Uncovering the power of passkeys and their resilience against phishing
Security. It’s a hard business. I’m not just talking about the endless patching, monitoring, and training. The constant sprint to remediate when a new CVE (Common Vulnerability and Exposures) notification drops, or the lingering fears that you’ll be called back to the office on your downtime to deal with a crisis.
No, it’s hard because it’s not a purely technical endeavour. Your success hinges on your ability to advise, communicate, and mentor. From a security perspective, the most effective organisations are those where everyone buys in, and not just those with a bunch of SANS certifications. Your human capital is your business’ first and most important line of defense.
But here’s the thing: Even the most well-intentioned people make mistakes. It just takes one wrong click or reused password to undermine your security measures. Training helps reduce the risk of this happening, but it only goes so far. Security teams have an onus to protect people.
That onus not only falls on security teams, the collective responsibility cascades to employees and customers.
From my experience, the most effective security measures are those that protect the organisation or the individual but require little effort from the individual to use. Convenience breeds compliance, and thus, safety. And that’s where passkeys come in.
What are passkeys and why do they matter?
For over 50 years, we’ve used passwords to secure computer systems and applications from unauthorised use. They served their purpose; but as time drags on, their shortcomings are increasingly apparent.
Passwords can be stolen, guessed, or leaked. They’re a burden for individual users, with 47% of consumers describing the need to meet password complexity requirements as a source of frustration. The average consumer must manage over 100 passwords for the applications they use, making credential reuse a common issue. If one website leaks your credentials, an attacker can access every website or service you use.
In an ideal world, everyone would practice sound password hygiene, using strong and complex passwords for every service and website where they have an account. But we don’t live in an ideal world. And that’s why we need something better.
Enter passkeys. These are a way of enabling passwordless authentication in a way that’s inherently phishing-resistant, user-friendly, and efficient. Passkeys replace the traditional password with a cryptographic credential that lives on a person's device.
They can't be stolen or leaked. Passkeys live on the person’s device or a cloud account under their control, and they’re often tied to another element of the person (like their biometrics, such as a fingerprint or a facial ID scan), or something only they know, like the master PIN code for their phone.
Passkeys don't require a person to memorise a lengthy password, with the right amount of special characters and numbers, and because they’re mathematically generated—they can’t be “guessed” either.
But most of all, they're convenient. There’s nothing to remember, sure, but there’s also nothing to learn. If you’ve ever typed a PIN number into a smartphone, or signed into a banking app with FaceID, you know how to use a passkey.
Passkeys are discoverable FIDO credentials that can be synced across other devices in a given ecosystem. So, the same passkey used on a smartphone can be used on a tablet or laptop securely and conveniently. Security, in this case, doesn’t require you to be tethered to a single device for every app and service you use.
Why convenience matters to security professionals (and users)
Identity is often the root cause of a security breach. In 2022, the number of credential-related phishing attacks spiked by 61%. According to the latest Verizon DBIR (Data Breach Investigations Report) study, stolen credentials were responsible for 50% of all successful attacks. And that’s because passwords simply aren’t well-suited for today’s highly-networked world.
Passkeys are a secure replacement, certainly. But they’re also really simple to use. And it’s that convenience that makes them such a compelling alternative. Security professionals have long understood that if a policy or procedure is too complex or cumbersome, users will simply look for ways to circumvent them.
This was true in 2008, when an RSA survey found that while most corporate employees understand the reasoning behind their organisation’s security policies, many were willing to bend the rules to get stuff done. And it was true in 2022, when the Harvard Business Review found that 67% of employees knowingly break security policy, with 85% citing productivity reasons.
And if people aren’t following security best practices at work, how likely are they to do so in their private lives, where the stakes are (seemingly) lower and there’s nobody to enforce the rules?
That, ultimately, underlines why convenience and ease of use are so important to infosec professionals. If someone's working towards a crushing deadline, violating the organisation’s security rules may feel like an acceptable risk. On a psychological level, their immediate needs surpass your need to protect the company.
And, in the case of the consumer-facing apps and services used in our private lives, people might not feel like they’re sufficiently at risk to practice perfect password hygiene. It’s all too easy for someone to lull themselves into the false sense of security that they’re “too small to target,” but as a battle-hardened security veteran, you know the importance of constant vigilance.
It’s not enough to have stringent rules, high-quality and regular training, and a “security culture.” You need to disincentivise people from taking shortcuts that can ultimately harm the organisation.
Obviously, passkeys only address one piece of the puzzle. But identity is a major part of an organisation’s tapestry, particularly given the post-pandemic rise of remote and hybrid working, and the growing reliance on digital technologies (and thus, greater attack surface) in both our personal and working lives. And so it makes sense to focus on it.
Replacing passwords with passkeys for consumers is an easy win. It eliminates the need — and also the possibility — to practice poor password hygiene. Consumers are no longer burdened with the complexity (and cognitive load) of managing credentials for the innumerable apps, websites, and services they use as part of their daily duties. It also removes the potential for human error, which, according to Tessian and Stanford University, accounts for 85% of all security breaches.
I believe that people, rather than being a weak link in the security chain, can be an organisation’s strongest line of defense against a dangerous online world. The problem is that, until now, people didn’t have the tools they needed to adequately protect themselves, and thus, the businesses they represent.
The road to our passwordless future
I hope that, eventually, passwords will be a distant memory. For a time, they served us well. But as with all obsolete technologies, they will be replaced by something better. And I believe that passkeys are that “something better.”
However, it’s important to be realistic. The transition to passkeys won’t happen overnight. While it wouldn’t be accurate to describe this technology as “bleeding edge,” given the rapid rate of industry adoption, they’re yet to achieve a critical mass.
The adoption of passkeys will be a gradual process that takes place over the coming decade — and perhaps beyond. And yet, for organisations, it’s time to start investigating and adopting passkeys because the foundational work is already done.
Google, Microsoft, and Apple all support passkeys in their latest desktop and mobile operating systems. A growing number of consumer and business apps have implemented passkeys support, including PayPal, eBay, CloudFlare, Dashlane, GoDaddy, and more. Each month brings greater adoption, and thus, brings us closer to mainstream acceptance.
Getting started with passkeys
Implementing passkeys in your own apps is also a completely attainable prospect. The Okta Customer Identity Cloud (powered by Auth0) allows you to implement passkeys in a matter of days, and it can happily coexist with other authentication methods while your customers or users make the transition.
Passkeys will ultimately lead to a more secure, more usable digital world. This is an exciting prospect. While the transition will take time, it’s worth remembering that as each app or vendor introduces support for the technology, your organisation’s security improves as a result. And you’ve accomplished this in a way that’s easy for your customers and colleagues to embrace. To learn more about passkeys, download our whitepaper.