Should we not be commemorating a World Passwordless Day, or, better still, have no need for such an event at all?
In the sixty years since the password became the guardian of our security, the world has changed significantly. Technology has advanced exponentially, and the number of services and accounts to which users across the globe are required to log into has boomed.
Once the standard for secure authentication, passwords have become an easy target for phishing attacks.
That is why, with support from big tech and businesses around the world, passkeys are on track to replace passwords altogether. Passkeys have been available for some time, and their ability to transform how users protect themselves online is now driving rapid adoption.
Imminent end of the password era?
What makes the persistence of passwords as the world’s leading method of digital authentication remarkable is that they are broadly despised, by both users and cybersecurity professionals, for reasons ranging from poor user experience to weak security.
Security policies requiring passwords to be increasingly complex and more frequently changed have placed impossible demands on users’ memories. Users may also be tempted to write passwords down or reuse the same password across multiple accounts — but just one stolen password can threaten the entire online life of a user and their organization. Gartner estimates that 40% of all helpdesk calls are related to passwords, such as resetting employees’ forgotten passwords.
Once a password is stolen, cybercriminals can successfully bypass many legacy forms of multi-factor authentication, so reliable protection requires modern, phishing-resistant tools like passkeys.
Other surveys have suggested that the way enterprise authentication is managed has not changed fast enough. Unfortunately, the use of a username and password (single-factor authentication) is still the most common form of authentication, which is also the least secure form of authentication.
It is clear that major changes need to happen globally in order to adapt to the increasingly digital age we live in, and ensure all online users are secure from sophisticated cyber threats.
The rise of passkeys
The Fast Identity Online Alliance (FIDO) — a broad collaboration of technology leaders seeking to reduce the world’s reliance on passwords — had earlier created its Universal 2nd Factor (U2F) authentication, a system that could co-exist with passwords.
Since the group’s ambition was to create open, interoperable global protocols that could entirely replace passwords, they subsequently rolled out FIDO2/WebAuthn, which became an official web standard in 2019. The most prominent form of FIDO2/WebAuthn credentials is passkeys.
In 2020, Apple, Google and Microsoft announced they would work to support passkeys on their platforms. Today, passkeys are available as an authentication method for a growing number of popular online services.
Unlike passwords, which rely on shared secrets intended to be remembered, passkeys are either stored in the cloud by a platform provider (syncable passkeys) or stored on users’ devices (device-bound passkeys) – including phones, computers or hardware security keys. Also:
- Each passkey is a key pair: a public key and a private key, two very large numbers linked mathematically so that a signature produced with the private key can be checked with the public key, while the private key cannot be derived from the public one.
- The public key is stored by the site or application, while the private key is stored on the user’s device.
- When logging in, the site sends a fresh challenge and the device answers by signing it with the private key; the site then checks the signature with the stored public key. This challenge-response “handshake” means no reusable secret is ever transmitted or held by the site, which solves many of the problems inherent in passwords.
- Passkeys are phishing-resistant and cannot be intercepted or stolen by remote attackers. Each passkey is linked to a specific website or app, so user credentials will not be sent to imposter phishing sites, even if a user is fooled.
Adopting passwordless authentication
The best practice for an app or service that needs to incorporate passkey support is to allow users the option of both synced and device-bound passkeys.
The passkeys currently offered by platform providers like Apple, Google and Microsoft can be synchronized between devices and, in some cases, shared. This adds convenience for consumers but, while still much safer than passwords, may offer opportunities for cybercriminals if devices are stolen or synced too freely.
Using device-bound passkeys stored on security keys offers a higher-assurance solution for consumers and businesses focused on security or bound by strict compliance regulations. Hardware security keys are the most secure form of device-bound passkey because they are separate from users’ everyday devices and require the user to insert or tap the key against the device and then touch it with a finger.
In summary, passkeys are well placed to transform how the world authenticates securely. The age of passwords has lasted long enough and it is a matter of urgency for more platforms and services to enable support for this technology and create a more secure internet for everyone.