Passkeys as a secure alternative to passwords

11. December, 2023

The security of many digital services and networks depends on a password. As a result, passwords are a popular target: phishing attacks are one of the most common security incidents in organizations. Passkeys can provide a solution.

Strengthen password security in your company

Strong passwords need to be long, unique, and available at all times. If they are lost or fall into the wrong hands, they can be very damaging.

Organizations can improve password security by enforcing password policies regarding length, complexity, and frequency of change, educating employees, and implementing two- or multi-factor authentication.

Access restrictions such as least privilege, monitoring for suspicious activity and regular security audits also help to identify threats early and limit the damage.

Use passkeys instead of traditional passwords

Advanced authentication methods should reduce the reliance on passwords and eliminate their known weaknesses. In addition to biometrics, passkeys are another possibility.

While passwords are created by the user, passkeys are cryptographically generated keys or strings, often created by algorithms. They tend to be more complex and longer than traditional passwords. Passkeys can be part of authentication protocols such as FIDO2, which are based on asymmetric encryption using a public key for authentication and a private key for decryption.

The FIDO Alliance is an open alliance of many key industry players focused on developing open, interoperable authentication standards to improve the security and usability of digital services. [1] [2]

FIDO2 authentication methods

In the early days and during the development of FIDO, additional hardware tokens with security chips were commonly used. This had the disadvantage of additional acquisition and set-up costs and often lacked full software support for many popular services. Passkeys are the next step in a long history of integration. Instead of new hardware, they use something that is now widely available: the user’s own, usually mobile, end device.

Today’s systems are equipped with security chips and biometrics. The Passkeys concept uses these features in conjunction with the W3C’s Web Authentication function (WebAuthn), which is standardised as of 2018, to implement simpler and more secure user identification. [3]

It is based on the use of public-private (asymmetric) cryptography. When re-registering or switching to passkey authentication, a new matching key pair is generated. The public key is stored with the service, while the private key remains on the user’s personal device. When logging in, the requested service sends a request using the public key. A local unlocking process using PIN or biometrics (e.g., facial recognition/fingerprint) must be performed on the device to start this process. The task is then solved using the private key and the result is sent back. [4]

Advantages of passkeys in the corporate sector

Because of their cryptographic nature, passwords are extremely difficult to guess or crack. They also prevent the reuse of passwords across services or platforms. As part of authentication protocols such as FIDO2, they also provide protection against phishing and man-in-the-middle attacks, as they cannot be easily intercepted or duplicated. Passkeys therefore significantly increase the security of data and systems.

Unlike complex passwords, passkeys can often be used without much user intervention. They can be part of automated authentication processes where the user does not even see the passkey. This eliminates the need for complex password queries and the need to remember these complex strings and therefore increases usability.

Current support and implementation of Passkeys

At the operating system level, Passkeys have been supported by Google and Apple on current devices since 2022. Microsoft is working on finalising support in Windows for late 2023 to early 2024. Microsoft Edge, Google Chrome, and Safari are already well-prepared for the different browsers that most people use to access services. Only Firefox already supports FIDO hardware tokens but does not yet fully support the advanced features of passkeys. The good news is that the list of services supporting passkeys is growing. [5]

Passkey enrolments can be securely synchronised across multiple devices using the major platforms from Apple, Google and Microsoft – also a significant evolution from FIDO tokens. To access services from additional or third-party devices, it is possible to log in from your own device via Bluetooth or QR codes.

The combination of broad support from the big players in the industry, the ease of use of existing and widely available hardware such as smartphones, and the focus on the best possible user experience seems very promising. Unlike passwords, passkeys only exist on the user’s own device and cannot be written down or accidentally intercepted by the wrong person. Protection against phishing and misuse is therefore very high.