Recognizing the vulnerabilities of passwords, more and more businesses are now offering a passkey login option to their users. However, there are still too many that do not. To discuss why some organizations are hesitant to adopt this technology, I recently spoke with Andrew Shikiar, the Executive Director and CEO of the FIDO Alliance, who is a key driver in the search for alternative authentication solutions.
We went deep into the challenges businesses face when confronted with new authentication technologies, and why they need the latest solutions in the first place. The discussion stressed several key points about the current state and future of cybersecurity. I'd like to share some of the key takeaways with you.
CEO of NordPass.
Lack of knowledge about both password vulnerabilities and passkeys
Businesses—no matter if we speak about founders, CEOs, or other employees—are simply tired of passwords. The study we conducted in partnership with independent researchers revealed that employees at the world's largest corporations love passwords like "123456" and "password." Notably, 32% of passwords in top businesses include references to the company name, email domain, or products, while others include less secure choices such as "dummies," "vacation," and "sexy4sho."
Some organizations might not even realize how big of a threat such passwords can pose to their operations and growth opportunities. Irresponsible password management has led to thousands of data breaches and leaks, causing severe financial and reputational damage to countless companies.
Based on sets of cryptographic keys and biometric authentication, passkeys are a new type of credentials that offer way more protection for user accounts than traditional passwords. Plus, by eliminating the need for users to remember complex passwords, they make for a much more convenient alternative.
First, to understand the benefits of passkeys in providing enhanced cybersecurity, it's important to know how they fundamentally improve upon traditional authentication methods. As noted by Andrew Shikiar: “They [passkeys] require possession-based authentication, which is immune to sophisticated phishing and social engineering attacks that otherwise succeed when a human communicates the secrets.”
Customers are demanding the passkey option themselves
Many businesses think their customers would resist such a massive change, considering that passwords have been around as long as the internet has been around. However, my own convictions were reaffirmed when Andrew told me about the Sony case: “It was interesting to see the positive feedback when Sony introduced passkeys for PlayStation on social media. People were giving Sony all sorts of kudos for making passkeys available – and we’re starting to see more and more consumers ask their service providers for passkeys as a sign-in option.”
According to our own statistics, there were ten times more users using passkeys in May this year than in September 2023.
Clearly, the future of passwordless solutions is bright. And it's not just because of the promise of privacy. As Andrew puts it, “I anticipate that, over time, we’ll also be able to draw a direct line between the increase in the percentage of passkeys sign-ins and both reduced fraud and increased revenue.”
Regulators have yet to consider passkeys
Together with Andrew, we talked about how the general consensus is that regulators don't like passkeys and how that's simply not really true – Andrew doesn't think that “regulators have ever contemplated passkeys… It’s always been passwords.” They've just added layers on top of them, hoping that the next add-on will eventually eliminate the risk of phishing.
Unfortunately, this essentially makes them more cumbersome to use. Andrew also shared that what may finally get regulators on the side of passkeys is the fact that they are being recognized by most reputable entities: “We were pleased to see NIST’s additional instructions to their digital identity guidelines last month, which said that, when implemented in accordance with their guidelines, synced passkeys meet the MFA requirements associated with AAL2, suitable for helping prevent phishing attacks.”
Passkey adoption: outlook
Andrew shared that currently, there are over 13 billion user accounts that can enroll with passkeys. With businesses continuing to adopt this technology, I expect this number to grow to yet unseen heights. However, it is inevitable that, for some time, we will continue to live in a world where both passwords and passkeys coexist when handling corporate accounts. It requires companies to be conscious of their password security measures, and at the same time – to tame new authentication solutions.
My full conversation with Andrew can be found here.
We've featured the best authenticator apps.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
