightly modify old passwords for different accounts. This often leads to disastrous consequences: Over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches, according to the 2024 Verizon Data Breach Investigations Report.

Given this alarming (and evolving) trend, organizations are being forced to re-evaluate their security posture. While simple two-factor authentication (2FA) like SMS codes, physical tokens, or app-based push notifications was once enough of a safeguard against most attacks, that’s no longer the case. MFA should now be considered the first line of defense and should offer both security for the organization and a frictionless login experience for the user.

This is where passwordless authentication comes in.



What is Passwordless Authentication?
Passwordless authentication establishes a strong assurance of a user’s identity without relying on passwords, allowing users to authenticate using biometrics, security keys or a mobile device. Traditional MFA relies on something you have, like a mobile device, and something you know, like a password. Passwordless may seem like it counter-intuitively removes a knowledge factor (the account’s password, something you know), but the password is replaced with something you have (a possession factor, for example, a locked device with Touch ID) combined with something you are (an inherent factor, your biometric). This balances usability with stronger MFA authentication. Passwordless gives users a frictionless login experience, while reducing administrative burden and overall security risks for the enterprise.

Business Benefits of Passwordless
Passwordless authentication provides a single, strong assurance of users’ identities to achieve user trust. As a result, enterprises can realize the following benefits:

• Better User Experience: By eliminating reliance on passwords, users benefit from a reduction in login fatigue and frustration, as well as an increase in user productivity.

• Reduced IT Time and Costs: Similarly, administrators and enterprises can benefit from reduced burden due to password-related help desk tickets and password resets.

• Stronger Security Posture: Eliminating system reliance on passwords can result in the elimination of related threats and vulnerabilities, including phishing, stolen or weak passwords, password reuse, brute-force attacks, etc.

3 Authentication Factor Categories
[Figure: triangle diagram of the three factor categories Knowledge, Possession and Inherent.] MFA checks for at least two of the 3 authentication categories, colloquially: “something you know,” “something you have,” and “something you are.”
2.0 The 5-Step Path to Passwordless
The Challenge:
Adopting a New Technology
Today, many authentication solutions only solve for one use case or enable a password-lite experience for users through single sign-on (SSO), changing the order of factors and session management. However, these piecemeal approaches can leave security gaps while not fully solving the weakness of passwords. For example, will the passwordless solution cover every authentication flow, and even if it does, will it assess the posture of devices accessing without a password?

Modern enterprises cannot cover all of their access use cases today with a single passwordless solution.

There are additional business challenges to consider:

Complex and Hybrid IT Environments
Finding a solution that supports both legacy and cloud applications and provides a consistent, simplified user experience is a challenge. Cloud federation provides passwordless only for cloud applications – users can log in and verify their identity using biometrics or a security key. But in reality, modern enterprises need to protect access to a hybrid mix of both cloud and on-premises applications.

Administrative and Management Costs
Supporting passwordless technology may involve cost-prohibitive security hardware and device management. The cost of security keys and biometric-based authentication can be a barrier to entry to supporting different types of users across an enterprise.

Compliance Regulations
Many companies or supply chain partner companies that need to meet compliance standards for data regulation have tied their policies to passwords, making it difficult to shift to stronger authentication methods. Cyber insurance providers and federal standards like NIST 800-63 outline more guidelines for passwords, MFA, and phishing-resistant authentication methods, with more recent guidance on dropping password expiration and complexity requirements.



An industry-wide shift

Problem Statement: Passwordless point solutions today do not solve every common use case across modern enterprises, causing critical gaps in access security.

Passwordless Challenge: Establish a basis for user identity trust that doesn’t rely on passwords – no matter where the user goes or what they attempt to access.

Passwordless can’t be achieved by one solution alone. It requires a compatible IT and application
ecosystem that puts security at the forefront. Platforms like Windows Hello, Touch ID, Face ID and
fingerprint APIs must work in tandem with hardware-based biometric authenticators, supporting open
standards like WebAuthn, SAML, and CTAP. Providers must upgrade to set the technical groundwork for
seamless, secure passwordless experiences.



The Solution:
5-Step Path to Passwordless
We recommend taking a phased approach to providing
secure access for the workforce, with each step taking
you closer to a fully passwordless future:

1. Identify passwordless use cases and enable strong authentication.
The first step is identifying and selecting specific enterprise use cases and evaluating the “starting point” for modernizing infrastructure in support of stronger authentication. Rank the use cases by user experience, IT time and costs, and security and compliance risks. Group the use cases by applicable passwordless solutions, so as not to end up with a series of point solutions. Create implementation plans for areas that have the biggest impact with the shortest time to value.

Reduce your reliance on passwords as the only form of user authentication and plan additional factors to later provide primary authentication. Protect cloud and on-premises applications with strong MFA. This enables you to lower the risk of credential theft by requiring a second method of identity verification that cannot be easily stolen remotely by an attacker.

2. Streamline and consolidate authentication workflows.
Rationalize authentication for a set of use cases as part of the implementation plan. For cloud apps, reduce reliance on passwords by using SSO for SAML-based applications. For on-premises services, integrate the workflows using access proxies and authentication proxies.

With MFA in place and a consolidated login experience, you can change password policies that require stringent and complex password characters, as well as policies around password reset frequency. You can also minimize the number of times users need to authenticate (or perform MFA) by implementing solutions where a single strong authentication persists across different applications and the users are prompted only when there is a change in context or risk. This lowers the user frustration related to password security and reduces your reliance on password complexity as your primary authentication.



3. Increase trust in authentication.
Increase Trust with Adaptive Policies and Device Trust
An often-raised concern about passwordless is the potential for increasing security risk when reducing the steps people take to authenticate. Address that head-on by increasing control based on the context of the user’s authentication.

Is the authentication coming from a trusted device? Does the access device’s security posture meet the organization’s security hygiene standards? Finally, check for suspicious behavior like unusual authentication factors, unusual locations, strange times of day, or access attempts by high-risk users or against high-risk applications. Apply adaptive access policies based on the context of the user, device, location, behavior, and more, to ensure the authentication is trusted.

4. Provide a passwordless experience.
If MFA is a password with one or more authentication factors, passwordless is best described as two or more authentication factors without passwords. People can log in using a biometric authenticator and the possession of a trusted device to access applications. This would be something they have and something they are, instead of relying on something they know (a password).

In this step of the journey, implement standard technology to remove passwords as the primary authentication factor for the use cases and areas with the biggest impact on user experience, cost, and security.

For example, consider using passwordless authentication to securely log on to your SSO solution. In this way, all of the applications federated behind the solution receive the benefit of passwordless. Choosing the right passwordless authenticator will depend on your environment – leveraging hardware with built-in biometrics is one option and investing in security keys that support FIDO2 is another. There are also phone-as-a-token providers that can enable passwordless via a mobile application. Many of these methods will leverage WebAuthn in the background. WebAuthn is an open standard that enables strong public key cryptography to ensure user presence at the point of authentication. It requires a supported web browser, operating system, and built-in authenticator such as Touch ID, or USB-based security keys.

5. Optimize the passwordless toolset.
Achieve passwordless authentication for all use cases, including passwordless for legacy tools using older protocols along with cloud-based applications. The path to passwordless is an iterative approach to selecting, streamlining, and securing authentication. The final step in the journey is integrating the technology and moving towards continuous improvement. Passwordless will eventually end your need to rely on passwords for any login workflow, either behind the scenes or throughout your users’ experiences.

This is the challenge in the market today that passwordless-pioneering technology platform providers need to solve. Duo is working on support for a comprehensive ecosystem that enables passwordless across every enterprise use case.



3.0 Cisco’s 130,000-user Passwordless Deployment
Cisco fully rolled out Duo Passwordless across over 130,000 users in August 2023, but planning and small pilot groups began two years prior. As a modern enterprise, the Cisco IT security team faces a complex and hybrid IT environment, regulation and compliance requirements, and a general need to keep administrative and management costs to a minimum.

Password resets and account lockouts result in lost time and resources, and standard form-based login with MFA increases security but at the expense of repeated user friction. Streamlining and consolidating authentication workflows became a priority for the Cisco IT team. With Duo Passwordless, Cisco was able to implement a FIDO2-based login flow that utilized Duo SSO and built-in hardware biometric platforms like Touch ID and Windows Hello to improve the overall login experience without compromising security.

Cisco’s Zero Trust Security
Responsive and adaptive access policies also contribute to a smoother end-user login experience and stronger zero trust security practices. Cisco deployed Risk-Based Authentication (RBA) alongside passwordless. RBA steps up authentication to a more secure method when risk factors or novel attack patterns are detected such as impossible travel, push harassment, and push spray. Risk is assessed at each authentication request, even if the end user doesn’t interact with Duo directly.

Another component of Cisco’s Zero Trust strategy is to define device trust standards, especially with a hybrid BYOD-accessing workforce. Duo enabled Cisco to limit sensitive application access to only trusted endpoints like corporate-managed devices. This added another layer of defense if credentials are compromised.

With thorough planning, alignment with leadership, and active communication and feedback practices, Cisco’s rollouts saw high levels of adoption with minimal related helpdesk tickets — a resounding success in enterprise security.

“We rolled out Duo Passwordless globally to 130,000+ users. It almost was a non-event at some point. We have just a few open cases and maybe 90 after 3 weeks, which is nothing. Adoption levels have been fantastic. A global rollout, with no problems whatsoever. That’s phenomenal. That never happens when we roll things out at this scale.”
- Sarabjeet Rana, Principal Architect, Cisco IT Security Team



Rolling out stronger security
Passwordless journey at Cisco.

October 2021: Pilot starts within Enterprise Security (160 users)
August 2022: Pilot expands to Infra and Infosec teams (3,000 users)
November 2022: Duo Passwordless is Generally Available
December 2022: Pilot expands to Security Business and Sales, and Cisco ONEx (30,000 users)
February 2023: Duo provides capability for mobile users to access zero trust-enabled apps. Pilot expands to Supply Chain and CX (60,000 users)
July 2023: Optimization of SSO, Form Auth, and Passwordless algorithms
August 2023: Duo Passwordless is rolled out to all of Cisco (130,000 users)

KPIs:
• Passwordless adoption
end-user sentiment
• # of device biometric enrollments
• % of passwordless authentications
• # of step-down and
step-up authentications
• # of apps protected by Duo
• # of authentication-related
help desk tickets

Best Practices:
• Take time to identify your organization’s application landscape. What percentage of applications are WebAuthn and CTAP-compatible today? What are key applications that need to be protected?

• Define pre-requisites and establish your definition of “done.” Passwordless is just one component of a zero trust strategy. What are specific metrics your organization or leadership focus on?

• Start small to go faster at scale. Pilot programs with limited users can result in valuable feedback and important monitoring.

• Get executive buy-in/sponsorship. Sharing benefits with leadership and employees can help win “air cover” to make decisions and move quickly. Weekly newsletters and fireside chats to stakeholders can create momentum and a sense of urgency.

Read the full Cisco & Duo case study



4.0 Building Your Organization Towards a Passwordless Future
Passwordless is a building block for organizations working towards a zero trust security strategy, from small businesses to major enterprises like Cisco. It provides a key aspect of establishing a single, strong user identity and trust, and enables the shift to a mobile and cloud-first enterprise — allowing users to work remotely, increasing productivity and driving business agility.

Duo offers a flexible implementation of passwordless authentication to meet the needs of businesses and their use cases. This includes:

• Wide support for phishing-resistant roaming and platform authenticators: WebAuthn FIDO2 passkeys and security keys with biometric or PIN verification, and authenticators or biometric sensors built into the device like Touch ID, Android Biometrics, or Windows Hello

• OS-level passwordless authentication for Windows Logon, compatible with Duo Passport to deliver a true and secure single sign-on experience across protected platforms and applications

• Strong authentication using passwordless with Duo Mobile application

• Full compatibility with Microsoft Entra ID MFA requirements through external authentication methods integration (replacing Custom Controls)

• Risk-based authentication with Duo Passwordless for automatic authentication step-ups, and native integration of passwordless with Trusted Endpoints to define access for managed and unmanaged devices

• Out-of-box analytics and detailed logging to track and report on passwordless adoption

WebAuthn and Agnostic Integrations are available in all Duo editions.

“It was exactly what I was looking for, which was a simple and elegant way to use YubiKeys or Windows Hello or Touch ID to replace the password. It simultaneously simplifies a user’s life and takes the risky password off the table.”
- Jason Watts, CISO, Inductive Automation

Passwordless Enables Zero Trust.
A combination of user and device trust, driven by adaptive policies ensures access to applications and data is secured. Duo’s Passwordless authentication improves the working experience while strengthening our trust in authentication for all Duo customers. Establish a passwordless login workflow for cloud apps without ripping and replacing existing infrastructures.



Additional Resources
Don’t let passwords burst your balloon. Learn more about what
Duo is doing to enable the passwordless future by working to make
passwordless technology and standards open, accessible and easy
for the broader community:

• What is WebAuthn?

• WebAuthn.io

• Web Authentication: What It Is and What It Means for Passwords

Blog:
What are passkeys?

Webinar:
The State of Passkeys

Mini-Docu Series:
The Life and Death of Passwords

Duo Passwordless Documentation:
https://duo.com/docs/passwordless

Cisco Duo protects against breaches with a leading access management suite that
provides strong multi-layered defenses and innovative capabilities that allow legitimate
users in and keep bad actors out. As a trusted partner, Duo quickly enables strong
security while also improving user productivity.

Try it for free at duo.com.

© 2024 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) 1364499477 08/2024
