2. Do a Risk Assessment to Develop Authentication Requirements
Analyze the risk associated with each information system used in your environment to determine the probability and the impact of a potential breach. This will help you develop authentication requirements for each system commensurate with the level of risk it presents. It will also help you prioritize your work, focusing first on the highest risks.
3. Cut Down on the Number of Times Users Must Enter Passwords
Users are conditioned to enter their passwords dozens of times per day. Removing those prompts dramatically improves the user experience by letting users move seamlessly from system to system, and it gets them out of the habit of using passwords routinely. Once you’ve minimized the number of times that users encounter password prompts, you can transition to a truly passwordless environment.
4. Eliminate Passwords from the Identity Directory
This is the ultimate goal of a passwordless strategy, but you won’t be able to take this final step until you’ve modernized every legacy system that relies on password authentication. Once you’ve removed passwords entirely, you’re safe from password theft attacks because there simply are no passwords to steal.