Transition to passwordless technologies, A Comprehensive Analysis and Real-World Implementation

This thesis explores the transition to passwordless technologies, a critical subject I developed during my master's studies and further refined during an internship at Microsoft. While passwordless authentication is a growing area of interest, most studies focus on the individual technologies behind it, such as security keys, biometrics, and magic links. However, little attention has been paid to the integration of these technologies within existing architectures, which is essential for a successful transition from traditional password-based systems. To bridge this gap, the thesis presents a framework for effectively planning and executing a shift to passwordless authentication. It begins by defining the core services required to integrate various passwordless methods, followed by an approach to assess and design target architectures. The work then outlines a strategic plan that organizations can follow to facilitate this transition while understanding the increase in the security posture. Additionally, costs and risks associated with the shift in the authentication paradigm are described. A case study involving a large enterprise that, for privacy reasons, will be referred to as “GripGotham”, illustrates the application of this framework in a real-world setting. The study demonstrates the practical complexities of implementing passwordless technologies at scale and highlights the security improvements achieved through a methodical, well-planned adoption. The insights gained from this case provide valuable guidance for professionals and organizations navigating their own transition to more secure and user-friendly authentication practices.