Passkeys: a secure solution to replace passwords forever

Yubico is a Business Reporter client.

As more of our personal and working lives move online, we’re all using a bigger range of online services, meaning more pressure to create and remember passwords. Often, these passwords are shared across business and personal devices, so a breach in an individual’s life outside work can cause havoc for their employer, too.

Obvious passwords are all too easy for hackers to uncover, and users’ tendency to duplicate these across multiple sites means criminals can gain access to someone’s entire online activity from finding out just one password. In fact, according to Security.org, 68 per cent of people use the same password for all of their accounts. More difficult passwords, meanwhile, will be more secure and harder to guess – but run the risk of being forgotten, leading to users being locked out of accounts altogether. For businesses, passwords are inherently risky, not least because of the growing threat of phishing, where users are tricked into providing login credentials to criminals.

An increasingly popular, and inherently more secure, option is passkeys. “Passkeys use cryptography to create digital keys which protect your accounts from attacks such as phishing and credential stuffing”, says Christopher Harrell, Chief Technology Officer at Yubico, a leading provider of multi-factor authentication. “Passkeys are built to replace passwords, and create a much more secure and usable experience. They are stored on a device such as your smartphone or on a physical security key. Instead of a website asking for you to type your password to log in, you’ll confirm your identity via a passkey.”

Each passkey is a keypair consisting of a public key and a private key, adds Harrell. “The public key is stored by a website or service, while the private key remains on your device,” he says. “Successful authentication relies on proving possession of the private key in a way that the service with the public key can verify.” Crucially, passkeys are phishing-resistant and can’t be stolen or intercepted during use and, as each one is linked to a specific website or app, passkeys prevent credential attacks by phishing sites.

It’s important that businesses and individuals understand the different forms of passkey that are available, to make an informed choice about what approach is best for them. Syncable passkeys, offered by platforms such as Apple and Google, can be shared among smartphones, tablets, laptops or desktops. These are primarily meant for lower assurance scenarios, to help people move away from phishing-prone passwords. “In the event of a lost device, syncable passkeys can make account recovery easier if the user has another device that works with the cloud-syncing service they used and remembers the recovery credentials,” points out Harrell.

The ultimate protection comes from hardware-bound passkeys, such as Yubico’s YubiKeys, where a passkey stays on one physical device. “They are a benefit for organisations and higher-risk individuals because they provide the highest levels of assurance and are easy to understand and build systems around: no device, no access,” says Harrell. “Syncable passkeys can be convenient but that comes at a cost. If the passkey recovery mechanisms aren’t phishing-resistant then attackers will shift their phishing efforts to those.”

Despite the growing availability of passkeys, public awareness still has some way to go. More than half – 59 per cent – of business accounts are still authenticated using username and passwords, according to Yubico’s State of Global Enterprise Authentication Survey. Meanwhile, 22 per cent of employees still believe usernames and passwords are actually the most secure way to authenticate, although 61 per cent of employees and 79 per cent of senior leaders believe their organisations need to upgrade to more modern phishing-resistant forms of multi-factor authentication, such as hardware security keys.

The profile of passkeys is set to grow in the coming years, with major operating systems now starting to support fully password-less options, and incorporating security-focused hardware into their designs. Mainstream services are incorporating support for passkeys as a method to authenticate into accounts. Google recently announced that it will make passkeys the default sign-in method for all users on its Android or Chrome platforms. Passkeys can also be used to secure Apple ID and iCloud accounts, and Amazon has enabled support for passkeys for accessing Amazon and AWS accounts.

Harrell is hopeful that such efforts will help to improve security for businesses and consumers, and ultimately reduce the risk of companies and individuals falling victim to cyber-criminals. “As passkeys continue to gain momentum around the world, we’ll see the advantages and the differing levels of security available continue to become widely accepted and understood,” he predicts.

To find out more about Yubico and how the YubiKey can protect your online accounts, please visit yubico.com.