Thales Blog

IAM and Passkeys: 4 Steps Towards a Passwordless Future

May 2, 2024

Simon McNally Simon McNally | Pre-Sales Director IAM, EMEA More About This Author >

In the ever-evolving landscape of cybersecurity, Identity and Access Management (IAM) remains a vital link in the cybersecurity chain. However, with World Password Day just around the corner, there’s no time like the present to consider how relying on antiquated password systems leaves organizations exposed to vulnerabilities. In fact, the greatest threat is often the person sitting in the next office. People are vulnerable to attacks exploiting their biases. They suffer from password fatigue, constantly creating and keeping track of a burgeoning number of passwords needed to navigate the myriad systems they interact with daily.

Almost every service or app wants a password, and each must be a certain length and a special mix of letters, numbers, and special characters. If left to their own devices, many users would still use weak, predictable passwords. And despite relentless efforts to advocate for improved password practices (Bill Gates declared the death of passwords back in 2004), the uphill battle against ingrained habits and the allure of convenience continues.

Understanding this struggle, password managers were introduced. With password managers, enterprises no longer need to rely on their staff to memorize multiple passwords, as they generate highly secure passwords automatically and provide access to the vault across devices via cloud storage. However, even these handy tools rely on good old passwords.

Understanding Passkeys

Fortunately, as technology advances, so do the methods used to authenticate users securely. This is why passwordless authentication is growing in popularity among organizations - it introduces features that help boost security while eliminating user friction. One of these methods is passkeys, a modern version of traditional passwords, which are helping to improve authentication and, alongside that, the state of security in 2024.

Passkeys are a more secure and easier option than passwords. With passkeys, users are able to sign in to applications and websites via a biometric sensor, for instance, a fingerprint or facial recognition, a PIN, or a pattern, meaning they no longer have to remember and manage passwords.

According to Google, “A passkey can meet multifactor authentication requirements in a single step, replacing both a password and OTP to deliver robust protection against phishing attacks and avoids the UX pain of SMS or app-based one-time passwords. Since passkeys are standardized, a single implementation enables a passwordless experience across all of a users' devices, across different browsers and operating systems.”

The Fast Identity Online (FIDO) Alliance is at the vanguard of passkey technology. FIDO standards, such as FIDO2 and WebAuthn, facilitate secure authentication mechanisms by enabling passwordless logins via biometrics, USB tokens, or mobile devices. By eliminating the need for passwords altogether, FIDO standards mitigate the inherent vulnerabilities that go hand in hand with traditional authentication methods.

Synced and Device-Bound Passkeys

All passkeys are not the same. There are two categories: synched and device-bound.

Synched passkeys are synchronized between user devices via a cloud service, such as an operating system ecosystem or password manager. This allows users access to their accounts frictionlessly across multiple devices. Whether logging into a website on a laptop or accessing an application on a smartphone, synced passkeys ensure a consistent and seamless user experience.

On the other hand, device-bound passkeys are tied to specific hardware, such as a smartphone or a USB security key. By leveraging the unique characteristics of each device, device-bound passkeys boost security by adding another layer of protection against account compromise. This type of passkey also reduces the reliance on centralized authentication servers, mitigating the risk of data breaches and server-side attacks.

However, the biggest downside of using passkeys is that many sites do not use them yet. To use passkeys, each site that wants to be passkey-enabled must update its authentication mechanism to understand and employ passkeys.

Implementing Passkeys: Best Practices

To ensure a smooth and secure transition, businesses must be aware of the following considerations before implementing passkeys:

  • Firstly, adopting an MFA approach, incorporating biometrics or hardware tokens alongside passkeys, enhances authentication integrity and resilience against unauthorized access attempts. This is because, ideally, passkeys should be registered when the identity of the user is already highly trusted. Enabling enrolment outside an MFA step can create a security hazard as the typical session or token-based mechanisms lose their assurance after a while. People leave their phones and laptops lying around unlocked, for instance. If no other mitigations exist, an attacker could register their own keys, which could see the legitimate customer locked out.
  • The most essential step to avoid implementation challenges is understanding your users. This may seem obvious, but for any passkey implementation to succeed, it has to be configured to match the user authentication journey. Think about the devices they prefer, be it mobile or desktop, and which are their platforms of choice. All these will impact the implementation.
  • Next, know your appetite for risk. Although security and user experience (UX) are not always at odds, until passkeys enjoy more ubiquitous support across devices and environments, some difficult decisions need to be made about where the business believes it is most vulnerable to attack and in which areas it could offer a more frictionless experience for users.
  • Finally, keep a proverbial toe in the water. Passkey providers are constantly updating their compatibility with browsers and ecosystems, and vendors are continually releasing devices that are passkey or biometrical authenticated. All new developments will affect how passkey implementation works in practice.

A Passwordless Future

There’s no doubt that the birth of passkeys heralds the dawn of a passwordless future, where users don’t have to depend on annoying, cumbersome passwords to authenticate themselves. By utilizing innovative authentication methods, such as biometrics, hardware tokens, and cryptographic protocols, companies can move beyond the limitations of traditional passwords and boost their security posture.

This, along with the proliferation of FIDO standards and passwordless authentication technologies, highlights the industry’s collective desire to mitigate cybersecurity risks and build a more secure digital ecosystem. As businesses transition towards passwordless authentication methods, they are paving the way for a future where user identities are safeguarded by cutting-edge security measures, lowering the risk of data breaches and the resulting fallout.

Happy World Password Day! Or should that be Happy World Passwordless Day?