Security practitioners have long struggled with passwords. Credential theft is a primary goal for many attackers, as studies such as the Verizon DBIR and Mandiant M-Trends show. Credentials are a valuable commodity, with Initial Access Brokers (IABs) playing a key role in the cybercrime industry. Many large data breaches began with stolen credentials, a pattern that has its own MITRE ATT&CK technique: Valid Accounts (T1078).
It has been hard for the industry to change human behaviour and get people to use stronger, more complex, longer passwords. Such passwords are hard to remember, especially when the average user needs several of them.
Early solutions were passphrases and password managers. Web browsers also added password vaults, which users liked, but these are less secure: many breaches happened because someone stored work credentials in the web browser on their home computer, and an infostealer harvested them from there.
In recent years, Multi-Factor Authentication (MFA) gained popularity and added another security layer on top of credentials. However, attackers are creative and quickly found ways to bypass MFA or steal authentication tokens. While effective, MFA remains vulnerable to social engineering. So, what is next for defenders? Go passwordless.
Since 2018, FIDO2 has been the standard for passwordless authentication. It combines the Web Authentication (WebAuthn) specification from the W3C with the Client-to-Authenticator Protocol (CTAP) from the FIDO Alliance. FIDO2 hardware tokens are often used in high-security environments for passwordless authentication and resist phishing attacks. However, hardware tokens are inconvenient to carry and easy to lose.
Enter passkeys. Passkeys are a new way of signing in to websites and apps, replacing old-fashioned passwords with a more convenient, faster and more secure method. Passkeys use public key cryptography, which is already common on the Internet: the private key is stored on the device itself and is unlocked with a fingerprint, face scan or PIN, while the service holds only the public key. Every passkey is bound to the app or service the user wants to access, the device the user is using, and the user themselves. This unique combination of app, device and user makes passkeys resistant to phishing, unlike passwords or even MFA codes, which can be replayed from anywhere. A user therefore has multiple passkeys, one for each pair of app and device. Passkeys support authentication on the same device or across different devices.
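The two paragraphs above describe FIDO2/WebAuthn and why a passkey is bound to a service, a device and a user. The following is an added example, not code from the original article or from any FIDO Alliance or W3C project: a simplified model in Go of the WebAuthn authentication ("get") ceremony, with the authenticator generating an ES256 (P-256) key pair and the relying party performing the checks the specification requires. The relying party ID `example.com`, the allowed origin `https://example.com`, the look-alike origin `https://example.org` and the counter values are constructed for illustration. A production relying party would additionally parse the CBOR attestation object at registration and store credential IDs per user; that part is omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// rpID is the relying party identifier the passkey is scoped to (constructed example).
const rpID = "example.com"

// Credential is what the relying party stores after registration: the public key
// and the highest signature counter seen so far for this credential.
type Credential struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// clientData mirrors the CollectedClientData the browser serialises and the authenticator signs over.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the response to a navigator.credentials.get() call.
type Assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte
}

// Register simulates the authenticator minting a device-bound P-256 key pair;
// only the public half ever leaves the device.
func Register() (*ecdsa.PrivateKey, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &Credential{PubKey: &priv.PublicKey}, nil
}

// NewChallenge is the random, single-use challenge the relying party issues per login.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Sign simulates the authenticator answering a request made from `origin`.
// authenticatorData = SHA-256(rpID) || flags || counter, and the signature covers
// authenticatorData || SHA-256(clientDataJSON), as WebAuthn specifies.
func Sign(priv *ecdsa.PrivateKey, challenge, origin string, counter uint32) (*Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(rpHash[:], 0x01) // flags byte: UP (user present) bit set
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	auth = append(auth, ctr...)
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: auth, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying-party side. Each check corresponds to a WebAuthn requirement;
// the origin and rpIdHash checks are what tie the credential to one service.
func Verify(cred *Credential, a *Assertion, expectedChallenge string, allowedOrigins []string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: replayed or stale assertion")
	}
	originOK := false
	for _, o := range allowedOrigins {
		originOK = originOK || o == cd.Origin
	}
	if !originOK {
		return fmt.Errorf("origin %q not allowed: relayed from another site", cd.Origin)
	}
	if len(a.AuthData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to a different relying party")
	}
	if a.AuthData[32]&0x01 == 0 {
		return errors.New("user-present flag not set")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PubKey, msg[:], a.Signature) {
		return errors.New("invalid signature")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter <= cred.Counter {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cred.Counter = counter
	return nil
}

func main() {
	priv, cred, _ := Register()
	ch, _ := NewChallenge()
	allowed := []string{"https://example.com"}
	good, _ := Sign(priv, ch, "https://example.com", 1)
	fmt.Println("genuine login:", Verify(cred, good, ch, allowed))
	relayed, _ := Sign(priv, ch, "https://example.org", 2) // constructed look-alike origin
	fmt.Println("relayed login:", Verify(cred, relayed, ch, allowed))
}
```

In a real browser the authenticator is never even invoked when the page's origin does not fall under the relying party ID, so the look-alike-origin case would fail before any signature is produced; the relying-party origin check shown here is the second line of defence, and the challenge and counter checks catch replayed or cloned assertions. The same structure applies to registration, except that the type is `webauthn.create` and the relying party extracts the public key from the attestation object.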
Passkeys have become popular with consumer service providers, but enterprises are still slow to adopt them. As Microsoft and Apple join other identity providers, such as Okta, in supporting them, passkeys will likely see wider adoption in the future.
However, this requires enterprises to get ready for it. Those still using legacy, fragmented authentication should move to modern, unified authentication and set up universal Single Sign-On (SSO). Only then can they enable passkeys and other passwordless technologies, such as Windows Hello for Business and Face ID/Touch ID on Mac.
Passwordless, phishing-resistant authentication, such as passkeys, is the future of both cyber resilience and user experience. Enterprises are well advised to adopt it at the earliest opportunity.