Passwords out, passkeys in: The future of secure authentication

Why passkeys are the future of authentication to officially replace passwords forever.

Jan 15, 2025 - 16:18

Since the inception of the internet, passwords have been the primary authentication factor used to gain access to online accounts. Yubico’s recent Global State of Authentication survey of 20,000 employees found that 58 percent still use a username and password to log in to personal accounts, with 54 percent using this login method to access work accounts.

This is despite the fact that 80 percent of breaches today are a result of stolen login credentials from attacks like phishing. Because of this, passwords are widely understood by security experts as the most insecure authentication method that leaves individuals, organizations and their employees around the world vulnerable to increasingly sophisticated modern cyber attacks like phishing.

In fact, even passwords which are considered ‘strong’ by websites – i.e., they contain more than a dozen characters comprising uppercase and lowercase letters, numbers, and symbols – can still be easily guessed or stolen by bad actors. Once they obtain the password, they can then bypass all legacy multi-factor authentication (MFA) systems and access individuals’ personal details with ease. Combined with the fact that people tend to reuse passwords across multiple accounts – which gives hackers the ability to breach multiple accounts with a single login – it becomes abundantly clear that passwords as an authentication method are flawed and extremely insecure in countless ways.

Surprisingly, there remains a lack of awareness regarding best practices for authentication: according to the same Yubico survey, 39 percent of individuals believe a username and password is the most secure form of authentication, while 37 percent consider mobile SMS one-time passcodes (OTPs) the most secure authentication method. While any form of MFA is superior to relying solely on a password, it’s important to recognize that not all MFA methods offer the same level of security. Traditional MFA techniques, including SMS-based OTPs and mobile authenticator applications, have significant vulnerabilities, with cyber criminals displaying an ability to easily circumvent these through phishing attacks.

As individuals and organizations become increasingly aware of the cyber risks associated with passwords and legacy MFA, enterprises have started to transition away from outdated authentication methods and move towards stronger, more cyber resilient technologies, in the form of phishing-resistant, passwordless solutions like passkeys.

A passwordless future with passkeys

Understanding the risks that passwords bring, organizations and individuals around the world are looking for a solution that provides improved security and a better user experience. Passkeys have taken the world by storm as the de facto authentication solution across apps and websites to replace passwords – helping both individuals and enterprises achieve this easily. Passkeys seamlessly authenticate users by using cryptographic security “keys” stored on their computer or device. They are considered a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters that can be forgotten, stolen or intercepted.

As passwordless-enabled FIDO credentials, passkeys deliver phishing resistance and accelerate a move away from problematic passwords that are easily breached. Passkeys are utilized for logging into applications and services efficiently and safely, thereby improving both productivity and online security. For example, passkeys require verification of possession as well as the user's physical presence during the login process, which effectively safeguards them from interception or theft by remote cyber criminals.

Beyond enhanced security, accessibility is also improved significantly by using a passkey, as highlighted by the two forms a passkey can take: the credential can either be stored in the cloud (synced passkey) or on a device like a hardware security key (device-bound passkey). It is then exchanged effortlessly at login via a swipe, press, tap, or biometric gesture.

From a security perspective, passkey login makes it far more challenging for malicious actors to exploit credentials and gain unauthorized access, since it utilizes public key cryptography based on mathematical principles. Passkeys can also be conveniently and securely stored on hardware security keys, which offers a higher level of security as it prevents the passkey from being copied or shared across the cloud and other devices. However, each passkey option brings different benefits – and it’s important to understand which type is right for your situation and threat model.

The right passkey strategy for you

Firstly, it is important to establish the difference between synced and device-bound passkeys. Synced passkeys are primarily designed for broad consumer use rather than enterprises, and are stored in the cloud. This means the credentials can be copied across all the devices connected to a user’s account. For individuals and families sharing devices and accounts, this can be a big advantage. However, for organizations, this can create some concerning failure points and expose major flaws in key enterprise scenarios such as remote working and supply chain security.

Device-bound passkeys offer greater manageability and control of FIDO credentials than synced passkeys – making them better suited for security-savvy and high-risk individuals, as well as businesses. Device-bound means that authentication must originate from one particular piece of hardware separate from everyday devices, from which the passkey cannot be copied or shared. Despite the lack of flexibility that comes with having to register each device separately, these solutions deliver higher security assurance, as the only way to authenticate is to possess a specific, previously registered device.

However, even within device-bound passkey options there are important differences: some reside in general-purpose everyday devices like smartphones and laptops, while others reside in hardware security keys, which are recognized as offering the highest security assurance. Hardware security keys equip organizations with reliable credential lifecycle management and the necessary proof to validate the security of their credentials, ensuring enterprises can achieve optimal security and remain compliant with the most rigid requirements across different industries.

In cybersecurity, finding a balance between accessibility and security is imperative – and it is no different when considering passkeys. Enterprises should opt for a passkey solution that provides security and convenience in equal measure. The solution ought to enhance the security of online accounts and sensitive data, as well as protect users and the wider organization against phishing and unauthorized access, while at the same time allowing employees to take advantage of a seamless login experience.

As we navigate the ever-evolving cybersecurity landscape, the integration of passwordless authentication, particularly through the widespread implementation of passkeys, will prove to be instrumental in protecting our digital identities and securing the systems and services that are integral to our daily lives.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro