Unlocking Identity: Implementing Passwordless Authentication at Harvard
Passwords have long been a weak point, and MFA is proving to be a patch that can no longer hold the line. Techniques like prompt bombing, SIM swapping, and attacker-in-the-middle phishing kits are driving account compromise, increasing institutional risk, and forcing security leaders to rethink authentication practices. Phishing-resistant passwordless authentication eliminates passwords and the attacks that target them. But are our users and organizations ready to go passwordless? Recognizing this challenge, Harvard University undertook a multiyear effort to modernize authentication and enable passwordless. Today, passwordless is available to the entire community, adopted by 60% of active users—nearly 50,000 people monthly—and required for high-risk populations. We will examine why traditional MFA fails against modern attacks, common friction points, and how design and deployment decisions shape long-term success. Topics include pushback related to privacy, accessibility, shared and unsupported devices, user change capacity, and how those concerns were addressed through flexibility, user-centered technical design, phased deployment, and deliberate change management. Attendees will leave with a clear understanding of why we must move beyond passwords, along with practical guidance to assess readiness, anticipate friction, and design rollout and enforcement strategies that reduce risk without eroding trust across campus communities.
Presenters
- Erin Courville, Sr. Specialist - PrivSec Education and Awareness, Harvard University
- Nathan Hall, Deputy Chief Information Security and Data Privacy Officer, Harvard University
Resources & Downloads
- Unlocking Identity: Implementing Passwordless Authentication at Harvard (Presentation Slides)
Updated on 6/11/2026