Many organizations and services have an existing user base that relies on authentication methods built on passwords or other shared secrets, such as TOTP 2FA.
Auth Armor can help you and your existing user base move to passwordless authentication with the migration strategies described here.
To migrate users away from passwords, you first need to enroll the user in a passwordless authentication method. You can choose a few options, such as Magiclink Emails, WebAuthn, or our biometric push-based authenticator.
Before enrolling the user in a passwordless authentication method, you must first authenticate the user using the authentication method you currently use, such as passwords, or passwords + 2FA/MFA.
This should be done using the normal login and authentication flow that you already have in place.
It is very important to educate users about passwordless and the benefits it brings. Communication to users is key, especially for subjects such as account access and passwords. Here are a few things to focus on:
Better Security - Passwordless is much more secure than having passwords. Why? Passwords can be stolen by hackers anywhere in the world, remotely, at any time. Passwords can be cracked by supercomputers. Passwordless technology means there is nothing to forget, nothing to lose, and most importantly, nothing for hackers to steal.
Easier and Faster - Passwordless means you don't need to type in anything. You don't need to remember anything. There is nothing to write down, nothing to lose. Login and authentication are 10x faster without passwords.
After successfully authenticating a user using your existing authentication flow, you can present passwordless information and options to your user. This should include information about why passwordless is a great security option and how it makes authentication easy and secure without having to remember passwords. Your users should understand that going passwordless is easier and more secure.
At this point, you can present the user with the option to set up a passwordless authentication method, or to continue as normal.
There are a few strategies that can be used if the user continues as normal.
You could present a modal popup when the user skips, giving even more reasons why going passwordless is better, faster and more secure.
You could track how many times the user has skipped passwordless setup and require the user to set up passwordless after a certain number of skips.
You could set a deadline date: if the user logs in using legacy methods after this date, the skip option is no longer available. It is best to communicate this deadline to users via email as well, since some users might not log in very often and would otherwise never see the prompt.
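The skip-tracking and deadline strategies above can be combined into a single decision routine. The following is an added example, not Auth Armor's own code; the policy values, dates and field names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class PromptAction(Enum):
    NONE = "none"          # user is already passwordless; nothing to show
    OPTIONAL = "optional"  # offer passwordless setup, skip still allowed
    REQUIRED = "required"  # offer passwordless setup, skip no longer allowed


@dataclass
class MigrationPolicy:
    max_skips: int = 3               # force setup once this many skips are recorded
    deadline: Optional[date] = None  # legacy logins after this date cannot skip


@dataclass
class UserMigrationState:
    legacy_authenticated: bool = False  # set by your existing login flow on success
    passwordless_enrolled: bool = False
    skip_count: int = 0


def decide_prompt(state: UserMigrationState, policy: MigrationPolicy, today: date) -> PromptAction:
    """Decide what to show a user who has just completed the legacy login flow."""
    if not state.legacy_authenticated:
        # Enrollment must never be reachable before the existing authentication succeeds.
        raise PermissionError("authenticate with the existing method before offering passwordless")
    if state.passwordless_enrolled:
        return PromptAction.NONE
    if policy.deadline is not None and today > policy.deadline:
        return PromptAction.REQUIRED
    if state.skip_count >= policy.max_skips:
        return PromptAction.REQUIRED
    return PromptAction.OPTIONAL


def record_skip(state: UserMigrationState, policy: MigrationPolicy, today: date) -> int:
    """Count a skip; refuse it when the policy no longer allows skipping."""
    if decide_prompt(state, policy, today) is not PromptAction.OPTIONAL:
        raise ValueError("skip is not available for this user")
    state.skip_count += 1
    return state.skip_count


def record_enrollment(state: UserMigrationState) -> UserMigrationState:
    """Mark the user as migrated once a passwordless method is registered."""
    state.passwordless_enrolled = True
    state.skip_count = 0
    return state


# Constructed sample values for demonstration; not real deployment data.
SAMPLE_POLICY = MigrationPolicy(max_skips=3, deadline=date(2025, 1, 31))
BEFORE_DEADLINE = SAMPLE_POLICY.deadline - timedelta(days=1)
AFTER_DEADLINE = SAMPLE_POLICY.deadline + timedelta(days=1)
```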
It is important that all communication to users uses official templates or letterhead. To avoid your messages being mistaken for phishing, it is recommended that you do not include special links for switching accounts to passwordless; links like these are often suspected of being phishing by some users. Your communications should only include links to your regular website, service or app, and once the user logs in, you can then start the passwordless migration flow for that user.