Will Passkeys Finally Allow Us to Eliminate Passwords?

The password has been a linchpin of security for centuries, but it is easily the weakest link in IT security today. As a result, organizations across the globe are stepping up efforts to eliminate passwords once and for all. More than two-thirds of respondents to a Forrester Research survey say they are in the process of adopting passwordless authentication for their employees and partners.

Passkey technology has emerged as the frontrunner for enabling a common passwordless sign-in standard. Passkeys use standard public key cryptography to let users authenticate to web services and applications without typing a password or a separate one-time code: possession of the device and the unlock gesture that releases the key (fingerprint, face or device PIN) together serve as the authentication factors.

What are Passkeys?

Passkeys are built on the FIDO2 and WebAuthn standards developed by the FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium (W3C) to address chronic password weaknesses and the lack of interoperability among strong authentication technologies. Widespread adoption is likely with the recent announcement that Apple, Google and Microsoft are working with the FIDO Alliance and the W3C to ensure passkeys are implemented in ways that work across multiple platforms.

Passkeys essentially turn a user’s smartphone (or laptop) into a security key. During registration with an online service, the user’s device creates a public and private key pair that is bound to that service’s domain. The private key remains on the device while the online service keeps the public key on its server. During login, the service sends a fresh random challenge; the device signs it with the private key once the user has unlocked it, and the server verifies the signature against the stored public key. Because the key pair is tied to the site’s domain and the signature covers both the challenge and the origin the browser was talking to, a captured response cannot be replayed and a look-alike site cannot obtain a signature the real site will accept.

The benefit of this approach is that it removes the burden of authentication from individual users — the device handles the process. Users just sign in through the same action they take multiple times each day to unlock their devices, such as a simple verification using their fingerprint or face or typing in a device PIN. That represents a significant improvement over traditional password-driven authentication methods.

Easier User Experience

For years, users have had to shoulder much of the responsibility for better password hygiene. Best-practice guidelines have largely focused on what users must do to improve security — create stronger passwords, use a unique password for each account, change passwords frequently, and never reuse them, share them or write them down.

However, those recommendations are increasingly unrealistic given the sheer number of passwords required today for a growing array of network and online assets. Business users commonly have 100 or more online accounts requiring passwords. Most reuse passwords across dozens of different accounts to reduce the number they have to remember, which creates additional risk. If an attacker gets credentials for one site or service, they may also be able to use them to access the user’s corporate network, email, banking site or other high-value targets.

More Secure

On the other hand, passkeys remove the most common ways credentials are compromised. Even if hackers breach a site’s passkey server, they’ll only have public keys. Without access to the matching private keys stored on user devices, there’s no way for hackers to authenticate as the account holder, and because each key pair is bound to a specific site, a phishing page cannot trick the device into producing a signature the real site will accept. The security of the account now rests on the device itself, so the PIN or biometric that unlocks it, and the platform account that syncs passkeys between devices, need to be protected accordingly.

Apple, Google and Microsoft are working to make the passkey user experience even easier. Previously, users with devices from different manufacturers had to enroll each device with each site or service to gain passwordless functionality. With the cooperative effort of the three tech giants, passkeys can be synced across a user’s devices and a phone can be used to sign in on a nearby computer, so users will soon be able to authenticate on multiple devices without re-enrolling each one.

Passkeys enable more secure sign-in methods, improve the user experience and eliminate the vulnerabilities of passwords. Contact us to learn more about these solutions and other good password hygiene practices.
