
The End of Passwords? Embrace the Future with Passkeys.

2 July 2024 at 07:00
By Alexandre Baratin

Yesterday, unexpectedly, my personal Google account suggested using passkeys for login. This is great news: passkeys are a game-changer for cyber security, because they could resolve one of the biggest headaches in the field, the use of passwords.

(Decorative image: a hand holding a smartphone with a lock and a secret from which multiple paths start.)

The problem with passwords.

For decades, we have struggled with passwords as an authentication tool. They constitute a conceptually very weak solution for digital security, and their use is far more prone to abuse than most people realize. The intense use of digital applications forces users to juggle hundreds or thousands of passwords. Human behaviour led to poor practices: with password re-use, a single password stolen by criminals can open access to many services at once. Attempts to increase password length and complexity were circumvented by people keeping a paper list of their passwords. The universal use of authentication to access a wide array of personal and business applications has created a situation where, to stay secure, a password manager and multi-factor authentication (MFA) are indispensable for critical services.
According to Google Cloud’s 2023 Threat Horizons Report, 86% of security breaches involve stolen credentials. IBM estimates the global average cost of a security breach was $4.45 million in 2023.
So how can we, in a structural way, eliminate the dangers associated with a single password per service and instead trust something more resilient, for both our private and professional digital lives?

Why passkeys are a game-changer.

After its creation in 2013, the FIDO (Fast IDentity Online) Alliance paved the way in 2018 for the introduction of FIDO2 keys. The size of a USB stick, they securely store a cryptographic credential and allow authentication on any kind of device (laptops, smartphones, etc.). The best-known product leveraging this technology is the YubiKey. These products have a good reputation and reasonable adoption among users and institutions aware of the dangers of passwords.
But while such a key offers one of the best protections available on the market, the need to buy and manage a separate token is a showstopper for many individuals, even though they use passwords every day. Passkeys offer a much better alternative.
So, why am I so enthusiastic about passkeys? Because they solve the issues associated with passwords for both security professionals and everyday users.

Here’s how passkeys shine:

  • Enhanced Security: Passkeys are resistant to phishing and brute-force attacks. They are long, randomly generated keys rather than memorable secrets, so they cannot be guessed.
  • Privacy: The private key never leaves the user’s device, reducing the risk of theft.
  • Convenience: No need to remember complex passwords.

What exactly are passkeys?

Do not confuse passkeys with passphrases. Passphrases, like passwords, are secrets you need to remember and enter manually. They are just longer passwords. Passkeys, however, are fundamentally different.
Passkeys rely on asymmetric cryptography, meaning they consist of:

  • A Private Key: Securely stored on the user’s device.
  • A Public Key: Shared with the server to verify the user’s identity.
  • A Challenge-Response Mechanism: Used to authenticate the user without exposing the private key.

Here is a simplified description of the logon process.

Figure: the passkeys logon process. Source: Bitwarden.com.

The private key is the crucial element to secure, often stored in a password vault or, even better, in the TPM chip of your computer. Any modern smartphone or computer offers a way to securely store a private key, making it straightforward to use passkeys. As a fallback, password managers offer a reliable storage solution.

Built on open standards.

Passkeys are based on open standards developed by the FIDO Alliance. Security keys like YubiKey are also based on those standards. However, earlier versions required buying a physical key and were often complicated to initialize. For companies, the cost of buying and managing large numbers of physical keys was also a barrier.
Modern passkeys no longer require a token but can be installed as software. Together with the widespread adoption of MFA, they offer a truly passwordless solution, compatible with state-of-the-art devices, and therefore easy to obtain and install.

For both personal and corporate use.

Tech giants like Google, Microsoft, Apple, Amazon, and Meta are now adopting passkeys. For users, logging in will be as simple as validating the connection on their phone, using a PIN or biometric authentication.
For companies, passkeys and FIDO standards represent an opportunity to enhance security by reducing the risks associated with traditional password use and implementing a passwordless strategy. Passkeys are easy to use, easy to deploy, cost-effective, and robust. All major cloud vendors provide guidance on implementing passkeys or other passwordless solutions based on FIDO standards, and Microsoft provides guidance for Active Directory implementations.

One more thing remains: where to keep your secrets?

When you use passkeys, keeping your private keys safe is crucial. You might be wondering where to put that secret. After all, you don’t want anyone else getting their hands on your private key. The good thing is that you have plenty of options. The not so good thing is that they all have their pros and cons. As always, you will have to balance security and convenience.

The table below shows your alternatives for storing your passkeys:

Store your passkeys in                                   | Pros                                                                                          | Cons
TPM chip of your computer                                | High security; the integrated TPM chip protects against hardware and software attacks         | Less flexible for multi-device access
Smartphone                                               | Convenient and mobile; dedicated security modules (Apple Secure Enclave, Android TrustZone)    | Problems if lost or stolen without backups
IAM (Identity and Access Management) solutions (Google Cloud IAM, Azure AD, AWS IAM) | Centralized management, advanced security, multi-factor support | Complex setup and management, dependency on cloud services
Password managers (1Password, Dashlane, Bitwarden, …)   | Flexibility, multi-device access, robust encryption                                           | Depends on the security of the manager, risk of compromise
Hardware security keys (YubiKey, Google Titan)           | Maximum security, portable, compatible with many services                                     | Need to carry the key, risk of loss or theft

Table: alternatives for storing your passkeys.

A natural choice for a company is to leverage an existing IAM solution. For instance, when using Microsoft Entra ID, the built-in features enable the technology. For Apple users, there is a similar mechanism that works on both iOS and macOS.
I do not use YubiKeys yet, but they are the best option for storing my passkeys. Currently, I keep my passkeys in my favourite password manager, and I am hoping to change all my passwords soon!

The Future Norm?

Passkeys will become the new norm in a few years. Users will realize that passkeys simplify their lives, and companies and users alike will appreciate the reduced risk of breaches from phishing or brute-force attacks. However, building user trust in passkeys remains a challenge, as it was for the adoption of password managers. Employers and providers of digital services should find effective ways to explain the importance and benefits of adopting passkeys, just as they previously advocated the use of strong, complex passwords.

Looking ahead, passkeys will be particularly valuable in a quantum computing future. Although current passkeys do not yet use quantum-resistant cryptography, they offer a flexible and scalable solution: updating and replacing passkeys will be significantly easier than replacing traditional passwords (finally, no more generating and remembering new secret passwords). Personally, I am adopting passkeys for every service that offers them as an option. At NVISO, we are encouraging customers to include a passwordless strategy in their zero-trust journey.

What about you? Is it the first time you are hearing about passkeys? Are you using them personally or have you seen companies successfully deploying them? Feel free to share your thoughts and questions in the comments below!


Alexandre Baratin

Alexandre Baratin is a Cyber Security Consultant active in the Cyber Security and Architecture team at NVISO. With a comprehensive background in IT and Cyber Security, he assists companies on their Cyber Security journey by enhancing security awareness, developing or refining GRC processes, and managing the security program through NVISO’s CISO as a Service offering.

Alexandre possesses the most recognized certifications in IT, project management, cybersecurity, and cloud computing.
