This page examines passkeys, a new authentication method set to replace traditional passwords.
Passkeys – unveiled in 2022 by major tech companies including Apple, Google and Microsoft – are the result of 10 years of work by the FIDO Alliance.
As passkeys offer a more secure and convenient way to authenticate users, it is no surprise that industry experts agree they will become the standard authentication method used worldwide. In fact, according to the business news channel CNBC, passkeys are already well on their way to becoming the industry norm.
Here we look at what passkeys are, how they differ from traditional passwords, and how Thales is leading the way in facilitating the seamless adoption of passkeys while maintaining the necessary security and compliance with standards demanded by regulated industries.
Let's jump right in.
Passkeys are cryptographic credentials that meet FIDO Alliance specifications and are used to authenticate users for accessing digital services.
Passkeys’ passwordless authentication typically involves using facial recognition or fingerprint scanning to authenticate a user. This approach can reduce the risk of account takeover through password theft or social engineering attacks while making the login process faster and more user-friendly.
The FIDO (Fast Identity Online) Alliance, a cross-industry coalition established in 2013, aims to develop and promote open standards for strong authentication that can reduce reliance on passwords and improve security for online transactions. FIDO specifications and protocols are designed to work across all devices, platforms, and online services. The FIDO Alliance also provides certification programs to ensure that products and services are interoperable and meet its standards.
Passwords are an outdated method of authentication that often pose a security risk.
They can be forgotten, phished, hacked, or not strong enough, leading to compromised accounts, data breaches, and related costs.
This is where passkeys come to the rescue as a more secure and user-friendly alternative.
Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are phishing-resistant.
Passkeys represent the future of authentication for all digital services because they provide a more secure, convenient, and user-friendly authentication method.
How do we get there?
Passkeys are based on FIDO authentication, an open standard that enables passwordless authentication across different devices and platforms. It uses public-key cryptography to secure user identity and protect against phishing attacks.
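The following Go program is an added illustration of the public-key challenge-response just described; it is not code from Thales, the FIDO Alliance or any WebAuthn library, and its message format, the relying-party ID `bank.example` and the lookalike `bank-example.evil` are constructed for the example. The device holds the private key scoped to one relying-party ID, the service stores only the public key, and a challenge signed for the genuine site verifies while a lookalike domain gets no usable assertion at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Passkey is the device side: a private key scoped at creation to one relying-party ID (the site's domain).
type Passkey struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Register creates the key pair on the device; the service receives and stores only the public key.
func Register(rpID string) (*Passkey, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Passkey{rpID: rpID, priv: priv}, &priv.PublicKey
}

// signedMessage binds a signature to the observed RP ID and the one-time challenge (a simplified clientDataHash).
func signedMessage(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return sum[:]
}

// Assert signs after the local biometric check; the key works only for its own RP ID, so a lookalike domain gets nothing.
func (p *Passkey) Assert(observedRPID string, challenge []byte) []byte {
	if observedRPID != p.rpID {
		return nil
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, p.priv, signedMessage(p.rpID, challenge)) // errors only on RNG failure
	return sig
}

// Verify is the service side: the stored public key, the service's own RP ID and the challenge it issued must all match.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return sig != nil && ecdsa.VerifyASN1(pub, signedMessage(rpID, challenge), sig)
}

func main() {
	pk, pub := Register("bank.example")
	ch := []byte("constructed challenge; a real service sends fresh random bytes per login")
	fmt.Println(Verify(pub, "bank.example", ch, pk.Assert("bank.example", ch)), Verify(pub, "bank.example", ch, pk.Assert("bank-example.evil", ch))) // true false
}
```

Because the challenge is part of the signed message, an assertion captured for one login also fails verification against the next login's challenge.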
Passkeys are already available on Apple platforms (iOS and macOS), Android, Chrome and Windows – signalling massive support from the industry.
They are already changing access to digital services dramatically, bringing lots of benefits for end users and service providers:
We don’t have to remember passkeys.
The smartphones, tablets and computers we use to access digital services generate, store and manage our passkeys. We can use them to authenticate to digital services whenever required, simply by performing the same biometric verification we use to unlock our devices.
Passkeys created and managed by the device’s OS synchronise to the device vendor’s cloud (Apple, Google or Microsoft), meaning that they can be quickly recovered if a device is lost.
This is how passkey synchronisation works:
A passwordless future is finally within reach.
Adopting FIDO technology to replace passwords for basic login with passkeys is a no-brainer for any service provider, including in highly regulated industries.
But service providers need to understand both the benefits and the limitations of passkeys to ensure that they are implemented in the right way for maximum security in their different ecosystems.
For example, although FIDO authentication can be used for Strong Customer Authentication (SCA), using passkeys for SCA needs some consideration.
Passkeys synchronised over the cloud combine two authentication factors (biometrics plus possession), but they are not uniquely bound to a specific device since they are synced over the device ecosystem.
Many regulations, such as PSD2 for financial services, require device binding. So financial institutions, and service providers in similarly regulated industries, have to raise the bar on passkeys before implementing them for PSD2/SCA.
Our IdCloud platform enables service providers to implement passkeys in several different ways, to make sure they strike the best balance between security and user experience.
The result?
It ensures compliance with regulations and meets the security demands of regulated industries.
Together, passkeys and IdCloud platform provide a robust and effective security solution to protect sensitive data and transactions from cyber threats and unauthorised access.
Naturally, IdCloud fully supports ‘synced passkeys’, i.e. the standard passkeys that are synchronised over the cloud.
But it also supports ‘device-bound passkeys’. These are passkeys that are uniquely bound to the device where they are generated, making them SCA-compliant under strict regulations such as PSD2 and keeping the service provider in control.
| | Synced passkeys | Device-bound passkeys |
|---|---|---|
| GREAT FOR | Password replacement | Strong Customer Authentication |
| MANAGED BY | Device OS | Mobile app |
| PRIVATE KEY | Uploaded to cloud | Never leaves the device |
| DEVICE BINDING | No | Yes |
| PSD2 COMPLIANCE | No | Yes |
Our IdCloud platform is FIDO2 certified.
The platform offers fully scalable authentication as a service and supports the technology you use today (OTP) and the one you will use tomorrow (FIDO).
While passkeys are great for regulated industries, it’s important to remember that their implementation needs to be considered carefully to ensure maximum security.
This is where Thales can provide invaluable advice and support.
We have extensive experience in helping service providers transition from legacy authentication to state-of-the-art solutions, attaining the best possible security and user experience demanded in their services while ensuring compliance, service continuity, reliability and scalability.
Implemented correctly, passkeys will increase security and ensure a better user experience. But it shouldn't stop there.
Service providers can further enhance their digital authentication security and the user experience by incorporating risk management technologies and risk-based authentication (RBA).
When implemented effectively, such technologies can identify returning good users with high confidence and enable them to benefit from SCA exemption.
Additionally, complete session monitoring can be used to prevent account hijacking and social engineering attacks that can happen after login.
By adopting such measures, service providers can ensure their customers enjoy a secure and seamless digital experience.
Read our companion blog post to learn more about fraud detection in banking.