PASSWORDLESS SECURITY

EVALUATION GUIDE
12 Key Considerations for Assessing
Passwordless Multi-Factor Authentication
(PMFA) Solutions
About this Guide
Organizations of all sizes and across all sectors are looking to passwordless This guide will help you discern among available passwordless
authentication to make their authentication processes more secure while security products and determine which solution best suits all
reducing friction. And for good reason. Nearly two-thirds of all breaches and the needs and requirements of your organization. This guide is
all ransomware attacks start with credential theft and account compromise. intended for:
Passwords are one of the key targets for attackers, largely because they are easy IT and system administrators
to steal and typically stored in one place.
Identity and Access Management (IAM) architects
True passwordless authentication keeps out those who shouldn’t have access
Security teams
while making sure the right people can get in seamlessly — and it’s the single
strongest security measure you can implement to keep your organization, your CIOs
users and your customers safe. CISOs
But the passwordless authentication landscape can be challenging to navigate. Anyone interested in better security
Not all solutions are created equal, and terminology can be confusing or even
misleading. Some don’t meet compliance requirements. Some may meet
What You’ll Learn:
technical definitions but are still vulnerable to attack. And many have hidden
costs in the form of lengthy and complex deployment, extensive and time- The biggest authentication security risks
consuming training and support and vendor lock-in.
A comprehensive set of criteria to evaluate
passwordless solutions
Gartner calls passwordless authentication a critical information Alignment of password authentication with
security technology to adopt now.1 compliance, certification, and standards

Advancing your Zero Trust security model with

passwordless authentication

How to determine your total cost of ownership (TCO)

2 www.hypr.com | Passwordless Security Evaluation Guide

Where Do You Start?
Before you begin evaluating passwordless authentication vendors and solutions, it’s critical to assess both your
current and future security needs. As with any tool in your security stack, you need to weigh the risks, costs and
your specific requirements. Consider these questions as a starting point.

Requirements Risks Cost

Are you in a highly regulated industry How much business disruption would How much have you budgeted to cover
or sector? be involved in making the switch to the costs for multi-factor authentication
passwordless authentication? (MFA)?
Does your cyber insurance require you
to have MFA? Will users embrace the new technology Have you included the intangible costs
or resist it? of deployment, such as implementation
What kind of sensitive data does your
time IT resources needed and a potential
organization handle? To what extent do you want your
slowdown in user productivity?
passwordless authentication to protect
Do you have multiple identity providers?
against specific threats, such as credential How much do fraudulent transactions
Do you employ a hybrid or remote
phishing and push attacks? and attack mitigations cost you
workforce?
currently?
How developed is your cloud infrastructure,
Does your organization interface with
and how do passwords and shared secrets
customers online?
make your organization vulnerable?

3 www.hypr.com | Passwordless Security Evaluation Guide

Introduction
As any security professional can tell you, credentials and the people that With automated hacking tools that can bypass MFA and massive
use them constitute one of the biggest security risks. Yet, organizations credential leaks now ubiquitous, attacks will continue to rise unless
are still heavily reliant on password-based methods to protect access to organizations evolve their strategies. Passwordless authentication
digital accounts, data and other resources. According to Forrester, more completely eliminates the biggest attack vector and the biggest target of
than 55% of organizations continue to use passwords as the primary hackers: credentials.
authentication method.2 If you are looking at including passwordless authentication in your
security arsenal, be aware that there are significant differences among
Approximately 65% of people reuse passwords across accounts, passwordless products and vendors. This guide outlines the major
and nearly half hadn’t changed their passwords in over a year, features and capabilities you should be looking for, along with questions to
even after a known breach.3 ask potential providers. The relevance of each of these capabilities in your
own evaluations will depend on the nature of your systems and business,
compliance requirements and ongoing or planned strategic initiatives,
The pervasiveness of lax password practices makes account takeover
such as Zero Trust.
trivial. It’s no wonder that credential theft, is at an all time high. There’s
currently more than 15 billion stolen credentials for sale on various
hacking forums.4
Credential-based attacks span a variety of methods — from phishing 34%
campaigns and credential stuffing to man-in-the-middle attacks. The of organizations reported
Verizon 2021 Data Breach Investigations Report, found that 61% of all credential stuffing attacks
breaches exploit credential data and 60% of ransomware attacks begin
with a compromised credential.5

Many organizations are adopting two-factor authentication (2FA) or

89%
MFA to strengthen their security posture, meet regulatory requirements of organizations experienced at
and qualify for cyber liability insurance. While MFA certainly provides least one phishing attack.
more security than passwords, it still falls short. Traditional MFA is often
unwieldy, adding friction for users and IT teams. And, credentials remain
at the core of most MFA solutions, making them vulnerable to attack. Source: HYPR State of Passwordless Authentication 2022

4 www.hypr.com | Passwordless Security Evaluation Guide

Top 10 Authentication Security Risks
Attackers use multiple methods to bypass passwords and traditional MFA
security. These are the most common threats you need to guard against.

Phishing Push attacks

SMS hijacking Credential stuffing

Sharing of passwords Sniffing/keylogger

and tokens by users malware

Automated attack tools Password spraying

(e.g., Modlishka)

Man-in-the-middle attacks Brute force/cracking

5 www.hypr.com | Passwordless Security Evaluation Guide

Core Capabilities to Look for
1. No Passwords or Shared Secrets Anywhere 2. Passwordless MFA for Desktop Login
Contrary to what you’d expect, passwordless authentication does not always Secure application login is important, as it ideally enables passwordless
eliminate passwords and shared secrets. Some approaches remove the authentication from anywhere — any location and on any device. But if a
password from the user’s login experience for the sake of convenience, but passwordless authentication solution works only for applications, it leaves
centrally stored passwords remain part of the infrastructure. For example, they open a critical security gap for your workforce.
may use a biometric feature, such as Touch ID or Face ID for the login, but this The initial authentication point for most of your employees is the laptop,
simply unlocks and forwards a stored password for validation on the backend. desktop or workstation itself. Desktop authentication is now one of your most
Other solutions may send a one-time password (OTP) by SMS or email as part critical legal and business imperatives. Multiple regulatory bodies, including
of their MFA flow. None of these solutions are truly passwordless multi-factor the NYDFS, CISA and the Federal OMB, are requiring affected organizations
authentication (PMFA). Whenever there is a secret shared for verification, even to implement MFA, and many cyber insurance companies insist on it as a
if temporary, it is vulnerable to phishing and interception. Moreover, anytime requirement to obtain coverage.
there is a database of stored credentials, it will be a target for hackers.
Your passwordless authentication solution should offer several secure
True PMFA solutions are based on public key encryption. They use a private- authentication options for desktops, ideally with the same user login
public cryptographic key pair to authenticate a user’s identity. The private key experience as for applications. If you have cases where an employee logs into
is stored in a secure enclave on a user device — a mobile phone, smart card multiple desktops or multiple employees share the same computer, make
or security key — while the public key is registered with the authenticating sure the solution can address these situations. In addition, a secure roaming
server. This ensures that user accounts and data stay safe, even if the server is authentication capability is essential when employees are traveling or unable
breached. These systems also may include other verification factors, such as to connect to the internet.
biometric recognition, local to the device.

65% of organizations’ “passwordless” solutions actually require a

shared secret, such as an underlying password, OTP or SMS code.6

Buyer’s Tip: Buyer’s Tip:

Your passwordless solution should never use Secure authentication for applications is not enough.
shared secrets, including during enrollment and To secure your workforce, you need passwordless
account recovery. authentication that begins at the desktop.

6 www.hypr.com | Passwordless Security Evaluation Guide

3. Support for Remote and Hybrid Workers 4. Integration with Your Systems, Identity Providers and Devices
Flexible workplace policies are the norm today and nearly all organizations As part of your preparation for passwordless authentication, you’ll want to
have a responsibility to secure their remote or partially remote and map out all the places your workforce uses passwords. Include device types
traveling workforce. (examples: Android, iOS, macOS, Windows, Linux) and login locations in
addition to your identity providers (IdPs), virtual desktop infrastructures (VDIs),
Remote working means that large numbers of employees access
applications, proprietary programs and cloud services.
corporate resources through virtual private networks (VPN), virtual desktop
infrastructure (VDI) and remote desktop protocol (RDP), which makes Many passwordless solutions either work only with specific IdPs or attempt
them susceptible to attacks and breaches of network security. Hardening to leverage their product to lock in organizations to their own IdP. This creates
your defenses at the point of access to these systems, such as through a disjointed user experience and can hamper cloud transformation initiatives.
advanced PMFA capabilities, goes a long way toward securing your remote The passwordless authentication solution you ultimately end up selecting
and hybrid workforce. should integrate with all the major IdPs (such as Okta, Ping Identity, Azure AD,
ForgeRock and others).

It should also support open standards (such as SAML or OIDC) to easily

Forrester found that 75% of organizations experienced
integrate with the secure single sign-on (SSO) service of your choice. Flexibility,
cyberattacks stemming from insecure technology deployed
portability and forward compatibility are essential.
to cope with remote work.7

Secure offline access is another important consideration for remote and

hybrid workers. Working remotely increases the need to unlock devices
when internet coverage is patchy or inaccessible. Some methodologies,
such as decentralized offline PINs available through an authenticator
app, let users securely identify themselves offline and gain access to the
devices they need to do their jobs.

Buyer’s Tip: Buyer’s Tip:

Ensure that your passwordless authentication Your authentication should be decoupled from
solution provides secure remote access, even your identity provider and integrate with a wide
when offline. range of devices and services.

7 www.hypr.com | Passwordless Security Evaluation Guide

5. Resources Required to Deploy and Manage the Solution 6. The User Experience
An important step in planning your move to passwordless authentication In this digital age, a consumer-grade experience is critical to business
is determining whether your in-house staff possesses the knowledge and success — for both customers in a B2C setting and for the workforce. A
skills to properly implement the solution. Depending on the solution and recent report found that 67% of organizations say that improving user
your team, you may need to engage professional services to support, experience is a key factor in adopting passwordless authentication.9
install and test the solution and necessary integrations. User comfort with any security system plays an essential role in its
successful adoption and makes it less likely that people will seek
According to a recent poll, 67% of organizations contend that their workarounds for expediency or ease. Solution providers need to make the
staff doesn’t have the needed skills and teams for adoption of passwordless authentication experience fast, intuitive and convenient.
passwordless authentication.8 Ideally, there will be a single login flow — from the desktop through to cloud
applications — with a consistent experience across devices and systems.
Choosing the right solution can make deployment, integration and When you evaluate various passwordless authentication vendors, check to
management faster, easier and less expensive. Make sure you consider see whether their solutions can accommodate different requirements and
the following questions as you evaluate solutions: user preferences across different demographics, verticals and industries. A
Does the solution follow a standards-based approach? If that’s the sound passwordless authentication solution should provide alternatives for
case, it should be trivial to integrate it with your current SSO providers. those who cannot or choose not to use biometrics. Ideally, the vendor will
offer multiple secure authentication methods, including smartphone apps,
Is there a robust software development kit (SDK) that allows
Windows Hello, QR codes, hardware security keys and decentralized PINs.
development teams to integrate the solution with custom or legacy
applications not connected to your SSO? User experience is inextricably linked to productivity. Whether applied to the
workforce or for B2C applications, 73% of organizations believe that
If regulatory obligations such as the PSD2 Strong Customer
the most user-friendly and convenient method for MFA is smartphones.10
requirement impact your business, do the SDKs include built-in security
controls and functions to help you meet them?

How long will it take to deploy and enroll each user?

Buyer’s Tip: Buyer’s Tip:

Do your due diligence in determining resources A positive and frictionless experience for every
needed to rollout and manage a solution on an user should be a top priority.
ongoing basis.

8 www.hypr.com | Passwordless Security Evaluation Guide

7. Cloud Solutions: Availability, Security and Operational Processes
A security solution is only as valuable as it is available and resilient against
security incidents and downtime. Some enterprises sometimes choose to deploy One good test of a vendor’s resilience is how quickly they
on-premises authentication solutions, believing they offer greater security control. respond to widespread security incidents like the recent Log4j
However, such solutions are often less secure as it’s more difficult to deploy vulnerability, which exposed all applications using the popular
urgent security patches. Java-based utility to attacks that could steal data, hijack servers
Cloud-based authentication provides high scalability, flexbility and better and deliver ransomware or other malware.11 Find out how long
integration with modern organizations’ cloud applications and services. Make it took for vendors under consideration to test, remediate any
sure your passwordless provider maintains their solution independent from exposure and communicate the mitigation to their customers.
your systems. That way, even if you are breached, access to your applications is
still securely managed by your provider. Check that it has mature and proactive
monitoring capabilities, including automated anomaly detection.

If your business is subject to data privacy regulations, such as the EU General 8. Secure Storage of Private Keys
Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), A passwordless authentication solution can still be vulnerable to
make sure the solution does not share or store sensitive or personally identifiable device-side attacks by hackers, even if it uses public key cryptography.
information (PII) in the cloud, or send users SMS codes. Any security-relevent Malware, side-channel attacks and reverse engineering are among the
data should be encrypted (AES-256 or stronger), with each tenant’s data stored many techniques available to attackers who want to steal the private
in a segregated database invisible to other tenants. keys of a cryptographic system. To ensure key safety on mobile devices,
Make sure your vendor has a failover process in place, with service distributed authentication systems should utilize hardware-based security, such as
geographically and across multiple providers and power grids.Ideally, your ARM’s TrustZone technology, Android’s Trusted Execution Environments,
vendor should guarantee 99.99% uptime, backed by strong service level the iOS Secure Enclave or Samsung KNOX to store keys and perform
agreements (SLAs). cryptographic operations.

Buyer’s Tip: Buyer’s Tip:

When assessing cloud-based solutions, ask about Ask if the solution uses a device-level Trusted
solution hardening against vulnerabilities and breaches, Platform Module (TPM) to store private keys and
data privacy compliance and uptime guarantees. other sensitive data.

9 www.hypr.com | Passwordless Security Evaluation Guide

9. Certifications and Compliance 10. Total Cost of Ownership
If your organization handles sensitive personal or payment data, make As you contemplate the move to passwordless authentication, another area
sure your passwordless solution meets relevant privacy and security that needs to be considered is the total cost of ownership (TCO). The TCO
compliance requirements, such as GDPR, CCPA, HIPAA, PCI DSS, NIST encompasses deployment resources and management costs in addition to
800-63B and others. the initial dollar investment.

In addition to adhering to compliance regulations, find out if the vendors Other points to consider are productivity impact for employees and how
under review hold up-to-date independent certifications. This provides successfully the solution reduces authentication-related help desk issues.
assurance of their commitment to security and privacy standards and For example, solutions that utilize a smartphone-based authenticator app
will enable you to obtain proof-of-compliance reports for your auditors. generally have fewer help desk calls as users are less likely to forget or
Vendors with SOC 2 Type 2 certification have had their security procedures lose their smartphone.
and controls fully vetted by a third-party, independent auditor. Another critical question to ask a vendor is whether their passwordless
Various ISO certifications provide additional assurance regarding controls authentication solution integrates with your legacy systems and preferred
to ensure the confidentiality, integrity and availability of customer identity provider(s). Will the solution enable you to integrate and streamline
information; measures that reduce risk in the cloud; and data privacy and fragmented authentication processes and identity systems?
protection of personally identifiable information (PII) in cloud computing. Authenticator costs are another TCO consideration. Do you have to
Finally, to further aid your organization with compliance audits, ask your purchase, manage and administer hardware authentication devices?
vendor if they create an audit trail that reports data on authentications For mobile authenticators, confirm if there is any per-device cost or if an
across mobile devices and workstations, along with errors that may unlimited number of enrolled devices is permitted for each user license.
have occurred. Data center costs are an often-overlooked expense of an on-premises
authentication solution. With a cloud-based solution, you don’t have to
absorb the associated management costs.

Buyer’s Tip: Buyer’s Tip:

Ask your vendor to supply up-to-date certifications Get a general idea of costs in your initial
and reports on their compliance with current exploration and really dig into details when it
regulations. comes time for a request for proposal (RFP).

10 www.hypr.com | Passwordless Security Evaluation Guide

11. Use of Open Standards Throughout
The FIDO (Fast IDentity Online) Alliance aims to improve cybersecurity
with open standards that are more secure than passwords, SMS and How Critical Is FIDO?
OTPs, simpler for consumers to use, and easier for service providers to Today, FIDO standards are the most
deploy and manage. The Cybersecurity & Infrastructure Security Agency widely adopted standards in the
(CISA) considers FIDO the gold standard for MFA. A FIDO Certified solution passwordless industry. Advocates
leverages public key cryptography for authentication and adheres to include Mastercard, Apple, 96%
usability and interoperability standards to aid user adoption and ensure Microsoft, Samsung and others. say FIDO is important
compatibility with other FIDO Certified products.
Source: HYPR State of Passwordless
Some vendors claim that they are FIDO compliant or support FIDO, but this Authentication 2022
does not guarantee the same security, usability and interoperability as FIDO
certification. It’s also possible for a provider to have FIDO certification for
its validation server, but not for its authenticator. This means their server
Buyer’s Tip:
has the ability to accept external FIDO Certified authentication verifiers but
that the solution’s client itself does not meet FIDO standards. Make sure your vendor is fully FIDO Certified
across all solution components.
FIDO standards match guidance from these organizations and
cybersecurity statutes, ensuring built-in compliance:

NIST (800-63B)

Federal Financial Institutions Examination Council (FFIEC)

U.S. Federal Office of Management and Budget (OMB)

PSD2 Strong Customer Authentication

Using a solution that is FIDO Certified on all of its components helps

future-proof your authentication strategy. To determine a passwordless
authentication solution’s certification status, you can check FIDO’s registry
of certified technologies here.

11 www.hypr.com | Passwordless Security Evaluation Guide

12. Zero Trust Best Practices
Zero Trust is a security model that has gained tremendous traction FIDO Certified passwordless authentication helps your organization enact
worldwide. The core concept is simple: never trust anyone or any device. Zero Trust principles, without a negative impact on the user experience. It
Zero Trust requires that the identities of all users and devices that try builds trust into the user’s identity, ensuring that authentication processes
to access resources on a corporate network always be verified and that align with the highest level of assurance (NIST 800-63B AAL3) for Zero Trust
access needs are limited to the appropriate role. initiatives. CISA, the Federal OMB and other compliance regulators strongly
recommend technology based on FIDO and WebAuthn standards.
A cornerstone of any Zero Trust initiative is phishing-resistant MFA.
Under Zero Trust, MFA is the network gatekeeper — and the strength of If Zero Trust is part of your security strategy, true passwordless
that gatekeeper affects the security of the entire Zero Trust architecture. authentication can bring this transformation about more quickly, at a
Unfortunately, some organizations find gaps in employee MFA adoption, lower cost, using fewer resources and with stronger, more reliable levels
especially among those who work remotely or travel often. The friction of security and compliance.
of forcing employees to juggle multiple authentication steps creates
adoption hurdles that slow down the Zero Trust initiative as a whole. Buyer’s Tip:
Even if your organization has no plans for a formal Zero
Trust initiative, you should implement the framework’s
widely accepted best practices for authentication.

12 www.hypr.com | Passwordless Security Evaluation Guide

Additional Factors HYPR Checks All the Boxes and Then Some
You now have a solid basis for evaluating the ideal passwordless HYPR’s True Passwordless™ multi-factor authentication (PMFA) platform
authentication solution for your organization. Once you have asked the hard is designed to eliminate the traditional trade-off between security and a
questions about everything from capabilities to compliance to costs, there seamless user experience. It turns an ordinary smartphone or other device
are still a few important things to consider. After all, you will be entering into into a PKI-backed security key for frictionless, phishing-resistant login from
a critical, long-term security relationship, so make sure you examine the desktop to cloud. Think of it as a hardware token like a YubiKey inside the
vendor as thoroughly as the solution. device you already use.

Research the vendor’s reputation. Check analyst research from Gartner, A fully FIDO Certified authentication system, HYPR also serves on the board
Forrester and other industry experts to compare how the vendor rates of the FIDO Alliance and is 100% committed to improving security and
against competitors and what their strengths and weaknesses are from an system interoperability. Our cloud-based solution is architected for 99.99%
independent third-party perspective. availability, and we deliver 100% monthly uptime for the majority of our
customers. HYPR has been recognized by Gartner in its “2021 Market
Make sure the vendor provides regular release updates and has a proven
Guide for User Authentication” and its 2022 “Emerging Technology
track record of responding to customers’ needs in terms of fixes, features,
Horizon for Information Security” as a leading supplier of passwordless
protections and system coverage.
authentication. Additionally, HYPR holds SOC 2 Type 2 and ISO 27001,
Ask your vendor for customer references that you can contact directly to 27017 and 27018 certifications.
gain insights on their experiences with the company and the solution. Talk to
HYPR dedicates itself to the success of its customers and believes in
their customers about the responsiveness of the vendor’s technical support
providing a positive and productive experience — from initial deployment
and development teams.
to ongoing technical support. Onboarding is straightforward and streamlined
Also, find out about speed of deployment and the time and resources — new employees can be productive their first day on the job.
involved in management and maintenance. Can and will your chosen vendor
help you navigate the optimal deployment for your organization? Does
your vendor have extensive, proven experience and skills in the field and “After looking at countless authentication products, we
especially in your industry sector and environment? decided that the best way to address our cybersecurity
issues was HYPR’s passwordless multifactor solution.”
Buyer’s Tip:
Inquire about customer satisfaction scores and retention Joe Kynion, VP/Information Technology Officer
rates. If a provider keeps their customers happy, it’s First Citrus Bank
a good indication that they will be a reliable security
partner for you.

13 www.hypr.com | Passwordless Security Evaluation Guide

Sources:

1 Gartner, Emerging Technology Horizon for Information Security, Published 16 November 2021

2 Using Zero Trust To Kill The Employee Password, Forrester Research, Inc., August, 2021

3 Psychology of Passwords, LogMeIn, August, 2021

See how passwordless MFA
4 From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover, July, 2020 can secure your workforce
and customers.
5 https://www.verizon.com/business/resources/reports/dbir/

6 The State of Passwordless Security 2022, HYPR, January, 2022

Visit: hypr.com/demo
7 Forrester, Beyond Boundaries: The Future Of Cybersecurity In The New World Of Work, September

2021

8 https://www.forbes.com/sites/forbestechcouncil/2021/11/23/whats-blocking-the-adoption-of-
passwordless-authentication/

9 The State of Passwordless Security 2022, HYPR, January, 2022

10 2021 State of Passwordless Security Report, HYPR, February, 2021 About HYPR
11 https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
HYPR fixes the way the world logs in. HYPR’s true passwordless
multi-factor authentication (PMFA) platform eliminates the
traditional trade-off between uncompromising assurance and a
consumer-grade experience so that organizations decrease risk,
improve user experience and lower operational costs.

©2022 HYPR. All rights reserved.

14 www.hypr.com | Passwordless Security Evaluation Guide