Passwords are a problem: why device-bound passkeys can be the future of secure authentication
AI-driven cyberthreats demand a passwordless future…


Since long before the invention of the internet, passwords have been the primary means by which users verify their identity and gain access to digital services. As archaic as they are, this remains the case today. Indeed, according to Yubico’s Global State of Authentication survey of 20,000 employees, more than half use a username and password to log in to both their personal and work accounts.
However, passwords are far from a secure authentication method. The majority (81%) of hacking-related breaches stem from weak or reused passwords from cyberattacks like phishing. Once they have access to passwords, cybercriminals can easily circumvent outdated multi-factor authentication (MFA) systems, such as SMS-based verification, and gain entry to sensitive information. This highlights the growing consensus among security experts: passwords are an inherently flawed means of authentication and need to be left in the past once and for all. But what realistic solutions are there to replace passwords in the future?
The importance of secure authentication in the channel
Implementing secure authentication methods is vital for organizations across all industries, particularly those handling highly sensitive data, managing critical infrastructure, and subject to rigorous regulatory compliance, such as healthcare and financial services.
Channel partners working with organizations in these industries are no exception here, given the vast amount of customer data they handle, along with their access to vendor systems. Inadequate authentication tools, which are highly susceptible to cyberattacks like phishing, expose both data and systems to cybercriminals, leading to repercussions, such as data breaches, financial losses, and reputational damage.
Advanced phishing and sophisticated attack techniques are on the rise, which, coupled with the threat of AI-driven cyberattacks, exacerbates concerns for channel partners. Threat actors are taking advantage of AI tools to launch more attacks and improve the chances of success and impact of their efforts.
For example, bad actors are exploiting AI's ability to clone voices and likenesses from audio and video clips or images found online, and using the clones in voice-phishing calls, known as vishing. Combined with tools that mimic caller ID, cybercriminals can fool targets by calling them and impersonating a family member, friend, or loved one seeking urgent assistance. With this technology making life easier for attackers, threat actors require less skill to carry out successful attacks against channel partners.
Moving on from passwords for good
Given the recent rise of sophisticated, modern AI-driven cyber threats, there has been a clear shift in how organizations view authentication and security. To protect both themselves and their employees from cyber threats, a global transition away from passwords and other outdated and insecure authentication methods, such as legacy forms of MFA, has taken place. As an alternative, enterprises across all sectors are moving towards stronger, more cyber-resilient technologies, in the form of phishing-resistant, passwordless solutions like passkeys.
For instance, last month, the UK government announced plans to roll out passkey technology for its digital services later this year, transitioning away from current SMS-based verification systems. The move is set to offer users a more secure authentication option, while also providing the government with a cost-effective solution that could save it several million pounds annually, as well as being key in transforming cyber resilience on a national scale.
Now, it is the turn of channel partners and managers to do their utmost to protect their organizations, vendor partners, and customers to the best of their ability.
The future of secure, phishing-resistant authentication: device-bound passkeys
Given the threat landscape, channel partners must step up their digital security, using more reliable, phishing-resistant MFA methods. This is where passkeys, such as device-bound passkeys, come in – quickly emerging as the de facto authentication solution to replace passwords and legacy MFA. These solutions operate by using something you know (a PIN) alongside something you have (a hardware security key), which is inserted into a device and physically touched, enabling users to access their accounts.
When compared to authentication offerings like passwords and even two-step authentication, hardware security keys are viewed as a far superior alternative, since they eradicate the need for users to recall or manually enter long character sequences that are difficult to remember. Instead, they seamlessly authenticate users via cryptographic security keys stored directly on a device, like a physical security key.
Passkeys stored on physical devices like security keys provide a superior level of security for channel managers since they require users to prove not only possession but also their presence to log in. This prevents passkeys from being shared or copied across the cloud, while remote attackers are unable to intercept or steal them, meaning only the key holder can gain access to their accounts. For instance, even if a user’s credentials are compromised, phishing-resistant device-bound passkeys prevent hackers from accessing information without having possession of the physical security key.
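How a login server can enforce the possession, presence and PIN properties described above, as an added example that is not from the article or from Yubico. It assumes the WebAuthn/FIDO2 standard that passkeys are built on (the article does not name it); the relying-party ID, origins and sample payloads are constructed, and the signature check over the authenticator data is left out because Python's standard library has no ECDSA verifier.

```python
import base64
import hashlib
import json

RP_ID = "portal.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://portal.example"  # assumed login origin
FLAG_UP, FLAG_UV = 0x01, 0x04               # WebAuthn flag bits: touch, PIN/biometric

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return policy failures for one login assertion (empty list = none found)."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if client.get("challenge") != b64url(challenge):
        problems.append("challenge mismatch (replay?)")
    # The browser, not the user, reports the origin, so a look-alike site fails here.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch (phishing page?)")
    # Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
    if len(auth_data) < 37:
        return problems + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    flags = auth_data[32]
    if not flags & FLAG_UP:
        problems.append("no user presence (touch)")
    if not flags & FLAG_UV:
        problems.append("no user verification (PIN)")
    return problems

def sample(origin: str, rp_id: str, flags: int, challenge: bytes):
    """Build a constructed (clientDataJSON, authenticatorData) pair for the demo."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    ch = b"\x01" * 32  # constructed challenge; a real server uses fresh random bytes
    print(check_assertion(*sample(EXPECTED_ORIGIN, RP_ID, 0x05, ch), ch))
    print(check_assertion(*sample("https://login.lookalike.test", "login.lookalike.test", 0x05, ch), ch))
    print(check_assertion(*sample(EXPECTED_ORIGIN, RP_ID, 0x01, ch), ch))
```
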
Utilizing high-level security like this does not just help channel partners maintain robust cybersecurity practices and enhance their cyber resilience. It also ensures compliance with regulations such as PCI DSS 4.0 and NIS2 – a vital consideration for channel partners in an ever-evolving regulatory landscape.
By implementing phishing-resistant MFA, like device-bound passkeys, for all employees, channel managers can begin developing phishing-resistant users, enabling passkeys to fulfill their potential. Establishing such users is a proactive strategy channel partners can take to eradicate phishing threats by removing all phishable events from the user lifecycle.
To successfully achieve this, enterprises must implement phishing-resistant MFA for employees and establish secure, phishing-resistant processes for account registration and user recovery across the board. Purpose-built, device-bound passkeys provide the foundation for this high level of security.

Niall has dedicated more than a decade to working within the cybersecurity and software space. He currently works as the regional director for the UK & Ireland at Yubico, where he advocates for better authentication technology initiatives throughout the region.