How passkeys pave the way for passwordless authentication

Fast Identity Online (FIDO) outlines secure authentication protocols that are available to all. Now, Microsoft, Google and Apple are doubling down on passkeys to support FIDO Alliance. Their goal is to normalize passwordless authentication and eliminate passwords from the user authentication equation. FIDO Alliance seeks to bring the idea of the "password" into modern times with stronger security -- by developing the FIDO protocols and setting a new standard.

The rationale behind this movement is the growing recognition that passkeys can succeed where passwords have previously failed. How so? 

To answer that question, it’s worth breaking down what passkeys are and how they operate.

What are passkeys

Simply put, a passkey is a type of digital credential used to verify a user’s identity and, by extension, that user’s access privileges. Once created, the passkey can allow a user to authenticate their identity without having to answer standard log-in fields such as username, password, or other common inputs. In this way, it effectively renders passwords moot.

Passkeys work in accordance with FIDO and W3C Web Authentication (WebAuthn) standards, which make use of public key cryptography. What this means is that a generated passkey results in a pair of keys – one public, one private. The public key is stored and known only to the application or website’s server where the passkey request originated. The private key, meanwhile, is registered to the authenticating device that belongs to the user. Therefore, even if an attacker infiltrated the server to acquire the public key, they would still not possess the other crucial half  — the private key that is specific to the user’s device. 

So when a user attempts to sign into a web application, the relying party (in this case, the application) checks that the public key generated for that user matches the user signature created by the private key on the authenticating device. If there’s a match, the user is granted access.

Why passwords fail

Passkeys represent an opportunity to rectify many of the mistakes resulting from password use through the years. And those mistakes continue to plague organizations, according to several research studies conducted between 2020 and 2022. Consider that:

#1: 48% of the more than 350 IT respondents surveyed by CyberRisk Alliance in 2021 said their organization had suffered credential-based phishing attacks involving passwords in the previous three months. 

Credential-based phishing attacks, which exploit weak password habits, affected roughly half of all respondents surveyed by CyberRisk Alliance in Q1 and Q3 of 2021.

#2: 33% of IT leaders believe their organization’s personnel make minimal changes to passwords or recycle previously used passwords, and 91% are very or somewhat worried about passwords being stolen at their organization.

#3: Close to half of all records breached included at least some form of login credentials. Findings published in 2022 revealed more than 24 billion username and password combinations circulating in cybercriminal marketplaces, a 65% increase over a previous study conducted in 2020. 

#4: Password fatigue is real and getting worse. In a 2022 survey of 2,000 U.S. consumers, 57% of respondents expressed frustration in dealing with knowledge-based authentication that puts the burden on the user to recall and retain passwords from memory. Additionally, 63% saw resetting their password as a major inconvenience and would support their organization instituting user-friendly alternatives.

Prevent credentials from being compromised

Passwords also provide very little defense against most cyber attacks. Phishing, keylogging, and password cracking tools give adversaries plenty of ammunition to target low-strength or heavily reused passwords. Moreover, if even one password is leaked, then there's a high chance that the same password is in use and can be exploited across other accounts.

Passkeys are a different story. First, the burden is no longer on users to manage, remember or maintain login details. The passkey automatically generates the cryptographic public and private key pair by linking the relying party (application or site) to the user’s authenticating device. Nothing in this arrangement requires the user to recall alphanumeric strings from memory. 

Second, passkeys are significantly more secure than passwords. Suppose, for example, that a user registers a passkey for their email account. If the user was targeted by a phishing attack – such as being presented with a lookalike email login page – the attack would fail because the private key on the user’s device wouldn’t recognize the signature of the public key generated by the original relying party (i.e. the genuine email account).

Third, passkeys save time. Users no longer need to reset their credentials or submit tickets to IT departments for a fix. Nor do they have to submit the same information again and again each time they log in. Passkeys grant them passwordless authentication to access their profiles without delay.

Introducing passkeys for passwordless authentication

It may be a while before passwords disappear entirely, but more companies are beginning to see passwordless authentication as the secure, sustainable alternative. And passkey technology is helping pave the way. 

For organizations exploring such a move, there’s a few features to keep an eye on when evaluating passwordless security solutions. 

#1: Single sign on. Employees shouldn’t have to recall a unique set of credentials for each separate application and service they use. Single sign on (SSO) relieves password fatigue by allowing the user one set of credentials to access multiple applications. Not only does SSO save time, but it also reduces the attack surface by eliminating the need to use separate accounts and passwords.

#2: Multi-factor authentication. With multi-factor authentication (MFA), passwords are replaced with two or more authentication mechanisms such as biometrics, FIDO security keys, or other device authentications to verify that a user is who they say they are.

#3: Risk management. Organizations should seek out risk management tools and policies to improve intelligence and security analytics. Risk management pairs well with passwordless MFA by aggregating data from across the network — device activity, risk signals, session logs, and authentication flows — to give organizations more visibility into threats and suspicious behavior. 

#4: Standardize FIDO: To embed smart passwordless practices, organizations should consider implementing FIDO policies—the first passwordless open standard—for stronger security controls. FIDO emphasizes the use of open and scalable technical specifications that allow people to access websites and apps through a common protocol. 


Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.