THALES BLOG

Secure Your World with Phishing Resistant Passkeys

October 10, 2024

Pedro Martinez | Business Owner for Digital Banking Authentication

As we celebrate Cybersecurity Awareness Month 2024 with the theme "Secure Our World," exploring innovative technologies is crucial to help us achieve this goal. One such advancement that's revolutionizing online security and user authentication is passkeys. Passkeys represent a significant leap forward in creating a safer digital landscape, aligning perfectly with the mission to secure our world. By leveraging cryptographic techniques and biometric authentication, passkeys offer a more robust and user-friendly alternative to traditional passwords, addressing many vulnerabilities that have long plagued our online accounts.

In this blog, we'll delve into how passkeys work, their benefits, and why they're an essential tool in our collective effort to build a more secure digital future for everyone.

Phishing, a Growing Scourge

Phishing is effective because it capitalizes on human psychology, exploiting natural biases and behaviors rather than targeting technological weaknesses. It is also popular because a successful phishing attempt can give malefactors a foothold on business networks, leading to data breaches and financial losses.

Despite ongoing efforts to raise awareness, these attacks successfully exploit human biases to bypass traditional password-based security systems. They lure people into giving out sensitive information like passwords or logins by masquerading as trusted entities, making passwords the weakest link in the cybersecurity chain. Let’s look at some stats:

It’s no surprise that this year’s Cyber Security Awareness Month encourages individuals to be vigilant about phishing. Education has a role to play here, but adopting stronger, phishing-resistant authentication mechanisms like passkeys can be even more effective in preventing this scourge.

Passkeys Unpacked

Passkeys were designed to eliminate the weaknesses inherent in passwords. They provide faster, easier, and more secure sign-ins to websites and apps and are phishing-resistant.

They are based on the Fast Identity Online (FIDO) standard, with a cryptographic key pair (public and private keys) that authenticates users without putting sensitive data like passwords at risk of phishing schemes. In fact, they remove the need for passwords altogether.

Unlike passwords, which can be easily stolen or phished, a passkey's private key never leaves the user's device and is never sent to the website, so it can't be intercepted by bad actors. Passkeys are a giant leap toward passwordless authentication, boosting security across public and private sector entities.
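To make the phishing-resistance property concrete, here is an added illustration that is not part of the original post and not Thales, FIDO Alliance or browser-vendor code: a deliberately simplified Go model of the FIDO/WebAuthn sign-in ceremony. The authenticator keeps one private key per relying-party ID and only ever releases signatures; the browser records the page's true origin in the client data and refuses to use a credential for a site whose host does not match that ID; the server checks a fresh single-use challenge, the origin, and the signature against the public key it stored at registration. The names `Authenticator`, `RelyingParty` and `browserGetAssertion`, the example domains `bank.example` and `bank-login.example`, and the shortcuts (a hash of the rpID standing in for WebAuthn's authenticatorData, origins assumed to be plain `https://host` strings, the relying party trusting exactly one origin) are all assumptions of this example, not details from the post or the standard.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData mirrors the WebAuthn clientDataJSON fields used here; Assertion is the browser's reply.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct{ ClientDataJSON, Signature []byte }

// Authenticator models a device-bound authenticator: one private key per relying-party ID, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a P-256 key pair scoped to rpID and hands back only the public half.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail with crypto/rand
	a[rpID] = priv
	return &priv.PublicKey
}

// signedMessage: SHA-256(rpID) (standing in for authenticatorData) || SHA-256(clientDataJSON), hashed for ECDSA.
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// sign succeeds only if a credential scoped to rpID exists on this authenticator.
func (a Authenticator) sign(rpID string, clientDataJSON []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("authenticator: no credential registered for rpID " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, clientDataJSON))
}

// browserGetAssertion models the user agent: it rejects an rpID that is not the page's host or a
// registrable suffix of it, and always records the true origin (assumed to be "https://host" here).
func browserGetAssertion(a Authenticator, origin, rpID, challenge string) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("browser: rpID %q is not valid for origin %q", rpID, origin)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err := a.sign(rpID, cd)
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the server side: the registered public key plus issued, unconsumed challenges.
type RelyingParty struct {
	Origin, RPID string
	pubKey       *ecdsa.PublicKey
	challenges   map[string]bool
}

func NewRelyingParty(origin, rpID string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{Origin: origin, RPID: rpID, pubKey: pub, challenges: map[string]bool{}}
}

// NewChallenge issues a fresh random nonce that must come back inside a signed assertion.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c
}

// Verify: fresh single-use challenge, origin equal to this site's, signature by the registered key.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	json.Unmarshal(as.ClientDataJSON, &cd) // a parse failure leaves cd empty and fails below
	if cd.Type != "webauthn.get" || !rp.challenges[cd.Challenge] {
		return errors.New("rp: wrong ceremony type or unknown/replayed challenge")
	}
	delete(rp.challenges, cd.Challenge) // each challenge is accepted exactly once
	if cd.Origin != rp.Origin {
		return fmt.Errorf("rp: assertion was made for origin %q, not %q", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pubKey, signedMessage(rp.RPID, as.ClientDataJSON), as.Signature) {
		return errors.New("rp: signature does not verify under the registered public key")
	}
	return nil
}
```

Create the authenticator with `Authenticator{}` (a nil map would panic on `Register`), register once with `NewRelyingParty("https://bank.example", "bank.example", auth.Register("bank.example"))`, and then run `browserGetAssertion` followed by `rp.Verify`. Walking through the failure paths shows where the phishing resistance comes from: a look-alike page cannot ask for the bank's rpID because the browser refuses the mismatch, it finds no credential under its own rpID, an assertion minted for another origin is rejected by the origin check even if it were relayed, a replayed assertion fails because the challenge has been consumed, and a signature from any key other than the one registered does not verify. No secret comparable to a password ever crosses the wire, which is why there is nothing for a phishing page to capture.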

Passkeys enhance multi-factor authentication (MFA), too. MFA requires users to provide two or more forms of verification; passkeys streamline the process by combining a biometric or a PIN with cryptographic authentication in a single step.

Types of Passkeys: Synced and Device-Bound

There are two kinds of passkeys: synced passkeys and device-bound passkeys. While both provide phishing resistance, they work differently in terms of security and user experience.

1. Synced Passkeys: These are stored in the cloud and can be synchronized across multiple devices. Tech giants like Apple, Google, and Microsoft use synced passkeys to improve the user experience. These can be easily transferred between devices so users can log in with a PIN or a biometric (fingerprint or facial recognition). They are convenient for personal use, enabling users to access accounts from different devices without friction.

2. Device-Bound Passkeys: These are tied to a specific device and never leave it. This makes them more secure than synced passkeys, as the private key remains guarded against external threats like cloud attacks. These sometimes come in the form of hardware security keys, such as USB tokens or smart cards, that require physical possession of the device to authenticate. Device-bound passkeys are particularly useful for businesses with high-security requirements, as they provide an extra layer of protection against phishing and man-in-the-middle attacks.

Which Passkey Is Right for Your Business?

Synced passkeys are convenient for personal accounts and everyday use, and device-bound passkeys are the gold standard for businesses prioritizing security. Firms handling sensitive data or those subject to strict compliance requirements should opt for device-bound passkeys to prevent phishing, man-in-the-middle attacks, and other types of identity theft.

When convenience is the priority, synced passkeys are ideal for internal apps or services that don’t handle critical information.

The Push for Stronger Authentication

As phishing attacks become more sophisticated, governments and regulators advocate for more robust security measures. In the European Union, the General Data Protection Regulation (GDPR) mandates that businesses implement appropriate security measures, a requirement that MFA and passkeys address comprehensively.

Similarly, Executive Order 14028 has directed the use of phishing-resistant MFA in the United States, explicitly calling for FIDO-based solutions.

This regulatory push has seen the demand for passkeys soar, particularly in heavily regulated industries that handle confidential data, such as finance, healthcare, and the public sector.

Securing Our World

In the fight to "Secure Our World," passkeys offer a powerful solution to one of the most pervasive cybersecurity threats: phishing. By replacing vulnerable passwords with phishing-resistant authentication, passkeys are the future of digital security.

As Cyber Security Awareness Month reminds us, recognizing and reporting phishing is critical to protecting our digital world. By adopting stronger authentication methods like passkeys, we can go one step further in securing our online spaces and safeguarding sensitive information.

For a more in-depth look at passkeys, listen to the recent Thales Security Sessions Podcast episode where I joined Andrew Shikiar of the FIDO Alliance to discuss “The Stealthy Success of Passkeys”.