
Thales Blog

Passkeys and The Beginning of Stronger Authentication

February 2, 2024

Pedro Martinez | Business Owner, Digital Banking Authentication

How passkeys are rewriting the current threat landscape

Lillian, an experienced CISO, surveyed the threat landscape. Despite solid cybersecurity defenses within her enterprise, the reliance on age-old passwords left it vulnerable.

Their own employees, even with their best efforts, remained the weakest link. They struggled to create and remember complex, ever-changing passwords for the maze of systems they accessed daily. Their approach led to predictable patterns, password reuse, system lockouts, and a staggering number of costly helpdesk tickets.

Outside her organization, cybercriminals exploited these shortcomings with increasingly sophisticated phishing attacks and relentless persistence. It didn’t help that, despite tireless efforts to promote better password practices, "12345" remained the most popular password combination – globally.

Lillian knew that a shift in authentication couldn't wait. Fortunately, it didn’t have to.

Passkeys are ready to be rolled out on a larger scale

Our fictional CISO, 'Lillian,' was never alone in recognizing the problem with passwords. The truth is that the entire digital industry, particularly those in cybersecurity, has come to the same conclusion: passwords are the problem!

For over four decades, we've relied on passwords to safeguard computer systems, applications, and web services against unauthorized access. But while passwords have served their purpose, they have outlived their usefulness. They're error-prone, an unstable link in the security chain, a high-friction element in user journeys, and an outdated authentication method unsuitable for today's landscape.

This industry-wide understanding has, in turn, led to the rise of FIDO passkeys: a global standard created by the FIDO Alliance and based on public key cryptography. Now, major internet players such as Google, Amazon, and Apple have rolled out passkeys to all consumers, signaling the true end of passwords.

What is FIDO and what is the difference between synced and device-bound passkeys?

Before we dive deeper into the whole FIDO passkeys discussion, there is still some confusion to clarify: what is FIDO, and what are passkeys? And what on earth is the difference between synced and device-bound passkeys? So, let’s drill down to the basics:

1. FIDO is an overarching framework for secure and passwordless authentication. It is a set of open industry standards and protocols designed to improve the way we verify identities online. This framework supports a range of authentication methods, including biometrics such as fingerprints or secure hardware tokens such as USB security keys.

2. Passkeys are the resulting cryptographic objects that are used for authentication. But there are two types of passkeys: synced and device-bound. Let’s break that down:

Synced passkeys: Every MacBook, Chromebook or Windows PC, and every Android or iOS smartphone or tablet running a recent OS version, is FIDO-enabled and capable of managing passkeys. Passkeys created on these devices may be uploaded to the device's cloud (e.g. Google's password manager or Apple's iCloud) and from there propagate to any other device the user has linked to the same cloud account. These types of passkeys are called synced passkeys.

Synced passkeys eliminate the need for multiple enrollments and enable easy recovery if a device is lost or stolen. However, they do not meet stringent Strong Customer Authentication (SCA) rules due to the lack of unique user-device binding. For instance, the financial PSD2 regulation in Europe demands this binding for SCA compliance. This limitation prompts the need for an alternative: device-bound passkeys.

Device-bound passkeys, in contrast, are uniquely bound to a single device. They can be used through a dedicated FIDO-certified hardware token, or they can be managed directly by the service provider’s mobile app, giving the provider full control without involving the cloud services of the device OS. The exclusive binding to a single device addresses the SCA compliance requirement for unique user-device linking and 2FA, making device-bound passkeys a viable solution for regulated industries striving to meet regulatory standards, such as financial institutions. By incorporating support for device-bound passkeys in their mobile app, service providers can achieve an optimal balance between heightened security and user convenience.

So, what is the recommended approach?

We strongly recommend that organizations implement support for synced passkeys and enable them as an alternative to passwords for low-assurance access to their services and applications. However, for high-assurance authentication, such as authorizing a bank transaction, it's crucial to employ device-bound passkeys to ensure that the end user is using the approved device and not another device holding a synced “copy” of the passkey.
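As an added illustration (not Thales code), here is how a relying party can apply this split: WebAuthn assertions carry a "backup eligible" flag that authenticators set on synced passkeys, so the server can accept those for low-assurance logins while refusing them for transaction authorization and asking for a device-bound passkey instead. The RP ID bank.example, origin, challenge and flag values are constructed sample data, and the signature check over the assertion is assumed to have passed beforehand.

```python
import base64
import hashlib
import json
import struct

# Bits of the WebAuthn authenticatorData flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: the passkey may be synced through a cloud account
FLAG_BS = 0x10  # backup state: the passkey is currently synced

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    # Constructed authenticatorData prefix: SHA-256(rpId) || flags || signCount (big-endian).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def evaluate_assertion(auth_data: bytes, client_data_json: bytes, rp_id: str, origin: str,
                       challenge: bytes, last_sign_count: int, high_assurance: bool) -> tuple:
    # Relying-party policy check. Assumes the assertion signature over
    # auth_data || SHA-256(client_data_json) was already verified with the stored public key.
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get" or client.get("origin") != origin:
        return False, "wrong ceremony type or origin"
    if client.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (possible replay)"
    if not (flags & FLAG_UP and flags & FLAG_UV):
        return False, "user presence or verification not asserted"
    # Device-bound authenticators keep a signature counter; a non-increasing value hints at a clone.
    if sign_count and last_sign_count and sign_count <= last_sign_count:
        return False, "signature counter did not increase"
    synced = bool(flags & FLAG_BE)
    if high_assurance and synced:
        return False, "synced passkey refused: step up to a device-bound passkey"
    return True, ("synced passkey accepted" if synced else "device-bound passkey accepted")

# Constructed sample assertions for the fictional relying party bank.example.
RP_ID, ORIGIN = "bank.example", "https://bank.example"
CHALLENGE = b"constructed-32-byte-challenge!!!"
CLIENT = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE), "origin": ORIGIN}).encode()
SYNCED = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)  # cloud-synced passkey
BOUND = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)  # device-bound passkey, counter 42
```

The same synced credential passes a plain login (`high_assurance=False`) and is rejected for a transaction (`high_assurance=True`), which is exactly the policy split recommended above.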

Keep in mind that when a user seeks to identify themselves on a service or website, they can use passkeys only if the site supports them. Otherwise, the user will have to stick to the traditional method of username and password. Having the right infrastructure in place is therefore a key stepping stone to going passwordless.

Passkeys are gaining widespread adoption

The widespread adoption of passkeys is largely thanks to the integration of passkey support by major tech giants such as Apple, Google, and Microsoft into their operating systems, ensuring native compatibility across almost all smartphones and computers. Synced passkeys offer convenience across devices. Widely accessible, their availability to all users is poised to elevate security standards universally.

On the other hand, device-bound passkeys take security a step further, meeting compliance in regulated markets and stringent enterprise needs. Integration within a mobile app or the use of hardware security tokens is required, but it guarantees heightened security.

Passkeys are redefining user vulnerability

Passwords are vulnerable to phishing attacks, demanding extra effort from users for good hygiene. Until now, few tools assisted users in efficiently managing passwords to safeguard themselves and their businesses from attacks. Password managers gained traction for a while, but adoption remained limited. They have also, by design, introduced security gaps of their own, such as potential master password breaches, software vulnerabilities, and the risk of malicious attacks on stored passwords.

For users to adopt better security practices, measures around it must be non-disruptive. A study conducted by the Harvard Business Review revealed that most security breaches in a workforce do not stem from a desire to cause harm but from the perception that adhering to rules might impede employees in effectively carrying out their work.

The study showed that over 60% of employees end up breaking the security policy, with 85% pointing out lower productivity as the number one cause. In addition, they found that employees were more likely to breach policies on high-stress days, suggesting that elevated stress levels reduce people's willingness to comply with rules seen as obstacles to their tasks such as updating passwords when recommended. Security gaps like these can be closed with the implementation of passkeys.

Towards a passwordless future

The key takeaway here is that with passkeys, whether synced or device-bound, users no longer have to be the weakest link in the cybersecurity chain. By going passwordless, issues surrounding password reuse, predictable patterns and costly password reset tickets become obsolete. Experience- and security-centric enterprises across the globe are increasingly dropping their passwords. One identification provider grants a seamless experience to its clients by getting rid of passwords.

With passkeys taking the spotlight, we can envision a future that is not only safer but also more user-friendly for all. CISOs, like Lillian, can now redirect their focus to other critical aspects of cybersecurity. However, it's essential to remember that, as with any commercial rollout, adoption will not occur overnight. In the end, convenience will drive adoption, but a robust and resilient roadmap is the first step towards a passwordless future. Is your roadmap ready?

Thinking about going passwordless? Start with our eBook.