Passwords have been in use since the dawn of time, or at least it feels that way. They are the most used form of authentication, but let’s face it, nobody likes them.
With the vast number of accounts people have, having a password to access each one is an annoyance at the very least. That’s why people tend to develop bad password habits like creating weak passwords, reusing the same password everywhere, and storing passwords insecurely (how many of you have a sticky note on your monitor with your password?).
This behavior is natural, but it makes the entire password system weak and vulnerable to cyber-attacks. I hate to be the one to tell you this, but you’re the weakest link in the chain. That’s why the vast majority of breaches involve stolen passwords.
We seem to be stuck in this less-than-great system of passwords. Is there a way out?
Yes. It’s called a Passkey.
What is a Passkey?
Simply put, a passkey is a digital credential used for authentication. It differs from other forms of authentication by not requiring a person to input a username and password.
Instead, it authenticates using a combination of personal and device data. Some examples of personal information would be facial recognition or a fingerprint scan. Device data might be your specific device like a phone or a location.
Combining those two sets of data points creates a cryptographic login that is unique to that person, device, and website/application. These credentials do not get stored on a server, never leave the device they were created on, and are useless to someone who has the device but is not its owner.
It is a highly secure system. It’s the “grown-up” solution to the digital world we live in rather than an afterthought slapped on in an attempt to make things secure.
Without geeking out too much, this security is based on FIDO (Fast IDentity Online) web authentication, but passkeys make it more convenient by not restricting the credentials to a specific hardware device. Credentials can be shared with other devices through encrypted syncing. That means you can use your credentials on many devices (without having to prove your identity repeatedly) and use the credential on your mobile device to sign in on any other device, like a PC.
Let’s break that down a bit in comparison to the password system you are already familiar with.
These are the advantages of Passkeys over Passwords.
Passkeys are more secure.
Passkeys are significantly harder to hack. With your key being generated from biometric and device data, it makes it much harder for a hacker to spoof who you are.
Passkeys are more convenient.
You don’t have to remember and keep track of many passwords. You keep track of one code. That’s it. You use that code across all accounts, meaning you won’t ever forget it and have to take the time to reset a password. All of that spells out convenience when accessing all of your accounts.
That encrypted sync I mentioned means you don’t need to enroll every single device like you would with a standard hardware security device, like a Yubikey.
Passkeys are phish-resistant.
I say “resistant” and not “proof” because nothing is ever 100%. However, the comparison is clear. Phishing scams are all over the place because they are an effective way to steal passwords. That doesn’t work with a passkey, though. An attacker would need the device holding the passkey, which stays with its owner, in order to breach the account.
This sounds too good to be true. So it must be, right? Well, sort of…
What are the disadvantages of Passkeys?
Passkeys are not widely adopted (yet).
Passkeys were announced just over a year ago, and all three tech giants (Microsoft, Apple, and Google) are committed to their adoption.
It’s already available from Apple with iOS 16 and macOS 13. Google has rolled it out to devices running Android 9 and higher and some Chrome OS versions. Microsoft plans on having it available for Windows 11 and 10 this year.
Still, adoption into every application and organization isn’t there yet. It will be, but it just isn’t everywhere.
Passkeys need investment.
Passwords are free. When you create an account anywhere you just make one up and you’re done.
Passkeys need more than that to get going. There is hardware or software required to generate and validate your codes. Deploying and managing this infrastructure has a dollar and time investment associated with it, as well as training your employees.
If you’re a business implementing for all of your employees, this can add up quickly. Mind you, that cost might be completely worth it for the added security, but compared to passwords there is a higher price of entry.
Should you switch to Passkeys?
That highly depends on your business, how your team operates, and your threat model. You’re probably looking for a broad yes or no answer though.
For that, I’d say YES you should switch – just not now.
Apple says that passkeys work alongside passwords. Google says that passkeys are stored in the Google Authenticator app. Password managers are adopting passkeys, but they will still be stored in the password manager. If you’re using an authenticator app and/or password manager today, there’s not much difference. At least not yet.
Wait until it develops further and gets adopted and incorporated into more of our day-to-day lives. Let the wrinkles get ironed out. This will make for a smoother implementation when you do switch over.
If you deal with sensitive data or have a very strict threat model, then I’d say adopt a hardware device policy today, so you can transition to passkeys tomorrow if you wish. Technically speaking, hardware devices already incorporate FIDO security; they just lack the convenience of syncing across devices.
If you are going to wait, then you’re still stuck with managing passwords for now. For that, I highly recommend a password manager. They are absolute game changers. If you’re not using one, reach out; we have some resources available to help you decide on the best one for you.