Why it's time to swap your password for a passkey

For a simple security concept, passwords can create many challenges. Each website and account requires a different, unique password, resulting in users having to remember numerous, complex combinations of letters, numbers and characters – it’s no surprise that some people write passwords down.

The reliance on passwords can be problematic as they can be easily compromised through phishing attacks that target individuals and businesses daily. Inadequate password practices and the inherent difficulties surrounding the use of passwords have been proven to result in costly incidents like account takeovers, data breaches and identity theft.

Whilst over time there have been other methods to authenticate accounts, these often also fail to eliminate the risk of attacks. For example, to counteract breaches, some organisations embrace multi-factor authentication (MFA) methods such as one-time passwords (OTP), which are susceptible to interception by cybercriminals who can breach OTP databases with relative ease. Even SMS-based authentication is susceptible to phishing and cyberattacks employing similar methods.

All three of the major tech giants (Google, Microsoft and Apple) and countless other enterprises and companies around the world have embraced modern MFA for secure access to their services. We are on the precipice of replacing passwords with modern open authentication standards, like phishing-resistant FIDO2 (Fast Identity Online version two).

The FIDO2 standard provides a simpler user experience, providing multiple ways to verify users’ identities and can deploy an external tool such as a security key. This encourages the move away from passwords to more secure and user-friendly methods.

The standard also provides organisations with more secure authentication based on public key encryption, eliminating the need for passwords and, therefore, exposure to data compromises. Yubico worked with these tech giants to develop FIDO2, encouraging the widespread use of phishing-resistant and easy-to-use security devices and eliminating many problems associated with passwords for decades.

This is why some of the world's biggest tech giants have decided to kill off the password altogether and move towards modern forms of MFA, like the YubiKey, which has supported passkeys since 2018. Together, the three companies represent over 99 per cent of mobile users and over 92 per cent of desktop users, making widespread FIDO2 adoption a significant step towards ensuring greater cybersecurity for all. Given the ubiquity of passkeys the three major tech giants’ are moving away from passwords, which will likely generate substantial demand for hardware security devices and other modern MFA methods.

What are passkeys and security keys?

Passkeys are discoverable FIDO credentials that enable users to authenticate to websites without a password. Two types of discoverable FIDO credentials enable passwordless authentication and these are either “syncable” or hardware bound.

Syncable passkeys can be synced across smartphones, tablets and laptops/desktops and are primarily meant for consumer scenarios to help move away from phishing-prone passwords. By contrast, hardware-bound passkeys – where the FIDO credential stays on the portable authenticator (such as a security key like the YubiKey) – are a benefit for enterprises and high assurance consumers, or just high assurance use cases.

Storing a passkey on a hardware security key is the optimal solution to ensure greater protection, relying on a physical device unlocked by a unique PIN code or biometric fingerprint to log into an account. It requires the user to have the device in their possession and is a more robust verification method than a username and password.

User education

Since passwordless is a cultural paradigm shift as much as a technological change, user education is essential. Decades of password abuse is a hard habit to change. Organisations will therefore need to put more effort into raising awareness, so their users can feel comfortable with the new passwordless technology. Any fears can be alleviated around this more secure and convenient way of logging into their accounts.

We’re on the right trajectory towards secure and easy passkey sign-ins across devices and platforms. Passkeys solve a global problem and allow us to move away from passwords to reduce cyber breaches and phishing. However, be warned that one size does not fit all and we should be careful to consider the tradeoffs of “syncable” passkeys versus security keys with hardware attestation to know where the credentials are stored.