Skip to main content

The Bad "P" in Authentication

 Here's a scary word for you! If you are squeamish, you may want to look away. Now that you've been warned I am going to tell you the word:

Passwordless

BOO. Scary, right? Well, you won't believe how many people actually think the worst of this word and do not realize what it actually means or what it entails. There's more to passwordless than meets the eye, and that is what we'll talk about in this post. Here's how you can begin adopting passwordless in your organization!

What is Passwordless?

Passwordless authentication can be simplified into a singular idea: remove the password from the equation. Passwords are phishable, reused across services, and stolen in bulk from breached databases, so as attacks evolve they are becoming a liability rather than a control, and the industry is moving toward phishing-resistant alternatives. The only problem is that passwords are still the norm for a variety of systems, which introduces a barrier to adoption. This is just one of several barriers that prevent organizations from adopting passwordless authentication, with other reasons consisting of (but not limited to):

  • Changing paradigms from passwords to passwordless can introduce knowledge gaps

  • Some users are used to passwords and unwilling to change unless necessary

  • For some systems, passwordless is still not possible, resulting in a mix of authentication methods

  • Some users do not have a mobile device, or do not wish to install an authenticator app

  • There is still a general lack of understanding of what passwordless authentication is and how it works

The Passwordless Adoption Framework


The Passwordless Adoption Framework (PAF) consists of five key areas:

  • Requirements Gathering and Analysis

  • Phased Implementation

  • Phased Testing

  • Rollout and Adoption

  • Maintenance and Improvement

You may also notice that this process follows common change management principles. This is by design: the journey to passwordless isn't a straight path. Rather, it is a multi-faceted initiative that requires careful planning and understanding before rolling out.

Requirements Gathering and Analysis

In this phase of the framework, we want to establish why we are going passwordless. Is it to strengthen our security posture, in particular by moving users onto phishing-resistant methods? Are we trying to get more people to use stronger authentication in general? Maybe we want to try Windows Hello for Business? When planning for this change, it is important that you understand why you are making it. For this phase, we're trying to determine the end goal of going passwordless and which users, devices and systems will transition to this form of authentication. Additionally, we want to establish which authentication methods will be used (for example FIDO2 security keys, Windows Hello for Business, or an authenticator app), what the user flow will look like, including enrollment and account recovery, and any potential roadblocks that may occur as well as how to overcome them. Once these checks (and any others your organization needs) are complete, we can move on to implementation.

Phased Implementation

The keyword here is phased. Rolling out a passwordless initiative is not an overnight endeavour. Rather, it is something that should be done in phases. I recommend that when rolling out passwordless to your organization that it be done in a way that allows you to approach it from the following angles:

  • Start with a controlled pilot: Begin with a small, low‑risk group or department to validate your initial configuration and user experience.

  • Introduce passwordless methods incrementally: Roll out one authentication method at a time, such as FIDO2 keys, Windows Hello for Business, or an authenticator app, so users aren’t overwhelmed.

  • Target low‑impact systems first: Enable passwordless on applications or services where issues won’t disrupt critical operations.

  • Expand in waves across the organization: Move from early adopters → technical teams → general staff, adjusting your approach based on feedback from each wave.

  • Monitor sign‑in telemetry and user behavior: Track success rates, fallback usage, and error patterns to identify friction points early.

  • Refine policies and configuration as you go: Tune Conditional Access, enrollment flows, device requirements, and authentication policies based on real‑world results.

  • Prepare support teams before each phase: Ensure helpdesk staff understand the new authentication flow and can troubleshoot common issues.

  • Document lessons learned after each rollout stage: Capture what worked, what didn’t, and what needs refinement before expanding further.
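The telemetry step above is where most rollouts stall, because "track success rates and fallback usage" is easy to say and rarely turned into numbers per wave. The script below is an added example, not code from the original post: it reads exported sign-in records, groups them by rollout wave, computes success rate, passwordless share, password-fallback share and the top error codes for each wave, lists the users still falling back to passwords, and applies a go/no-go gate before you expand to the next wave. The records, field names (userPrincipalName, method, errorCode), wave table, method labels, error codes and thresholds are all constructed assumptions loosely modeled on a sign-in log export; adapt the field names to whatever your identity provider actually exports.

```python
"""
Per-wave sign-in telemetry for a phased passwordless rollout.
Added example; records and field names are constructed assumptions
modeled loosely on an exported sign-in log, not a documented schema.
"""
import json
from collections import Counter, defaultdict

# Methods treated as passwordless; anything else counts as a fallback (assumption).
PASSWORDLESS_METHODS = {
    "FIDO2 security key",
    "Windows Hello for Business",
    "Passwordless phone sign-in",
}

# Constructed rollout waves: which users belong to which phase.
WAVES = {
    "alice@example.com": "pilot",
    "bob@example.com": "pilot",
    "carol@example.com": "technical",
    "dave@example.com": "technical",
}

# Constructed sign-in records, one JSON object per line. errorCode 0 = success;
# non-zero values are placeholder failure codes, not documented meanings.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "method": "FIDO2 security key", "errorCode": 0}
{"userPrincipalName": "alice@example.com", "method": "FIDO2 security key", "errorCode": 0}
{"userPrincipalName": "bob@example.com", "method": "Password", "errorCode": 0}
{"userPrincipalName": "bob@example.com", "method": "Windows Hello for Business", "errorCode": 50074}
{"userPrincipalName": "carol@example.com", "method": "Windows Hello for Business", "errorCode": 0}
{"userPrincipalName": "carol@example.com", "method": "Windows Hello for Business", "errorCode": 0}
{"userPrincipalName": "dave@example.com", "method": "Password", "errorCode": 0}
{"userPrincipalName": "dave@example.com", "method": "Password", "errorCode": 50126}
{"userPrincipalName": "dave@example.com", "method": "Passwordless phone sign-in", "errorCode": 0}
{"userPrincipalName": "eve@example.com", "method": "Password", "errorCode": 0}
"""


def parse_signins(text):
    """Parse JSON Lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def wave_metrics(records, waves, passwordless_methods=PASSWORDLESS_METHODS):
    """Aggregate raw counters per rollout wave. Users missing from the wave
    table land in 'unassigned' so they are visible rather than silently dropped."""
    stats = defaultdict(lambda: {
        "attempts": 0, "successes": 0, "passwordless": 0, "fallback": 0,
        "errors": Counter(),
    })
    for rec in records:
        s = stats[waves.get(rec["userPrincipalName"], "unassigned")]
        s["attempts"] += 1
        code = rec.get("errorCode", 0)
        if code == 0:
            s["successes"] += 1
        else:
            s["errors"][code] += 1
        if rec["method"] in passwordless_methods:
            s["passwordless"] += 1
        else:
            s["fallback"] += 1
    return dict(stats)


def summarize(stats):
    """Turn raw counters into rates and the top error codes per wave."""
    summary = {}
    for wave, s in stats.items():
        n = s["attempts"]
        summary[wave] = {
            "attempts": n,
            "success_rate": s["successes"] / n,
            "passwordless_share": s["passwordless"] / n,
            "fallback_share": s["fallback"] / n,
            "top_errors": s["errors"].most_common(3),
        }
    return summary


def fallback_users(records, passwordless_methods=PASSWORDLESS_METHODS):
    """Users still signing in with a non-passwordless method, with counts:
    the people to contact (or whose devices to check) before the next wave."""
    counts = Counter(rec["userPrincipalName"] for rec in records
                     if rec["method"] not in passwordless_methods)
    return dict(sorted(counts.items()))


def wave_ready(summary, wave, min_success=0.95, max_fallback=0.10):
    """Go/no-go gate before expanding: the wave must exist, sign-ins must be
    succeeding, and password fallback must be rare. Thresholds are assumptions."""
    s = summary.get(wave)
    if s is None:
        return False
    return s["success_rate"] >= min_success and s["fallback_share"] <= max_fallback


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    summ = summarize(wave_metrics(recs, WAVES))
    for wave, m in summ.items():
        print(f"{wave:>11}: success={m['success_rate']:.0%} "
              f"passwordless={m['passwordless_share']:.0%} "
              f"fallback={m['fallback_share']:.0%} errors={m['top_errors']}")
    print("still on passwords:", fallback_users(recs))
    print("pilot ready to expand:", wave_ready(summ, "pilot"))
```

Run it against a real export and the "unassigned" bucket is worth watching on its own: it shows sign-ins from accounts nobody put in a wave (service accounts, contractors, forgotten test users), which are exactly the accounts that tend to keep a password long after everyone else has moved on.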

Phased Testing

Now that we have completed the phased implementation, we can focus on testing. The ideal way to begin testing your passwordless deployment is to start with your own department, and select a few machines that you can keep a close eye on. Once you are satisfied that it is working on your department's machines, you can then begin testing with a small, selected group. During this time, you'll want to be taking feedback from the group, such as any difficulties encountered, points of confusion, or anything else they may raise. I recommend doing this with a couple of groups, one technical and one non-technical, so that you get both perspectives.

During this time, creating materials and training based on the feedback gathered will allow for a smoother transition into a passwordless environment when rollout begins.

Rollout and Adoption

At this point, we're ready to go live with the change. This is when you'll want to issue org-wide announcements of the upcoming change and provide the training and adoption resources mentioned above. Provide a timeline in which users can expect this change on their end, so that they're not caught off guard by it. Like the phased testing, break the rollout down into smaller groups, so that you can roll back more easily should it be required. Throughout this time, you want to champion passwordless and ensure that your org is educated on it and empowered to use it. Knowledge is half the battle.

Maintenance and Improvement

As always, there will be maintenance and improvements required. Bake this into your overall project goals as an ongoing effort, as there will always be work to do in order to keep it running at both the org-wide and the user level. At this point, users should be aware of and using passwordless solutions, and your staff should know how to handle common issues and requests. If not, now is a great time to work on it!

Final Thoughts

If you read through this article in its entirety, you'll probably notice that it was pretty non-technical. That was deliberate: I wanted to appeal to both the technical and non-technical sides of the house and show that passwordless is achievable with the right steps and procedures. As we shift to a world where AI lets attackers run phishing and credential attacks faster and at greater scale, phishing-resistant passwordless authentication is becoming a prevalent solution to this evolving problem.

Until the next post folks!
