
Secure Passkeys May Not Be All They Are Cracked Up to Be

Written by Jamie Bsales | Feb 9, 2023 3:10:32 PM


Given the fact that there are billions of user passwords for sale on the dark web at any given moment, there is no doubt that simple passwords are an insufficient defense against cybercrime. Ever since device and software passwords took hold in the technology landscape, technology users have been pining for a better alternative. Password managers, multifactor authentication (MFA), single sign-on (SSO) platforms—all of them try to add an additional layer of security, but often at the expense of usability.


Well, it seems that big tech companies are finally coalescing behind one alternative: passkeys. Simply put, a passkey is a stored cryptographic token (or “key”) associated with a given device or service. When you set up a new device or register for a service that supports passkeys, a public key is generated and shared with that service. But like a username, that public key is worthless to a hacker without the companion piece: in this case, an encrypted private key stored on the device. That private key can be unlocked by a biometric entry (typically fingerprint or facial recognition on smartphones) or by a PIN or key sequence. At login, the device uses its resident private key to produce a proof that the service checks against the public key it holds; that exchange proves you are who you say you are and grants access. Security is enhanced not only through the two-key requirement, but also thanks to the fact that the private key is very difficult to extract from the device.
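As an added illustration of the registration and login exchange described above, here is a minimal challenge-response in Go. This is example code written for this edit, not from the post, the FIDO Alliance or any vendor. The `Service`, `Device` and `Register` names are invented for the example, Ed25519 stands in for whatever key type a real authenticator uses, and the `unlocked` flag stands in for the biometric or PIN check; real FIDO2/WebAuthn passkeys additionally bind the signature to the site's origin and carry a signature counter, both left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Service is the relying party. It stores only the public half of each
// user's passkey plus the challenge outstanding for the current login.
// (Constructed example; origin binding and counters are omitted.)
type Service struct {
	publicKeys map[string]ed25519.PublicKey // username -> registered public key
	pending    map[string][]byte            // username -> challenge not yet answered
}

func NewService() *Service {
	return &Service{
		publicKeys: map[string]ed25519.PublicKey{},
		pending:    map[string][]byte{},
	}
}

// Device is the authenticator. The private key never leaves it; the
// unlocked flag stands in for a successful fingerprint, face or PIN check.
type Device struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

// Register generates a fresh key pair on the device and hands only the
// public half to the service, as described in the text above.
func Register(s *Service, d *Device, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.priv = priv
	s.publicKeys[user] = pub
	return nil
}

// Challenge issues a random nonce for one login attempt. Each challenge
// is answered at most once, so a captured response cannot be replayed.
func (s *Service) Challenge(user string) ([]byte, error) {
	if _, ok := s.publicKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Sign proves possession of the private key by signing the challenge,
// but only after the local unlock (biometric/PIN) has succeeded.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if d.priv == nil {
		return nil, errors.New("no passkey registered on this device")
	}
	if !d.unlocked {
		return nil, errors.New("authenticator locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify checks the signature against the stored public key and retires
// the challenge whether or not the check passes.
func (s *Service) Verify(user string, sig []byte) bool {
	pub, ok := s.publicKeys[user]
	c, pendingOK := s.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, c, sig)
}

func main() {
	s := NewService()
	d := &Device{}
	if err := Register(s, d, "alice"); err != nil {
		panic(err)
	}
	c, _ := s.Challenge("alice")
	d.unlocked = true // a successful fingerprint or PIN check happened here
	sig, _ := d.Sign(c)
	fmt.Println("login accepted:", s.Verify("alice", sig))  // true
	fmt.Println("replay accepted:", s.Verify("alice", sig)) // false: challenge retired
}
```

The point the example makes concrete: a copy of the service's public-key database lets an attacker verify responses but not forge them, a response sniffed in transit is useless once its challenge is retired, and everything hinges on the local unlock gate, which is exactly where the "back door" concerns raised later in this post apply.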


The passkey concept has been around for about a decade now, but what is new is the emergence of a standard championed by the FIDO Alliance, an industry consortium tasked with promoting authentication standards. Ars Technica reported that Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys, and that users of services including PayPal, Kayak, eBay, WordPress, and others would have the option of logging in using passkeys based on the new FIDO standard.


But before we crumple up that Post-it note where our passwords are jotted down, we figured we’d ask around to see if passkeys are all they are cracked up to be. We got a mixed response.


The biggest stumbling block right now is the fact that passkey adoption in the tech arena is far from universal. Some sites and devices support it, some don’t—so you will still have to juggle various authentication schemes for years to come. Also, when it comes to smartphones, the passkey scheme tends to rely on biometric authentication and assumes a persistent Internet connection (neither of which is always a given). Users will also need to be provided with a workaround “back door” should they lose the device holding the private key, and that back door will be the weak link hackers use to gain entry.


The security experts we spoke with at Agile Cybersecurity Solutions (ACS), Keypoint Intelligence’s cybersecurity testing and services partner, also expressed some reservations. For example, while passkeys help to move us away from insecure passwords, with added ease for end users and the benefit of linking them to other controls such as biometrics, there is a commensurate loss of control for companies and users over whether the third parties they deal with have adequate security in place to manage these passkeys. The question arises: can the specific passkeys be trusted? ACS agrees that passkeys (if securely managed by trusted parties) have the potential to give us a mechanism to move beyond passwords and reduce risks.


The experts also noted that passkeys do not universally guard against impersonation attacks associated with device misuse: for example, malware on a mobile device masquerading as the user, or theft, where the user no longer maintains control of the device. While the biometric requirement will often be sufficient to keep “layman” hackers from accessing your services, there will still be that back door (a PIN, for instance) that a determined hacker could breach.


All of which is to say, while passkeys are a promising advance over passwords, they might not be quite the be-all and end-all they’ve been made out to be. Especially considering the lack of universal passkey adoption, current MFA solutions are the way to go for maximum security.
