Passwords are an age-old problem. People forget them, they are exposed in breaches and they can often be cracked by cyber-criminals due to poor password hygiene.
Businesses have so far tried to solve this issue with two-factor authentication (2FA) or multi-factor authentication (MFA) – additional layers of security such as a biometric or physical key to protect systems and data. But a new method of authentication has emerged that doesn’t require a password at all, called passkeys.
Passkeys are being hailed as the answer to robust authentication by big tech firms including Google, Microsoft, Amazon, and Apple. So much so that in October, Google announced passkeys would be the default sign-in credential for personal accounts.
Google is calling passkeys “a major step towards a passwordless future”. They’re easy to use: as Apple points out, they are faster to sign in with and more secure than traditional passwords, and they are resistant to phishing attempts.
This all sounds good, in theory, but as the passkey rollout is accelerated by the big tech firms and used in consumer settings, are businesses ready?
What is a passkey?
Passkeys are built on the Web Authentication (WebAuthn) standard, which uses public key cryptography. When a user registers an account, the operating system creates a unique cryptographic key pair bound to that app or website. The keys are generated on the device, securely and uniquely for every account.
One of the keys is public and stored on the server, while the other is private and required to sign in. “The public key is held by the online service you sign up for, while the private key never leaves the device you’re using to access the site,” says David Emm, principal security researcher at Kaspersky. “Each time you log in, the public key is used to authenticate you. Since your private key is never shared, there’s nothing for the phishers to capture.”
He calls the technology “a secure and simple way of authenticating accounts,” because there is nothing to remember or expose. It is, for all intents and purposes, multi-factor authentication, he says: “Something you have – your device – and something you are, the biometric to unlock your device or something you know if you’re using a PIN or passcode.”
The business benefits of passkeys are numerous, as they remove the need for password resets and prevent employees from reusing the most common passwords, says Andrew Shikiar, executive director at FIDO Alliance, the organization pushing for an end to passwords. For businesses, it means “addressing the major culprit of data breaches,” he says, pointing out that compromised credentials are at the heart of around 80% of attacks per Norton research, “not to mention ransomware and account takeovers”.
Shikiar explains how the big tech firms are working with the FIDO Alliance to make sure passkey implementations are “compatible cross-platform and can work on as many devices as possible”.
Are passkeys available now?
Passkeys are already used across consumer apps and services. Mark Taylor, CTO at Chorus, explains how he is using passkeys on his personal iPhone for big-name brands including Amazon, Google, and PayPal. Taylor thinks the setup and use of passkeys is “a relatively straightforward experience”.
However, he says, much of the business world is not quite ready for passkeys. This is partly because in the corporate space a significant portion of the market uses Microsoft Entra ID as its core identity platform. “Microsoft has been very clear that it will support passkeys – and some Microsoft systems already do. However, the core work identity in Entra ID does not yet support the easy use of passkeys.”
Taylor thinks this will change “fairly soon”, but businesses “need a little longer to figure out the nuances associated with changes of this scale”, he says. “We will always be just behind the pace of the likes of Amazon and Google for individual users.”
Another factor preventing passkeys from becoming more mainstream is that not all browsers and password managers support them, says Emm. The passkeys.directory site lists just over 70 sites that currently support passkeys, he points out.
Implementing passkey-based authentication systems requires changes to the login, MFA, and password recovery process on existing websites, which is “challenging for some service providers to undertake”, explains Darren Guccione, CEO and co-founder of Keeper Security.
Meanwhile, users are accustomed to passwords and might be hesitant to adopt a new authentication method, especially if they are not familiar with the security benefits, Guccione says.
Are businesses ready for passkeys?
Despite the challenges for business adoption, Shikiar says the technology for passkeys is “ready” and “rolling out today across companies”. He points to the FIDO Alliance’s 2023 Workplace Authentication Report with LastPass, which found that 92% believe passkeys will benefit their overall security posture. Meanwhile, nine out of 10 IT leaders expect passwords to represent less than a quarter of their organization’s logins within five years or less.
“We’re already seeing deployments at scale,” says Shikiar – although he concedes “there’s a journey still in refining the user experience”.
Some businesses could face challenges around sync capabilities and cloud access, depending on their own infrastructure or security requirements, says Shikiar. “So, for example, if the iCloud keychain isn’t allowed in a company’s security settings, it would prohibit users from having passkeys readily available across devices or operating systems.”
In that case, he says companies should instead consider device-bound passkeys – also known as security keys – which many firms operating in high-security environments already use.
Indeed, while the goal is that passkeys will offer access to all digital services, they won’t be suitable for all types of business. Some services, especially in heavily regulated verticals such as finance, healthcare, or government, may require a higher level of security, says Pedro Martinez, an identity and access management expert at Thales. “These firms may see more of a potential security issue in passkey synchronization than a user experience benefit.”
Passkeys are certainly here, and most experts think business adoption in the relevant sectors is just a matter of time. Yet for many firms it is sensible to wait a little longer and to try the technology in a personal setup first, to get an idea of how it could fit into a corporate environment.
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.