
Passkeys Can Make Passwords a Thing of the Past – Source: securityboulevard.com


Source: securityboulevard.com – Author: Phil Dunkleberger

We all seem to have a love/hate relationship with passwords. Over time, we have learned to live with them, even though, time and again, they prove how bad they are at securing our most sensitive data. The number of data breaches grows almost daily, and in recent weeks a leading password manager vendor, an internet hosting provider and a cell phone provider suffered targeted phishing attacks that involved the misuse of user credentials.

Verizon’s latest Data Breach Investigations Report states that 80% of successful account takeovers and breaches begin with a phished account: account credentials, including passwords, are stolen and used to get inside the enterprise. User credentials are the keys to the kingdom. Once an attacker obtains someone’s credentials, they are inside the company’s network and free to find other weaknesses to exploit.


Attackers are becoming savvier at finding ways to gain access to someone’s credentials and exploit environments where a company’s most sensitive data lives. While the industry has been hard at work trying to combat cybercrime for decades, it’s only getting worse and more complex.

What continues to be at the root of this problem? Passwords, and our continued reliance on them. That is why other technologies aimed at replacing passwords have gained traction, such as passkeys, biometrics and two-factor authentication, to name a few.

Passkeys are a recent development backed by major industry participants. Given all the recent hype about passkeys, let’s dig into what they are (and what they are not).

Passkeys: Interoperability Trade-Offs

First, sharing passkeys in a multi-vendor world isn’t easy, and it means accepting some security and usability trade-offs. Part of the utility of passkeys is that these credentials can interoperate across multiple devices. It is common today to use an Apple iPhone and a Google Chrome browser on a Windows laptop to connect to a Microsoft 365 cloud account, i.e., one user relying on Apple, Google and Microsoft devices and/or software at the same time. Google has been able to enable passkeys across its ecosystem because it owns all the required elements (browser, cloud-based accounts and hardware).

But the real world requires users to work with multiple vendors and still get interoperable security. Today, achieving passkey interoperability across all of these software, service and hardware elements and the connections between them requires a robust authentication solution that removes this complexity and makes deployment simple.

Enterprise Drawbacks

Second, passkey technology is not yet as readily available, or as secure, as the security keys given to employees so that organizations can “attest” that a user is who they say they are and meet security compliance and regulatory requirements. Currently, “there is no mechanism for an enterprise to say, ‘Hey, I want to protect my organization’s private keys with an encryption mechanism I control,’” said Winsmarts’ Sahil Malik.

Finally, ensuring that passkeys can be backed up and restored securely and with minimal user friction also depends on how security keys are stored and handled. We realize that this granularity is significant and could be a challenge for enterprise passkey adoption.

Cross-Device Fragmentation

The challenge is that today’s environment of laptops, desktops and mobile devices, coupled with both web and distinct applications, is a complex one that passkeys do not yet fully address for most of our situations.

Passkeys are an important step toward the total elimination of passwords. That said, as an industry, we still have our work cut out for us. Making passkeys ubiquitous, regardless of platform or device, is not going to happen overnight.

The Future of Passkeys

So what should enterprise security managers do today?

For now, a good place to start with passkey implementation is with your mobile-first end users. The work done by Apple and Google has focused on smartphone support for passkeys, leveraging touch and facial recognition sensors in their phones.

FIDO-ready hardware keys are a good option for your most sensitive personnel. The New York Times Wirecutter recommends Yubico keys, for example.

Finally, investigate the various third-party authentication solutions that can simplify deployment complexity among the different platform providers and can support a wide range of applications and authenticators.

Passkeys by themselves are not a one-size-fits-all solution. They have a lot to offer across industries, particularly for individual end users, but they have a long way to go, as each industry has its own requirements to satisfy and challenges to overcome. But, believe me, we are almost there!

Original Post URL: https://securityboulevard.com/2023/06/passkeys-can-make-passwords-a-thing-of-the-past/

Category & Tags: Cloud Security, Cybersecurity, Data Security, Governance, Risk & Compliance, Identity & Access, Security Boulevard (Original), Breach, credentials, data, FIDO, Passkeys, passwordless, passwords
