Uncovering the power of passkeys and their resilience against phishing

Security. It’s a hard business. I’m not just talking about the endless patching, monitoring, and training. The constant sprint to remediate when a new CVE (Common Vulnerabilities and Exposures) notification drops, or the lingering fear that you’ll be called back to the office on your downtime to deal with a crisis.

No, it’s hard because it’s not a purely technical endeavor. Your success hinges on your ability to advise, communicate, and mentor. From a security perspective, the most effective organizations are those where everyone buys in, and not just those with a bunch of SANS certifications. Your human capital is your business’ first and most important line of defense.

But here’s the thing: Even the most well-intentioned people make mistakes. It just takes one wrong click or reused password to undermine your security measures. Training helps reduce the risk of this happening, but it only goes so far. Security teams have an onus to protect people.

That onus doesn’t fall on security teams alone; the collective responsibility cascades to employees and customers.

From my experience, the most effective security measures are those that protect the organization or the individual but require little effort from the individual to use. Convenience breeds compliance, and thus, safety. And that’s where passkeys come in. 

What are passkeys and why do they matter? 

For over 50 years, we’ve used passwords to secure computer systems and applications from unauthorized use. They served their purpose; but as time drags on, their shortcomings are increasingly apparent. 

Passwords can be stolen, guessed, or leaked. They’re a burden for individual users, with 47% of consumers describing the need to meet password complexity requirements as a source of frustration. The average consumer must manage over 100 passwords for the applications they use, making credential reuse a common issue. If one website leaks your credentials, an attacker can access every website or service you use.

In an ideal world, everyone would practice sound password hygiene, using strong and complex passwords for every service and website where they have an account. But we don’t live in an ideal world. And that’s why we need something better. 

Enter passkeys. These are a way of enabling passwordless authentication in a way that’s inherently phishing-resistant, user-friendly, and efficient. Passkeys replace the traditional password with a cryptographic credential that lives on a person's device. 

They can't be stolen or leaked. Passkeys live on the person’s device or a cloud account under their control, and they’re often tied to another element of the person (like their biometrics, such as a fingerprint or a facial ID scan), or something only they know, like the master PIN code for their phone. 

Passkeys don’t require a person to memorize a lengthy password with the right number of special characters and digits, and because they’re randomly generated cryptographic keys rather than something a person chooses, they can’t be “guessed” either.

But most of all, they're convenient. There’s nothing to remember, sure, but there’s also nothing to learn. If you’ve ever typed a PIN into a smartphone, or signed into a banking app with Face ID, you know how to use a passkey.

Passkeys are discoverable FIDO credentials that can be synced across other devices in a given ecosystem. So, the same passkey used on a smartphone can be used on a tablet or laptop securely and conveniently. Security, in this case, doesn’t require you to be tethered to a single device for every app and service you use.
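To make the phishing-resistance claim above concrete, here is an added illustration (not code from the original post, and not Okta's or the FIDO Alliance's code) of the origin binding that WebAuthn-style passkeys rely on, reduced to the essential checks: the authenticator holds one key pair per relying party ID, the browser records the origin it really loaded, and the relying party rejects any assertion whose origin or challenge is not its own. The names bank.example and bank-login.example and the challenge strings are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator models the user's device: one key pair per relying party (RP) ID.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a credential scoped to rpID; only the public key leaves the device.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return pub
}

// ClientData is a simplified clientDataJSON: the browser, not the web page, records the
// origin it actually loaded, so a lookalike site cannot claim to be the real one.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func digest(cd ClientData) []byte { raw, _ := json.Marshal(cd); h := sha256.Sum256(raw); return h[:] }

// Assert signs the RP's challenge plus the observed origin with the key scoped to rpID.
// A lookalike site has a different RP ID, so there is simply no credential to use for it.
func (a *Authenticator) Assert(rpID, origin, challenge string) (ClientData, []byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return ClientData{}, nil, errors.New("no credential for " + rpID)
	}
	cd := ClientData{Challenge: challenge, Origin: origin}
	return cd, ed25519.Sign(priv, digest(cd)), nil
}

// Verify is the relying party's check: its own freshly issued challenge, its own origin,
// and a signature that verifies under the public key stored at registration.
func Verify(pub ed25519.PublicKey, expectedOrigin, issued string, cd ClientData, sig []byte) bool {
	return cd.Challenge == issued && cd.Origin == expectedOrigin && ed25519.Verify(pub, digest(cd), sig)
}
```

Note what is absent: there is no shared secret to type into a lookalike page, and an assertion captured from one origin is useless at another because the origin and the one-time challenge are inside the signed data.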

Why convenience matters to security professionals (and users) 

Identity is often the root cause of a security breach. In 2022, the number of credential-related phishing attacks spiked by 61%. According to the latest Verizon DBIR (Data Breach Investigations Report) study, stolen credentials were responsible for 50% of all successful attacks. And that’s because passwords simply aren’t well-suited for today’s highly-networked world. 

Passkeys are a secure replacement, certainly. But they’re also really simple to use. And it’s that convenience that makes them such a compelling alternative. Security professionals have long understood that if a policy or procedure is too complex or cumbersome, users will simply look for ways to circumvent them.

This was true in 2008, when an RSA survey found that while most corporate employees understand the reasoning behind their organization’s security policies, many were willing to bend the rules to get stuff done. And it was true in 2022, when the Harvard Business Review found that 67% of employees knowingly break security policy, with 85% citing productivity reasons.

And if people aren’t following security best practices at work, how likely are they to do so in their private lives, where the stakes are (seemingly) lower and there’s nobody to enforce the rules?

That, ultimately, underlines why convenience and ease of use are so important to infosec professionals. If someone's working towards a crushing deadline, violating the organization’s security rules may feel like an acceptable risk. On a psychological level, their immediate needs surpass your need to protect the company.

And, in the case of the consumer-facing apps and services used in our private lives, people might not feel like they’re sufficiently at risk to practice perfect password hygiene. It’s all too easy for someone to lull themselves into the false sense of security that they’re “too small to target,” but as a battle-hardened security veteran, you know the importance of constant vigilance.

It’s not enough to have stringent rules, high-quality and regular training, and a “security culture.” You need to disincentivize people from taking shortcuts that can ultimately harm the organization. 

Obviously, passkeys only address one piece of the puzzle. But identity is a major part of an organization’s tapestry, particularly given the post-pandemic rise of remote and hybrid working, and the growing reliance on digital technologies (and thus, greater attack surface) in both our personal and working lives. And so it makes sense to focus on it. 

Replacing passwords with passkeys for consumers is an easy win. It eliminates the need — and also the possibility — to practice poor password hygiene. Consumers are no longer burdened with the complexity (and cognitive load) of managing credentials for the innumerable apps, websites, and services they use as part of their daily duties. It also removes the potential for human error, which, according to Tessian and Stanford University, accounts for 85% of all security breaches.

I believe that people, rather than being a weak link in the security chain, can be an organization’s strongest line of defense against a dangerous online world. The problem is that, until now, people didn’t have the tools they needed to adequately protect themselves, and thus, the businesses they represent. 

What about passkeys in the enterprise? 

Passkeys present a major leap forward in consumer authentication online, but some CISOs are cautious about their use in the enterprise for employee identity needs. And, it all boils down to policy control.

One of the main benefits of passkeys for consumers is that they can sync across devices in the same ecosystem. While convenient for consumers, it’s a concern for an enterprise whose security and compliance needs require credentials to be tied to a single device. 

Currently, some platforms do not allow businesses to enforce the creation of a device-bound passkey, which limits their use in an enterprise setting. Shared personal devices and synced passkeys could mean corporate credentials being shared with non-employees. Not to mention needing to account for the different security postures of managed, unmanaged, existing, and new devices.

This is an evolving space and it’s still very new. But, there are ways to effectively use passkeys in your organization today, particularly for lower security assurance use cases. I’m confident we as an industry will have more answers on the use of passkeys in a workforce setting in the near future. For now, you should evaluate the use of passkeys based on your organization’s specific security, compliance, and regulatory needs.

I’d be remiss if I didn’t mention Okta FastPass (which I use daily) is an ideal enterprise solution designed to be phishing-resistant, device-bound, convenient, and device context-aware. We’ve gone 100% passwordless here at Okta and are actively sharing our experience to help more organizations eliminate passwords too.

As best practice, enterprises should enhance their access security controls (e.g. legacy 2FA or phishing-resistant MFA) with device assurance checks to achieve their desired outcomes. Okta FastPass also gets them there by combining phishing-resistant authentication with device context.

The road to our passwordless future

I hope that, eventually, passwords will be a distant memory. For a time, they served us well. But as with all obsolete technologies, they will be replaced by something better. And I believe that passkeys are that “something better.” 

However, it’s important to be realistic. The transition to passkeys won’t happen overnight. While it wouldn’t be accurate to describe passkeys as “bleeding edge,” given the rapid rate of industry adoption, they have yet to achieve critical mass.

The adoption of passkeys will be a gradual process that takes place over the coming decade — and perhaps beyond. And yet, for organizations, it’s time to start investigating and adopting passkeys because the foundational work is already done. 

Google, Microsoft, and Apple all support passkeys in their latest desktop and mobile operating systems. A growing number of consumer and business apps have implemented passkey support, including PayPal, eBay, Cloudflare, Dashlane, GoDaddy, and more. Each month brings greater adoption, and thus brings us closer to mainstream acceptance.

Getting started with passkeys

Implementing passkeys in your own apps is also a completely attainable prospect. The Okta Customer Identity Cloud (powered by Auth0) allows you to implement passkeys in a matter of days, and it can happily coexist with other authentication methods while your customers or users make the transition.

Passkeys will ultimately lead to a more secure, more usable digital world. This is an exciting prospect. While the transition will take time, it’s worth remembering that as each app or vendor introduces support for the technology, your organization’s security improves as a result. And you’ve accomplished this in a way that’s easy for your customers and colleagues to embrace. To learn more about passkeys, download our whitepaper.