According to Reader’s Digest, 123456 is the most common password in use today, ahead of 123456789 and 1234567890.
It is no wonder that 80% of breaches on the web today are a result of stolen credentials. We make it so easy. Unfortunately, human nature suggests this habit is not going to go away.
Andrew Shikiar, executive director of the FIDO Alliance, says passwords pose a significant risk to businesses and consumers.
The basis of his argument is that most data breaches and credential attacks stem from passwords, which are simply too easy for attackers to compromise.
“Simply put, passwords just aren't suitable for today's connected society,” he concluded.
Acknowledging that passwords are notoriously insecure, Ian Hall, head of client services SIG for APAC at Synopsys, doesn’t see passwords going away because they are convenient and easy to implement. Those same characteristics are what make them easy to crack.
“Password fatigue further exacerbates the problem, with users reusing the same password across multiple applications, websites, and systems,” added Rohan Ramesh, director of identity and access management at Entrust.
The good news is that efforts are underway to find suitable alternatives to securely access applications and data other than passwords. One such approach is the use of Passkeys.
What is a Passkey
Hall says a passkey is a cryptographic replacement for a password that is based on open standards from the FIDO Alliance (FIDO stands for Fast IDentity Online).
“Instead of using a password, a cryptographic keypair is generated for every website that you need to authenticate with (think of this as a unique, extremely complicated password for each website).
“A difference though is that half of the keypair (the public key) is shared with the website and the other half of the keypair (the private key) is stored securely on your own device which could be a mobile, tablet or computer.
“When you log on to a website, a challenge is performed using the keypairs and since mathematically, only the private key can pass that challenge, the website can be assured you are who you say you are – you are authenticated,” explained Hall.
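As an added illustration of the per-site keypair and challenge flow Hall describes (not code from the article, the FIDO Alliance or any vendor quoted here), the following Go program models a website (relying party) that stores only public keys and a device that holds one private key per origin. Names, origins and user IDs are assumed, and the model is deliberately simplified: real WebAuthn adds attestation, signature counters and CBOR encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Simplified passkey model (assumed names; real WebAuthn adds attestation, counters, CBOR).
// Authenticator is the user's device: one private key per website origin, never shared.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty is a website: it stores only public keys, so a breach exposes no secret.
type RelyingParty struct{ origin string; pubKeys map[string]*ecdsa.PublicKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}}
}
// Register generates a fresh P-256 keypair for this origin and hands the site the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	a.keys[rp.origin] = priv
	rp.pubKeys[user] = &priv.PublicKey
	return nil
}
// NewChallenge issues 32 fresh random bytes; a response is valid for that challenge only.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// signedData binds the challenge to the origin, so a signature made for one origin
// cannot be verified by another: the phishing resistance the article cites.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}
// Sign answers with the key held for the origin the browser reports; a look-alike origin has none.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok { return nil, fmt.Errorf("no passkey registered for %s", origin) }
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}
// Verify checks the response against the stored public key under the site's own origin.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.origin, challenge), sig)
}
```

Because the device only signs for the origin it is actually talking to, a look-alike domain relaying the real site's challenge gets no signature at all, and an old signature never satisfies a fresh challenge.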
Shikiar adds that passkeys don't always need to be synced across an operating system cloud.
“Single device passkeys (such as those available on FIDO security keys) can also be used for passwordless sign-ins — this is critical for use cases that may require higher security or have specific regulatory requirements."
What makes Passkeys better
Ramesh claims that passkeys eliminate the potential for attacks that traditional passwords are susceptible to such as phishing or adversary-in-the-middle (AiTM).
He also claimed that passkeys end password fatigue, since every application creates a unique key pair and, with multi-device passkeys, every authenticating device is assigned its own device-bound key.
Best use cases for passkeys
Shikiar claims that passkeys are better suited for authentication than passwords in just about every scenario.
“We believe that passkeys will be immediately applicable to the vast majority of consumer use cases where requiring a password is both an inconvenience for the consumer as well as a risk and liability for the service provider,” he added.
Hall adds that passkeys simplify the process for end-users because they no longer need to remember a new password for every website.
“Since the passkeys are stored securely on the user’s device, they simply unlock it in the same way they normally do – perhaps using facial recognition, fingerprints, or a device PIN. It is also more secure since it is based on cryptography without the need for a secret to be stored by the website, making it resistant to phishing attacks.”
“There is also a matter of convenience: since the passkeys are securely synchronized between devices, in the event a user loses their mobile device they can recover the keys and continue logging on to websites,” he added.
Anything better than passkeys
Shikiar noted that while passkeys deliver increased security and a more frictionless user experience, they have only recently gained support from major platform vendors – which means applications and systems need to be updated to support passkeys.
Hall begrudgingly said that older devices will need to be upgraded – and this will take time.
What needs to happen for passkey adoption
Shikiar believes that the superior usability of passkeys in and of itself will create demand for companies to support passkeys.
Hall noted that passkey adoption is something that all organisations should be looking at, since their own data and their customers’ data are extremely important.
“With all the hacks and data breaches in the news, they should be asking themselves, what are the basic steps that we should be doing to protect that data? If organisations are already using single sign-on tools such as Azure AD and Okta, they provide an easy way to migrate to FIDO credentials such as passkeys,” he added.
Ramesh concedes the challenges that organisations will face in adopting them as the default authentication mechanism.
“For starters, passkeys are managed and stored by platforms, such as Apple, Google and Microsoft, and this may go against compliance or organisations’ policies. In addition, passkeys are synced to users’ cloud accounts managed by platform vendors (i.e., iCloud, etc.), which can violate company policy,” he added.
How to successfully adopt passkeys
Ramesh believes that the successful adoption of passkeys, especially in the customer identity access management (CIAM) space, will require organisations to incorporate user-friendly user experience changes.
“To help minimise disruption during onboarding, it’s important to have the option to sign in securely using passkeys, along with proper documentation on the benefits of using the passwordless option. In addition, getting rid of unwanted steps such as validating emails and requiring usernames when signing in will make the process more seamless and increase adoption."
Hall is both optimistic and wary of the (adoption) process.
“The onboarding process is relatively simple and can be done following authentication using any existing password-based mechanism. Since Windows/Mac/iPhone/Android will all support this very soon, separate devices will not need to be rolled out to users. I still remember the huge collection of OTP dongles that I collected years ago and would really like to avoid that repeating,” he concluded.