OIT Sets Sights on a Passwordless Future

Let’s face it – password security measures can be frustrating at times! Several examples probably spring to mind – forced password expirations, multiple Duo prompts per day, and even long lines to swipe at the parking garage. Occasionally, however, a technological advancement is introduced that dramatically improves both security and convenience. A powerful example of this is the promise of passwordless authentication.

Passwordless authentication, or simply passwordless, refers to a method of logging on without the need to enter a password or PIN. Here in the year 2025, you’re probably already very familiar with passwordless, though maybe not by that name: fingerprints (e.g. Touch ID) and facial recognition (e.g. Face ID) are modern examples of how your mobile device lets you in without a password. Now imagine that same ease of use when logging into computers and websites at SMU! That day is approaching!

Duo Was a Start

Traditionally, there are four types of authentication:

  • Something you know (knowledge)
  • Something you have (possession)
  • Something you are (inherence)
  • Something you do (behavior)

The weakest option is employing things you know, like passwords. Why? Because they tend to be forgotten, and they are the easiest to give away or to have stolen and used by someone else. Duo was introduced at SMU back in 2016 to help curb a growing problem organizations were facing: stolen passwords leading to costly security compromises. For the first time at SMU, Duo combined two types, or factors, of authentication: something you know and something you have. This is known, of course, as multifactor authentication or MFA, because it uses more than one of the authentication types. The use of Duo at SMU has been extremely effective at fending off security compromises and has helped to virtually eliminate internal spam.

Looking Forward to Passwordless

OIT is looking forward! The next step at SMU beyond Duo MFA is passwordless authentication. Passwordless combines something you have and something you are. In some cases, it also includes something you do. For example, it might leverage stored secrets on a device you already have, rather than asking you for input. There are multiple passwordless options, and some of them are more suitable than others for certain users. For example, Windows Hello for Business may be a great fit for employees, but not for students or Mac users! One thing is certain – all of the various passwordless options are designed to be more convenient to use and also offer more security than traditional Duo MFA. Oh, and passwordless methods don’t expire!

Some passwordless methods are easy to understand and configure, but slightly more susceptible than others to attacks. While these are still a big step forward over passwords in both security and convenience, other more advanced methods are on the way. Known as Phishing-Resistant MFA, these methods are almost impossible to compromise, but are also more difficult for a typical user to configure. They will be a topic for a future blog post.

A Passwordless Future is on the Horizon

The move to passwordless authentication will help shepherd SMU into a future where logins are easier and more secure and passwords are all but eliminated from most users’ lives. While we don’t have a current delivery date for this functionality, it is being reviewed and planned for in the near future. More details will be shared once a more definitive schedule is available.

Until then, we recommend users enroll in the Password Reset Tool. It will allow you to change or reset your password 24/7—without assistance from the IT Help Desk. To enroll, just go to smu.edu/password.

Published by

Tommy Doan

BF-ITS(Systems)