
As cyber risks continue to evolve across the BFSI industry, financial institutions are turning to stronger, more innovative ways to secure digital identities and transactions. Passkeys, a replacement for passwords built on device-based cryptographic authentication, are setting a new standard for security and creating a safer digital landscape, in line with the mission to secure our world. By combining public-key cryptography with local user verification (a biometric or a device PIN), passkeys offer a more robust and user-friendly alternative to traditional passwords, addressing many of the vulnerabilities that have long plagued our online accounts.
In this blog, we'll delve into how passkeys work, their benefits, and why they're an essential tool in our collective effort to build a more secure digital future for everyone.
Phishing is effective because it capitalizes on human psychology, exploiting natural biases and behaviors rather than targeting technological weaknesses. It is also popular because a successful phishing attempt can give malefactors a foothold on business networks, leading to data breaches and financial losses.
Despite ongoing efforts to raise awareness, these attacks successfully exploit human biases to bypass traditional password-based security systems. They lure people into giving out sensitive information like passwords or logins by masquerading as trusted entities, making passwords the weakest link in the cybersecurity chain. Let’s look at some stats:
These alarming statistics underscore the critical and escalating risk phishing poses to organizations today. Education has a role to play here, but adopting stronger, phishing-resistant authentication mechanisms like passkeys can be even more effective in preventing this scourge.
Passkeys were designed to eliminate the weaknesses inherent in passwords. They provide faster, easier, and more secure sign-ins to websites and apps and are phishing-resistant.
They are based on the FIDO Alliance's FIDO2 standards (WebAuthn and CTAP). At registration the user's authenticator generates a cryptographic key pair: the private key stays on the authenticator and the website stores only the public key. At sign-in the site sends a fresh random challenge, the authenticator returns a signature over it, and the site checks that signature with the stored public key. No shared secret is ever transmitted or stored server-side, so there is no password to phish or to steal from a breached database.
Unlike passwords, which can be easily stolen or phished, the private key never leaves the user's authenticator, and every signature is bound to the challenge and to the origin of the site that requested it. A signature obtained by a look-alike domain is therefore rejected by the real site, which is what makes passkeys phishing-resistant rather than merely hard to guess. They are a giant leap toward passwordless authentication, boosting security across public and private sector entities.
Passkeys also satisfy multi-factor authentication (MFA) requirements. MFA needs users to provide two or more verification factors; a passkey combines possession of the authenticator with local user verification by a biometric or PIN, so a single gesture supplies both factors. The biometric or PIN is checked on the device and is never sent to the server.
There are two kinds of passkeys: synced passkeys and device-bound passkeys. While both provide phishing resistance, they work differently in terms of security and user experience.
1. Synced Passkeys: The private key is stored in a platform or third-party credential manager and synchronized, end-to-end encrypted, across the user's devices. Platform vendors such as Apple, Google, and Microsoft offer synced passkeys to improve the user experience. Users unlock them with a PIN or a biometric (fingerprint or facial recognition) on each device, so they can log in from different devices without re-enrolling. They are convenient for personal use, enabling users to access accounts from different devices without friction; the trade-off is that the credential is now only as safe as the cloud account and account-recovery process that protect the sync fabric.
2. Device-Bound Passkeys: The private key is generated in, and never leaves, a single authenticator, often a hardware security key (USB token, NFC key or smart card) that holds the key in secure hardware, so authentication requires physical possession of that device. Because the key is never copied to a cloud service, a compromised cloud account cannot expose it, and the authenticator can supply an attestation statement that lets the relying party verify which make and model of authenticator created the credential. Device-bound passkeys are particularly useful for businesses with high-security requirements that need to control and prove which authenticator holds a credential, on top of the phishing and man-in-the-middle resistance that all passkeys provide.
Synced passkeys are convenient for personal accounts and everyday use, and device-bound passkeys are the gold standard for businesses prioritizing security. For instance, banks processing financial transactions or insurance firms managing confidential policyholder information should opt for device-bound passkeys to prevent phishing, man-in-the-middle attacks, and other types of identity theft.
Investment companies and payment processors, which are often subject to strict compliance requirements like PCI DSS, also benefit from the additional security that device-bound passkeys provide.
When convenience is the priority, synced passkeys are ideal for internal apps or services that don’t handle critical information. This could be a bank enabling synced passkeys for employee access to non-sensitive systems – such as scheduling platforms or internal team communication tools – while reserving device-bound passkeys for customer banking portals and any application processing sensitive financial data.
As phishing attacks become more sophisticated, governments and regulators advocate for more robust security measures. In the European Union, the General Data Protection Regulation (GDPR) requires businesses to implement technical and organisational measures appropriate to the risk, and strong authentication such as MFA and passkeys is a direct way to meet that requirement for access control.
Similarly, in the United States, Executive Order 14028 directed federal agencies to adopt MFA, and the follow-on OMB memorandum M-22-09 requires that MFA be phishing-resistant, explicitly naming FIDO2/WebAuthn (alongside PIV) as an acceptable approach.
This regulatory push has seen the demand for passkeys soar, particularly in heavily regulated industries that handle confidential data, such as finance, healthcare, and the public sector.
Migrating to FIDO2 passkeys can follow several common paths, depending on your business size, existing infrastructure, and user base:
Organizations across regulated industries have demonstrated how thoughtful, phased migration can deliver measurable security and operational benefits. For example, Aflac’s early passkey rollout enrolled over 500,000 customers and achieved a 32% reduction in password recovery requests and support calls. Read more real-world migration success stories here.
By planning your migration carefully and considering your users’ devices, workflows, and security policies, your business can transition smoothly to phishing-resistant passkeys and future-proof your authentication strategy.
In the fight to "Secure Our World," passkeys offer a powerful defense against one of today’s most pervasive cybersecurity threats: phishing. By replacing vulnerable passwords with phishing-resistant authentication, passkeys are the future of digital security.
To learn more about how passkeys can protect your business and strengthen your security posture, visit our website.
Want to dive deeper? Check out this Thales Security Sessions Podcast episode where I joined Andrew Shikiar of the FIDO Alliance to discuss “The Stealthy Success of Passkeys”.