Passwords have been used for decades to protect all types of information, but there are many challenges associated with them.
 
Password fatigue, the frustration employees feel at the number of passwords they must remember for different accounts, poses a challenge for enterprises: it leads users to resort to weak or reused passwords, which compromises security and increases the risk of unauthorized access and data breaches.
 
Securely managing many user passwords across various systems and accounts translates into a password management burden: enforcing password policies, handling password resets, authenticating users, and keeping passwords secure are tasks that are time-consuming, resource-intensive, and prone to human error.
 
Use of weak and reused passwords also poses significant risks, including increased vulnerability to unauthorized access, hacking, and data breaches. Attackers can exploit weak passwords easily, compromising user accounts and potentially gaining access to sensitive information, financial assets, personal data, and even control over entire systems or networks.
 
It is important for enterprises to protect themselves from phishing attacks to safeguard their sensitive information, financial assets, and reputation. Phishing attacks can lead to data breaches,
financial losses, and compromised customer trust.
 
The long-term goal is to replace passwords with a stronger, yet easier, alternative.
 
What Are Passkeys?
Passkeys are cryptographic credentials used for authentication and access control as a replacement for traditional passwords. Unlike passwords, passkeys are generated by cryptographic algorithms rather than chosen by the user, and they are stored securely on the user's device, on an external hardware security key, or online with a password manager.
 
While the concept is not new, Microsoft, Apple, Google, and other big tech companies have finally unified around a single standard, guided by the Fast IDentity Online (FIDO) Alliance, an industry consortium and standards organization focused on addressing the challenges of password-based authentication and improving online security.
 
How Do They Work?
When using a passkey to authenticate with a website (like Gmail):
 
1. If no passkey exists yet, the user's device generates a new cryptographic keypair:
a. The private key is stored on the device (and eventually synced to the cloud).
b. The public key is shared with the website.
 
2. During authentication:
a. The website challenges the device to sign a specific message using the private key.
b. The user's device performs the signing operation, creating a digital signature.
c. The website then verifies the signature using the associated public key.
 
3. If the verification succeeds, the user is authenticated without the need for a traditional password.
 
Key-based authentication enhances security, protects against password-related risks, and offers a streamlined user experience.
 
[Figure: passkey sign-in flow. Panel captions: a passkey is used for authentication instead of a traditional password; the user is prompted for biometrics to unlock the corresponding passkey; the user is successfully authenticated.]
Even if malicious actors managed to extract the passkey, they would not be able to make any use of it, as it is encrypted and protected by biometrics (e.g. a fingerprint or face scan), a PIN, or a device password, the same one used to unlock the device's screen lock.
 
Furthermore, when passkeys are stored on hardware tokens, cross-device authentication can be used, which relies on Bluetooth Low Energy (BLE) to verify that the authenticating device (e.g. a mobile phone) is in proximity to the device trying to log in (e.g. a laptop).
 
Depending on the mobile device OS, passkeys can be synced across multiple devices using cloud services, so users do not need to enroll each of their devices with each service or app they need to access; they enroll once, after which all their devices are effectively enrolled for them.
 
Passkeys vs. Certificates
Certificates generally provide a higher level of security. They are based on public key infrastructure (PKI) and involve the use of public and private key pairs; private keys remain securely stored, while public keys are embedded in certificates. This asymmetric cryptography provides stronger protection against attacks like password guessing or brute forcing.
 
But they can be more challenging to manage in large-scale enterprise environments. Certificate-based Authentication (CBA) requires a robust certificate infrastructure, including a Certificate Authority (CA) and a system for certificate issuance, revocation, and renewal. Managing certificates for a large number of users and devices can be more complex and resource-intensive compared to passkeys.
 
The use of one or the other technology will ultimately depend on the specific use cases and requirements of every organization. Certificates are commonly used for scenarios that require strong
authentication and secure communication, such as accessing highly sensitive systems, encrypting emails, or establishing secure Virtual Private Network (VPN) connections, while passkeys are more
suitable for less critical applications or situations where simplicity and ease of use are prioritized over advanced security features.
 
Where Can They Be Used?
 
Enterprise Workplace
Passkey-based authentication methods, such as FIDO2, have gained traction and are considered more secure than traditional passwords. However, the maturity and widespread adoption of these methods
can vary across different industries and organizations.
 
Enterprises also need to assess the compatibility and integration of passkey-based authentication methods with their existing systems and applications. This includes evaluating support from
identity and access management (IAM) solutions, directory services, and applications that may require authentication.
 
Transitioning to passkeys or password-less authentication requires user acceptance and understanding. Employees need to be educated about the new authentication methods, potential benefits, and
how to use them effectively.
 
Finally, enterprises should conduct a thorough risk assessment to evaluate the potential risks and benefits associated with replacing passwords. This includes considering factors like the
sensitivity of the data being protected, regulatory requirements, and the impact on user workflows.
 
Regarding scalability, users are not required to enroll each device for each service, only each service once. Passkeys will be available on all their devices, even replacements.
 
For organizations that do not require passkey syncing between a user's different devices, storing them on a FIDO2-compliant security key is a great option; these keys connect easily to the user's device over USB or wireless connections like NFC and Bluetooth, making them usable with both desktop computers and mobile devices. Note, however, that unlike passkeys stored online, device-bound passkeys have no backup: if the security key is lost or reset, they are gone.
 
Consumer Online Services
Although major vendors like Microsoft, Apple, and Google have already updated their respective operating systems (OS) and applications to actively support passkeys, there are still some limitations and incompatibilities (e.g. passkeys used on Apple devices will work on Windows computers, but not the other way around), although these should be solved in the coming months.
 
Many Pros
Passkeys can help replace passwords in an enterprise environment by offering several advantages.
 
Improved User Experience
Passkeys can offer a more convenient and seamless user experience. Once the passkey is securely stored, users don't need to manually enter passwords each time they access systems
or resources. This can save time and reduce frustration associated with password entry.
 
Enhanced Security
Passkeys provide a higher level of security compared to passwords. They are typically longer and more complex, making them harder to guess or crack through brute force attacks. Additionally, passkeys are resistant to common password-based attacks like phishing and credential reuse. They also protect against insider threats: even if an employee's password is compromised, the passkey stored on their device or token remains protected, making it more challenging for malicious insiders to gain unauthorized access to critical systems or data.
 
Two-Factor Authentication (2FA)
Passkeys can be combined with other authentication factors, such as biometrics or hardware tokens, to implement strong two-factor authentication. This adds an additional layer of
security by requiring something the user possesses (the passkey) and something they are (biometric data) or something they have (hardware token).
 
Reduced Password Management Burden
Password management is a significant challenge in enterprise environments, with users often having multiple passwords across various systems. Passkeys eliminate the need for users to remember
complex passwords since the keys are securely st
 
Isec7 is a managed IT service firm that offers mobile application development, analytics and cloud services to businesses and governmental organizations.