THALES BLOG

Level Up Your Security: Embrace Passkeys and Phishing-Resistant 2FA

January 31, 2025

Thales | Cloud Protection & Licensing Solutions

Traditional security measures like passwords are no longer enough in the modern threat landscape. As we celebrate Change Your Password Day on February 1st and 2FA Day on February 2nd, there’s no better time to rethink and upgrade how we protect our digital lives. 2025 must be the year we adopt modern security practices, such as passkeys, phishing-resistant 2FA, and password managers, to ensure safer, stronger authentication for everyone.

Redefining Change Your Password Day

We’ll start with Change Your Password Day because, frankly, it’s a little complicated. Sure, changing your passwords will, in most cases, improve the security of your digital accounts – but what if we could do away with passwords altogether? This reality might be closer than you think.

Please don’t think we’re bashing the password. It has been a cornerstone of digital security for decades and has served us well. But it has had its day. Passwords are often weak, reused, or easily compromised. The average person manages a staggering 100 passwords and, as a result, uses workarounds, like choosing easy-to-remember passwords or reusing the same password across multiple services. These workarounds, it should go without saying, present a security risk.

So, what’s the alternative? Passwordless authentication. Many leading organizations are transitioning to passkeys to authenticate users, improving both security and convenience. Let’s briefly examine what they are and how they work.

What are Passkeys?

Passkeys are passwordless credentials built on the FIDO Alliance’s FIDO2 and WebAuthn standards. When a user registers with a service, the device generates a unique public/private key pair for that account: the private key is stored securely on the device, and only the public key is sent to the service. To sign in, the service sends a random challenge; once the user unlocks the device with a biometric (fingerprint or face) or a device PIN, the device signs the challenge with the private key, and the service verifies the signature with the public key it holds. The credential is bound to the service’s web origin, so a look-alike phishing site cannot trigger it, and the service stores no secret that a breach could expose. There are two main types of passkeys: device-bound passkeys, which exist only on the device (such as a hardware security key) where they were created, and synced passkeys, which are backed up to the user’s platform account (for example, Apple iCloud Keychain or Google Password Manager) and made available across their devices.

Why Use Passkeys?

Switching to passwordless authentication and passkeys greatly benefits organizations and individual users. They are:

  • Enhanced Security: Passkeys resist phishing and credential-stuffing attacks because they are public-key credentials bound to the service’s origin; the private key never leaves the user’s device or credential manager, and the service stores nothing that a phishing page or a database breach could reuse.
  • Cost-Effectiveness: Passkeys eliminate password resets, the most frequent and costly customer care incident.
  • Improved User Experience: Passkeys eliminate the need for users to remember and manage complex passwords.
  • Cross-Platform Compatibility: Passkeys work seamlessly across a vast range of devices and operating systems.

Ultimately, passkeys just make sense. They are the logical heir to the humble password and are gaining widespread adoption thanks to integration support by major tech giants like Apple, Google, and Microsoft.

Transitioning to Passkeys

Organizations transitioning to passkeys should take a phased approach:

  • Assess: Evaluate current security posture and identify areas for improvement.
  • Pilot: Test passkeys in a controlled environment.
  • Deploy: Gradually roll out passkeys across the organization.
  • Educate: Provide comprehensive training and support to users.
  • Monitor: Continuously monitor usage and adjust implementation as needed.

For users, it’s simply a matter of enabling passkeys on their devices, using passkeys whenever available, and prioritizing device security with strong passcodes and regular updates.

What if Passkeys Aren’t an Option?

That said, not all digital services will offer passwordless authentication, so you need to ensure that your remaining passwords are strong and unique. Start by auditing and updating the passwords for all your critical accounts, and use a password manager to do it. Look for one that integrates with your preferred browsers and devices, has a built-in generator that creates a unique, complex password for each account, and can autofill credentials. Autofill is also a small phishing defense in its own right: a manager only offers the saved credentials on the site they were saved for, so a look-alike domain gets nothing.

Amplifying 2FA Day

That brings us to 2FA day. Basic two-factor authentication is non-negotiable: everyone, everywhere, must enable it for all their accounts. Data shows that 2FA blocks 99.9% of automated attacks and dramatically reduces the success of phishing attempts.

However, as AI makes phishing more sophisticated and convincing, more advanced, phishing-resistant 2FA – like hardware security keys or other FIDO2-compliant methods – has become critical, especially for access to sensitive or critical systems. A one-time code from SMS or an authenticator app can be captured by a real-time phishing proxy and forwarded to the genuine site within seconds; a FIDO2 credential is bound to the genuine site’s origin, so the proxy gets nothing it can use. If you’re unsure when to use basic vs. advanced 2FA, here’s a quick guide:

  • Use basic 2FA for accounts with moderate sensitivity, such as social media or online shopping. Prefer an authenticator app over SMS where you can: SMS codes can be intercepted through SIM swapping, and an app works without cellular coverage.
  • Employ advanced, phishing-resistant 2FA, like FIDO2 security keys or passkeys (unlocked with a biometric or PIN on the device), for highly sensitive accounts, such as banking, your primary email, or company access, where a breach has severe consequences. Email deserves the stronger option because password resets for almost everything else flow through it.

The Future of Authentication: Passkeys and 2FA, Together

Used together, passkeys and 2FA form a formidable defense. Passkeys eliminate passwords, a major phishing target, and a passkey sign-in already combines two factors: possession of the device and the biometric or PIN that unlocks it. Where a password must remain, phishing-resistant 2FA adds that same device-bound layer, making it extremely difficult for attackers to access user accounts.

In celebration of Change Your Password Day and 2FA Day, organizations should lead by example by adopting and mandating passkeys and 2FA and upgrading to phishing-resistant options for sensitive systems.

Moreover, it’s important to empower our communities by taking practical steps. Everyone reading this should share these practices with friends, family, and colleagues who would benefit from them. If you know someone resistant to change who struggles to keep track of a multitude of passwords across different accounts, explain what password managers are, how they work, and what to look for when selecting one.

Remember, the threat landscape evolves, but so do we. Let’s stay one step ahead.

Learn more about passkey technology in our recent Thales Security Sessions podcast episode, “The Stealthy Success of Passkeys”, featuring Andrew Shikiar, Executive Director & CEO at the FIDO Alliance, and Pedro Martinez, Business Owner for Digital Banking Authentication at Thales.