Passwords have been used for decades to protect all types of information, but there are many challenges associated with them.
Password fatigue, the frustration employees feel at the number of passwords they must remember for different accounts, poses a challenge for enterprises: it leads users to resort to weak or reused passwords, which compromises security and increases the risk of unauthorized access and potential data breaches.
Securely managing many user passwords across various systems and accounts translates into a password management burden. It includes tasks such as enforcing password policies, password resets, user authentication, and ensuring password security, which can be time-consuming, resource-intensive, and prone to human error.
Use of weak and reused passwords also poses significant risks, including increased vulnerability to unauthorized access, hacking, and data breaches. Attackers can exploit weak passwords easily, compromising user accounts and potentially gaining access to sensitive information, financial assets, personal data, and even control over entire systems or networks.
It is important for enterprises to protect themselves from phishing attacks to safeguard their sensitive information, financial assets, and reputation. Phishing attacks can lead to data breaches, financial losses, and compromised customer trust.
The goal in the long term is to replace passwords using a stronger, yet easier alternative.
What Are Passkeys?
Passkeys are a cryptographic entity used for authentication and access control purposes, as a replacement for traditional passwords. Unlike passwords, passkeys are generated using cryptographic algorithms and are stored securely on a user's device, on an external (hardware) security key, or online using a password manager.
While the concept is not new, Microsoft, Apple, Google, and other big tech companies have finally unified around a single standard, guided by the Fast IDentity Online (FIDO) Alliance, an industry consortium and standards organization focused on addressing the challenges of password-based authentication and improving online security.
How Do They Work?
When using a passkey to authenticate with a website (like Gmail):
1. If no passkey exists yet, the user’s device will generate a new cryptographic keypair
a. The private key will be stored on the device (and eventually synced to the cloud)
b. The public key will be shared with the website
2. During authentication
a. The website challenges the device to sign a specific message using the private key
b. The user's device performs the signing operation, creating a digital signature
c. The website then verifies the signature using the associated public key.
3. If the verification succeeds, the user is authenticated without the need for a traditional password.
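The challenge-response exchange in steps 1 to 3, as an added example that is not part of the original article and not any vendor's implementation: a simplified WebAuthn-style flow in Go, where the relying party (the website) stores only the public key, issues a fresh random challenge per login, and verifies a signature over that challenge bound to its own site identity (the rpID, here the constructed sample "mail.example.com"). The user name "alice" and all function names are assumptions for the illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// The relying party (the website) stores only public keys, one per registered user.
type relyingParty struct {
	rpID string                      // site identity, e.g. "mail.example.com" (constructed sample)
	keys map[string]*ecdsa.PublicKey // username -> registered public key
}
func newRelyingParty(rpID string) *relyingParty {
	return &relyingParty{rpID: rpID, keys: map[string]*ecdsa.PublicKey{}}
}

// Step 1: the device generates a keypair and shares only the public key; the private
// key is returned only so the caller can play the device's role, it never reaches the RP.
func register(rp *relyingParty, user string) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.keys[user] = &priv.PublicKey
	return priv, nil
}

// Step 2a: the website issues a fresh random challenge for every login attempt.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// What gets signed: the challenge bound to the site identity the device actually sees.
func signedMessage(challenge []byte, rpID string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), rpID...))
	return h[:]
}

// Step 2b: the device signs for the origin it is talking to, using the private key.
func deviceSign(priv *ecdsa.PrivateKey, challenge []byte, seenOrigin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(challenge, seenOrigin))
}

// Steps 2c and 3: the website verifies with the stored public key and its own rpID,
// so a signature made for a look-alike origin or for an earlier challenge fails.
func (rp *relyingParty) verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	return ok && ecdsa.VerifyASN1(pub, signedMessage(challenge, rp.rpID), sig)
}
```

Real WebAuthn signs a richer structure (authenticator data plus a hash of the client data carrying the challenge and origin), but the origin binding shown here is what gives passkeys their phishing resistance.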
Key-based authentication enhances security, protects against password-related risks, and offers a streamlined user experience.
Even if malicious actors managed to extract the passkey, they would not be able to make any use of it, as it is encrypted and protected by either biometrics (ex: fingerprint or face scan) or a PIN or device password, the same one used to unlock the device's screen lock.
Furthermore, where passkeys can be stored on hardware tokens, cross-device authentication can also be used, which relies on Bluetooth Low Energy (BLE) technology to verify that the authenticating device (ex: mobile phone) is in proximity to the device trying to log in (ex: laptop).
Depending on the mobile device OS, passkeys can be synced across multiple devices using cloud services, so users don’t need to enroll each of their devices for each service or app they need to access, but only once, after which all their devices are virtually enrolled for them.
Passkeys vs. Certificates
Certificates generally provide a higher level of security. They are based on public key infrastructure (PKI) and involve the use of public and private key pairs; private keys remain securely stored, while public keys are embedded in certificates. This asymmetric encryption provides stronger protection against attacks like password guessing or brute forcing.
But they can be more challenging to manage in large-scale enterprise environments: Certificate-based Authentication (CBA) requires a robust certificate infrastructure, including a Certificate Authority (CA) and a system for certificate issuance, revocation, and renewal. Managing certificates for a large number of users and devices can be more complex and resource-intensive compared to passkeys.
The use of one or the other technology will ultimately depend on the specific use cases and requirements of every organization. Certificates are commonly used for scenarios that require strong authentication and secure communication, such as accessing highly sensitive systems, encrypting emails, or establishing secure Virtual Private Network (VPN) connections, while passkeys are more suitable for less critical applications or situations where simplicity and ease of use are prioritized over advanced security features.
Where Can They Be Used?
Passkey-based authentication methods, such as FIDO2, have gained traction and are considered more secure than traditional passwords. However, the maturity and widespread adoption of these methods can vary across different industries and organizations.
Enterprises also need to assess the compatibility and integration of passkey-based authentication methods with their existing systems and applications. This includes evaluating support from identity and access management (IAM) solutions, directory services, and applications that may require authentication.
Transitioning to passkeys or password-less authentication requires user acceptance and understanding. Employees need to be educated about the new authentication methods, potential benefits, and how to use them effectively.
Finally, enterprises should conduct a thorough risk assessment to evaluate the potential risks and benefits associated with replacing passwords. This includes considering factors like the sensitivity of the data being protected, regulatory requirements, and the impact on user workflows.
Regarding scalability, users are not required to enroll each device for each service, only each service once. Passkeys will be available on all their devices, even replacements.
For organizations that do not require passkey syncing between a user's different devices, storing them on a FIDO2-compliant security key is a great option; these keys can easily connect to the user's device using either USB or wireless connections like NFC and Bluetooth, making them available for use with both desktop computers and mobile devices. Note however that, unlike online-stored passkeys, in case of loss or reset no backup of the device-bound passkeys would be available.
Consumer Online Services
Although major vendors like Microsoft, Apple, and Google have already updated their respective operating system (OS) and applications to actively support passkeys, there are still some limitations and incompatibilities (ex: passkeys used on Apple devices will work on Windows computers, but not the other way around), although these should be solved in the coming months.
Passkeys can help replace passwords in an enterprise environment by offering several advantages.
Improved User Experience
Passkeys can offer a more convenient and seamless user experience. Once the passkey is securely stored, users don't need to manually enter passwords each time they access systems or resources. This can save time and reduce frustration associated with password entry.
Passkeys provide a higher level of security compared to passwords. They are typically longer and more complex, making them harder to guess or crack through brute force attacks. Additionally, passkeys are resistant to common password-based attacks like phishing and credential reuse. They also protect against insider threats. In the case where an employee’s password is compromised, the passkey stored on their device or token remains protected, making it more challenging for malicious insiders to gain unauthorized access to critical systems or data.
Two-Factor Authentication (2FA)
Passkeys can be combined with other authentication factors, such as biometrics or hardware tokens, to implement strong two-factor authentication. This adds an additional layer of security by requiring something the user possesses (the passkey) and something they are (biometric data) or something they have (hardware token).
Reduced Password Management Burden
Password management is a significant challenge in enterprise environments, with users often having multiple passwords across various systems. Passkeys eliminate the need for users to remember complex passwords since the keys are securely stored on their devices or tokens, reducing the risk of weak or reused passwords.
Resistance to Credential Theft
Since passkeys are typically stored securely on a user's device or hardware token, they are less susceptible to theft compared to passwords stored on servers or transmitted over networks. This makes passkeys a more robust solution against credential theft or compromise.
Centralized Management
Passkeys can be managed centrally by an enterprise, allowing administrators to control access, revoke or update passkeys when needed, and enforce security policies more effectively.
And a Few Cons…
While passkeys undeniably offer additional security benefits, there are some potential drawbacks to consider when replacing traditional passwords with passkeys in an enterprise environment.
Introducing passkeys into an existing enterprise system can be complex and require significant changes to the authentication infrastructure. This may involve integrating with existing identity management systems, developing new APIs, and ensuring compatibility with various devices and platforms. The implementation process can be time-consuming and resource intensive.
Dependency on Third Parties
Passkeys are often delivered through separate channels like email or SMS. This introduces a dependency on the availability and reliability of these channels. If the delivery mechanism fails or experiences delays, users may have difficulty accessing their passkeys, leading to frustration and potential disruption of work.
Dependency on Mobile Devices
Some passkey systems rely on mobile devices to generate or receive passkeys. This can be inconvenient for employees who may not have access to smartphones or may not want to use their personal devices for work-related authentication. Additionally, reliance on mobile devices could pose a security risk if devices are lost or compromised.
Implementing and maintaining a passkey system may involve additional costs. This can include expenses related to infrastructure upgrades, licensing fees for passkey management software, ongoing maintenance and support, and potential costs associated with user training and support.
User Training and Adoption
Passkeys introduce a new authentication method that users may not be familiar with. Employees will need to be educated and trained in how to use and manage passkeys effectively. This training effort can require additional resources and ongoing support to ensure users understand the process and follow best practices.
Passkeys have become an easy, user-friendly replacement for traditional passwords and may prove to be safer in the long term, for both consumer and enterprise services. However, this will depend on whether major vendors start embracing and adopting that option widely. In the meantime, the more you educate your employees about the use of passkeys, the better. You may find that, with the enhanced security and centralized management, passkeys are the right option for your organization. However, it’s also important to consider how difficult they may be to implement in your environment, or whether you want to rely on third parties and mobile devices. Please don’t hesitate to reach out to the team at ISEC7, and we can provide an objective assessment of what can address the needs of your organization and/or the risk mitigation needed to enhance your current solution(s).
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group