Written by Geoff Schomburgk, Asia Pacific Vice President at Yubico.
Passwords clearly have some significant drawbacks around usability, including the difficulty of remembering the multiple increasingly complex passwords in your head, having to write them down somewhere or using password management software to keep track of them all.
Beyond usability, there are clear security risks with passwords, as they can be easily compromised via increasingly sophisticated phishing attacks targeting consumers and businesses every day.
Poor password practices and the innate challenges around passwords have proven to lead to costly account takeovers, data breaches and stolen identities.
To combat password-based breaches, some organisations adopted what is now regarded as legacy Multi-Factor Authentication (MFA) such as One-time passwords (OTP) which are more likely to be intercepted as cybercriminals can easily break into OTP databases.
Even mobile phone authentication is vulnerable to phishing and cyberattacks from similar methods of attacks. These legacy methods are more costly for companies needing to supply users with mobile phones without being free from the risk of attacks.
This is precisely why some of the world’s biggest tech giants have decided to kill off the password altogether and move towards modern forms of MFA like passkeys and hardware security keys.
Phishing-resistant authentication standards
Now that all three of the major tech giants (Google, Microsoft and Apple) and countless other enterprises and companies around the world have embraced modern MFA for secure access to their services, we are on the precipice of replacing passwords with modern open authentication standards, like phishing-resistant FIDO2 (Fast Identity Online version two).
The FIDO2 standard provides a simpler user experience, providing multiple ways to verify users’ identities and can deploy an external tool such as a security key. This encourages the move away from passwords to more secure and user-friendly methods.
The FIDO2 standard provides organisations with more secure authentication based on public key encryption, eliminating the need for passwords and, therefore, exposure to data compromise. The tech giants worked with us to develop FIDO2, encouraging the widespread use of phishing-resistant and easy-to-use security devices and eliminating many problems associated with passwords for decades.
Encouraging the adoption of MFA
As mentioned, major companies are adopting phishing-resistant MFA using the FIDO2 standard for all mobile, desktop and browser platforms under their umbrella.
These include Apple’s iCloud, iOS and macOS; Google’s Chrome, ChromeOS and Android; and Microsoft’s Windows, Windows 365, Azure Virtual Desktop and Virtual Desktop Infrastructure, which billions of people use daily.
Together, the three companies represent over 99 per cent of mobile users and over 92 per cent of desktop users, making widespread FIDO2 adoption a significant step towards ensuring greater cybersecurity for all. Given their ubiquity, these three major tech giants heavily influence the supply side, which will likely generate substantial demand for hardware security devices and other modern MFA methods.
We have seen other players in the eco-system, like Identity and Access Management (IAM) providers, Virtual Private Network (VPN) providers and others adopting FIDO2 as their preferred authentication method.
What are passkeys and security keys?
Passkeys are discoverable FIDO credentials that enable users to authenticate to websites without a password.
Two types of discoverable FIDO credentials enable passwordless authentication and these are either “syncable” or hardware bound.
Syncable passkeys can be synced across smartphones, tablets, and laptops/desktops and are primarily meant for consumer scenarios to help move away from phishing-prone passwords.
By contrast, hardware-bound passkeys – where the FIDO credential stays on the portable authenticator (such as a security key like the YubiKey) – are a benefit for enterprises and high assurance consumers, or just high assurance use cases.
A hardware security key is the optimal solution to ensure greater protection, relying on a physical device unlocked by a unique PIN code or biometric fingerprint to log into an account.
It requires the user to have the device in their possession and is a more robust verification method than a username and password. Organisations can also comply with the FIDO2 standard, which replaces passwords entirely.
Making the move to passwordless with FIDO2
Many organisations will now be encouraged to move towards a passwordless future to ensure their systems are more secure.
Implementing these practices will help mitigate cyber risks and allow IT staff to spend more time on strategic projects.
However, now that the big players are entirely on board with passwordless, which are the services we all engage with every day, the adoption of modern authentication methods will rise sharply. It is clear that passwords aren’t disappearing anytime soon, and it will certainly take effort on a global scale to get all apps and websites to move away from them together. Although a passwordless future is heading our way, it will take time to fully incorporate FIDO2 technology everywhere.
User education
Since passwordless is a cultural paradigm shift as much as a technological change, user education is essential. Decades of password abuse are a considerable habit to kick!
Organisations will therefore need to put significant efforts into raising awareness, so their users can feel comfortable with the new passwordless technology. Any fears can be alleviated around this more secure and convenient way of logging into their accounts.
We’re on the right trajectory towards secure and easy passkey sign-ins across devices and platforms. Passkeys solve a global problem and allow us to move away from passwords to reduce cyber breaches and phishing.
However, be warned that one size does not fit all and we should be careful to consider the tradeoffs of “syncable” passkeys versus security keys with hardware attestation to know where the credentials are stored.
