Passkeys: The Future of Authentication
Cybersecurity professionals all agree that when it comes to business IT security, passwords tend to be the weakest link. For one thing, getting employees to follow password hygiene alone is often an uphill struggle. Additionally, sophisticated phishing attempts can trick even the most security-conscious employees to divulge their credentials. That is why as many as 80% of all data breaches now stem from password-related security vulnerabilities.
The vulnerability of passwords is so severe that some of the tech industry’s biggest names—Microsoft, Apple, and Google—have made replacing them a top priority. They have all put their weight behind the cooperative FIDO Alliance. The result was the co-development of passkeys, which are a new authentication technology meant to eliminate passwords once and for all. It is a new approach to authentication that marries hardware-based trust and cryptography to eliminate the vulnerabilities which make conventional passwords so problematic. In this article we do a deep dive into the subject of passkeys, including how businesses can begin implementing them into their technology stack.
The Vulnerabilities of Passwords
Before delving into passkeys and why most experts expect them to be the primary successor to passwords, it is useful to go over the many vulnerabilities inherent in password-based authentication. That will help to illustrate just why the development of passkeys is so significant. The most obvious of these is, of course, the use of weak or easy-to-guess passwords.
As evidence of this, consider that year after year, researchers catalog the most commonly-used passwords, and year after year, the results illustrate why password authentication is so prone to security issues. Users simply cannot break the habit of using almost comically weak passwords.
It seems that no matter how much effort businesses and cybersecurity advocates put into educating end users on the virtues of choosing strong passwords, they continue opting for whatever password they have the easiest time remembering. The trouble is this makes countless password-protected accounts easy-pickings for hackers.
On the other hand, when businesses force users to create unique, complex passwords to improve security, they encounter a new problem—employees that constantly forget, or worse, write down their passwords. This creates an all-new kind of vulnerability, plus the additional work necessary to manage an inevitable uptick in password reset requests.
Finally, even when businesses manage to get employees to choose complex passwords and remember them, hackers engage in shockingly effective phishing campaigns to trick users into divulging them. Last year, around 83% of all companies reported suffering at least one phishing attack in the previous calendar year. These vulnerabilities make passwords a security liability that is embedded in every business’s infrastructure.
What Are Passkeys?
A passkey is a new type of authentication measure that relies on a combination of physical devices like smartphones or PCs and public-key cryptography. The way they work is simple enough to understand. First, a user must set up a public/private encryption key pair. This enables anyone with access to the public key to encrypt messages that only the holder of the private key can decrypt.
Passkeys use the public/private key pair to establish a trust relationship between the device housing the private key and sites or platforms with the public key. Then, the user can authenticate using a PIN, biometric data, or other method right on their device. This is an arrangement with a variety of security benefits.
The first benefit is that there is nothing—except a short PIN, in some cases—for a user to remember. All they need is access to the device that stores the private key. As a result, passkeys defeat phishing attempts because there is nothing for the user to divulge. An attacker would need to physically steal the user’s device and get past their secondary authentication step to compromise a passkey-protected account.
Another benefit of passkeys is that they are cloud-enabled. This means users can access their passkeys from more than a single device. That way, they do not lose access to accounts if they lose their smartphone, for example. Since passkeys automatically sync between user devices, there is always a backup available for use if necessary.
Best of all, passkeys eliminate the threat of a data breach of a single platform or site compromising the security of a business’s whole infrastructure. Since sites and platforms only store public keys, an attacker could not use a single breach as a pathway toward a wider network attack.
How Well Do Passkeys Perform in the Real World?
Although passkeys are still new, there is already voluminous data to prove that they will offer major benefits to businesses which use them. For example, PNC Bank recently adopted passwordless authentication based on FIDO Alliance standards. So far, they have reported positive results with zero reported security incidents and high customer satisfaction since the change.
So too has the financial software firm Intuit, which began moving to FIDO standard passwordless authentication back in 2018. Since then, they report having over 77 million users registered to use their sites and services with a passkey. Critically, they have also seen a spike in successful authentications and no major associated security incidents over the same period.
How Can Businesses Adopt Passkeys?
The developers of the passkey technology made every effort to ensure they are easy for businesses and other organizations to adopt. For starters, the key backers of the technology, Microsoft, Apple, and Google, all added passkey support to their various apps and platforms. This means a variety of platforms and software businesses already in use now have passkey support right out of the box. Additionally, Amazon’s AWS and most other large cloud services offer simple means of integrating passkey support into sites and services running on their platforms.
Major business password management service providers like 1Password and Dashlane already support passkeys. So do a variety of single sign-on (SSO) platforms, with more offering support every day. This means most businesses can already start migrating their legacy password-based authentication over to passkeys right now. Also, it is possible to deploy passkeys using hardware security keys within organizations that do not want to depend on employee-owned smartphones and the like for their authentication needs.
Every business is likely to encounter passkeys soon as more major service providers add them to their platforms. Considering the inherent security benefits provided by passkeys, businesses should begin making plans to upgrade their own authentication services to use passkeys as soon as possible. Getting ahead of the technology curve will position them well to reap the security benefits early while other firms continue to serve as easy targets for would-be hackers.
Outsource IT can help businesses interested in implementing passkeys. Our cybersecurity experts have years of experience in implementing the most secure authentication protocols for business organizations regardless of the size. To learn more, contact one of our knowledgeable account managers and ask about our business IT security offering today.