How many of us have forgotten an account’s password? Probably all of us, right? That is one of the problems with the old-fashioned passwords we all use – in order to be safe, they need to be extremely complex these days, so they require an extraordinary memory muscle or, alternatively, the help of somewhat unsafe password manager apps.
But what if there was an even more secure way to access our accounts without having to remember passwords? Google believes passkeys are the answer.
A passkey is a digital credential that allows users to authenticate themselves and sign in to apps and websites without having to memorise a username and password, requiring only a biometric sensor (fingerprint or facial recognition), PIN or pattern.
Unlike passwords, this sign-in method does not require an additional authentication factor (like OTPs - One-Time Passwords). According to Google, this makes passkeys more user-friendly and 40% faster to use than passwords. Google also argues that passkeys are more secure, because of the type of cryptography they rely on.
This is why Google is officially making passkeys the default sign-in option for all users. So, what better timing than this for us to discover more about the advantages, risks, and challenges of passkeys?
First of all, why are passwords slowly dying?
When passwords were first invented – in the 1960s, by an MIT professor –, simple and memorable words were enough to prevent unauthorised access. Today, however, hackers are extremely quick to unveil complex combinations of characters, which makes passwords an unsafe and fragile sign-in method.
What happens is: most people either write down their passwords on a – physical or digital – sticky note (not the safest of options), or they use password manager apps, which are also easily corruptible. Proof of that is what happened to Last Pass, which was the target of a worrying cyberattack back in August 2022, and more recently to Okta, whose users’ data was compromised in October 2023.
It’s true that, recently, Multi-Factor Authentication (MFA) has greatly increased the level of security of this login method, but the fact is that you still need to remember the main password in order to move forward.
So, basically, passwords are no longer perceived as user-friendly or secure, which is leading to their decline.
The birth of passkeys
In 2012, the FIDO Alliance (Fast Identity Online) was founded by several leaders of companies in different sectors to work jointly on a passwordless authentication protocol.
The first version of the so-called FIDO authentication was completed and released in 2014, while FIDO2 saw the light of day in 2018, standardising FIDO strong authentication across all web browsers and related web platform infrastructure.
Generally speaking, the FIDO authentication relies on public key cryptography – the very foundation of passkeys. André Cortez, Alter Solutions’ Systems and Infrastructure Administrator, explains how it works: “Passkeys use encryption consisting of two keys: a public one that is stored on the service host; and a private one that is on the user’s device. After biometric approval, a public key is sent to pair with the service’s key and authentication is carried out. The private key is never sent.”
Are passkeys really more secure than passwords?
The answer seems to be yes. According to André Cortez, because of how passkeys’ encryption works, “there is no longer any risk of passwords being stolen or an identity being compromised even if the devices themselves are lost or stolen”, he ensures.
Elyes Chemengui, Alter Solutions’ cybersecurity expert, agrees with André, highlighting the fact that passkeys require physical device proximity. “Passkeys help mitigate credentials theft by using physical authentication. They are not susceptible to phishing or password breaches. It means that if someone obtains your username and password, they would still need the physical passkey to gain access to your account, significantly reducing the risk of unauthorised access and enhancing the overall security”, Elyes clarifies.
In short, our cybersecurity expert believes “passkeys can effectively mitigate various cyber threats”, namely:
- Credential breaches
“As passkeys don’t rely on passwords, they prevent the use of stolen login information in automated login attempts across different platforms.”
- Account takeovers
“Since passkeys provide an additional layer of security, they make it significantly harder for attackers to take control of accounts, even if they manage to obtain some login information.”
- Brute force attacks
“Passkeys aren’t susceptible to brute force attacks, where attackers attempt to guess passwords through automated methods, as they operate outside the password-based authentication system.”
Challenges of passkeys implementation
For companies specifically, when it comes to integrating passkeys with already existing IT infrastructure, our Systems and Infrastructure Administrator believes it shouldn’t be a concern nowadays. “Practically all mobile phones, tablets and laptops have biometric sensors, so it seems to me that these new methods can easily be adopted. On the user side, the infrastructure is guaranteed, with devices and systems capable of managing and recognising biometric records. It’s really up to companies to adapt their current infrastructures to accept passkeys.”
Elyes Chemengui, on the other hand, believes that process of “ensuring compatibility and smooth integration of passkeys with existing systems and software could pose challenges during the adoption process, potentially causing disruptions in workflows”. “It might require adjustments or updates to the current setup. A rollout plan can minimise disruptions”, he explains.
When it comes privacy and control policies, both Alter Solutions’ experts express some concern. “One of the benefits of passkeys is synchronisation between devices within the same ecosystem. While this is convenient for users, it’s a problem in terms of control, security and compliance. Personal devices and passkeys that synchronise with each other can lead to corporate credentials and data being shared with people outside the organisation”, André Cortez warns. And Elyes adds: “Biometrics and other advanced authentication methods involve collecting and storing sensitive user data. Ensuring the privacy and secure handling of this data is crucial.”
Apart from these challenges, our cybersecurity expert identifies a few more potential issues that companies should bear in mind:
- Dependency on physical devices
“Companies that use passkeys might face issues if employees forget, lose, or damage their keys. This dependency on a physical device could lead to access issues and potential downtime if replacements aren’t already available.”
- Cost and logistics
“Implementing passkeys across an organisation involves costs for purchasing and distributing these physical devices. Managing and replacing lost or damaged keys can also add logistical expenses.”
- Single point of failure
“While passkeys add security, if an attacker gains physical access to an employee’s passkey, they might bypass other security measures, posing a risk if not adequately mitigated.”
Passkeys best practices
According to our experts, when transitioning to a passkey authentication method, companies and their employees should keep in mind the following security measures:
- Secure storage
Safeguard the passkey as you would any valuable item. Store it in a secure place and avoid leaving it unattended or easily accessible to others.
- Reporting lost or stolen passkeys
Immediately report lost or stolen passkeys to IT or security personnel. This ensures swift action, such as deactivating the key to prevent unauthorised access.
- Regular software updates
Keep the passkey firmware and associated software up to date to benefit from security patches and improvements.
- Avoid sharing or lending passkeys
Encourage employees not to share their passkeys or lend them to others, as this compromises security. Make sure to provide comprehensive training on how to use passkeys, including best practices and what to do in case of loss or theft.
- Regulatory compliance
Ensuring that passkey systems comply with industry standards and regulations is necessary to avoid legal and compliance issues.
Implementing a robust system to monitor, manage, and replace passkeys, as well as ensuring timely updates and patches, is critical for ongoing security.
Who is using passkeys?
Besides Google, the following companies already support the use of passkeys as password alternatives:
- And others…
In the near future…
Despite having passkeys as the default sign-in method for all users, Google will continue to support the traditional passwords. This means users can continue to use them, if they prefer to, by simply disabling the option “Skip password when possible”.
However, industry experts in general agree that passkeys seem to be the future, not only because they are more secure, but also because they’re more user-friendly.
Despite the potential risks and challenges previously mentioned, our cybersecurity expert is clear to say: “Yes, I believe we will see a future without passwords.”