With the growth of sophisticated attacks against critical software and infrastructure systems, multi-factor authentication (MFA) has emerged as a critical layer of defense against unauthorized access. An increasing number of enterprise and developer-facing technology applications and platforms, from GitHub to Salesforce to Amazon Web Services, are making MFA mandatory for users.
That said, we are all used to passwords, and many people like the status quo. Not surprisingly, the introduction of MFA has added friction to the login process. This can negatively impact the user experience.
A newer technology that can provide even greater security benefits than MFA is now becoming more widely deployed. That technology is called passkeys. Based on widely accepted industry standards, passkeys offers the tantalizing promise of eliminating the need for passwords and the risks passwords create without adding user experience friction like MFA.
In other words, with passkeys, you can have great security and great user experience, a combination that has until now seemed nearly impossible to achieve.
How passkeys eliminate passwords
The origins of passkeys can be traced back to the development of Web Authentication (WebAuthn), a web standard created by the World Wide Web Consortium (W3C) and the FIDO Alliance. WebAuthn is a core component of the FIDO2 project, which was launched to create a more secure and convenient open authentication standard. These standards laid the groundwork for the development of passkeys by defining a framework for public key cryptography as the basis for authentication.
While getting all the major industry players to agree on precise details of passkeys took years, today Apple, Google, Microsoft, and most other large technology companies either support passkeys or have plans to do so within the next year. All major browsers support passkeys and a growing number of enterprise and consumer applications also support passkeys.
Passkeys use public key cryptography. Traditional passwords rely on a secret string of characters known to both the user and the server. In contracts, passkeys use a pair of cryptographic keys: a private key and a public key. The private key is securely stored on the user’s device or in their browser and is never shared. The public key is stored on the server of a service or system (for example, the authentication module of a SaaS app).
When a user attempts to log in, the server sends a challenge to the device or browser. The user’s device or browser signs the challenge with a private key and sends it back to the server, which verifies the challenge against the public key. A passkey can require a biometric challenge, or it can just work off a device or browser without requiring any user action whatsoever. When passkeys are implemented well, both passwords and MFA can be eliminated, and logins become completely painless.
Advantages of passkeys vs. passwords
Obviously, no one has to remember, manage, and rotate passwords anymore, which is a massive benefit all by itself. But passkeys have other critical benefits:
- Passkeys are harder to steal. Because the private key never leaves the user’s device, it’s significantly more difficult for hackers to steal credentials compared to traditional passwords.
- Passkeys automatically rotate. Because it is a cryptographic algorithm, a passkey generates a different response to each login attempt. This prevents replay attacks and simplifies zero-trust security by making re-authentication and continuous authentication seamless and invisible.
- Passkeys prevent phishing and business email compromise. Dynamically generated passkey responses also prevent phishing and business email compromise (BEC) attacks, which rely on static passwords matched to account or user names to gain access.
- Passkeys eliminate password breaches. Because there are no passwords stored on the server, the risk of mass password breaches is virtually eliminated. This greatly reduces the risk of password-related cyber crimes broadly and also reduces the operational load on already stretched IT security teams.
- Passkeys integrate easily with existing strong security mechanisms. Security-conscious organizations long ago embraced stringent security practices like dynamic authentication codes generated on authentication applications or hardware tokens. Passkeys integrate well with these systems and can be used in conjunction with authenticator apps and hardware keys, which can host passkeys.
Passkeys still face multiple challenges
Despite numerous advantages, passkeys face a number of challenges. To start with, users are comfortable with passwords as something they can see and easily change. For many, the ability to memorize and reuse passwords is a feature, not a bug. In our experience, enterprise IT teams frequently ask to turn off passkeys and revert back to standard MFA after confronting user pushback. User education and user comfort remain key issues.
But enterprises have the power to enforce behavior. For consumers, embracing passkeys might be a tougher slog. Even getting passkeys up and running on Android and iPhone devices and on different browsers remains complicated. Adding to the complications is the potential for passkey confusion with password wallet users storing some passkeys in their wallets and others in on-device keychains.
Users are also wary of complications resulting from passkey reset mechanisms should they lose control of their device. And still other users dislike the use of biometrics, which can add an extra layer of security to passkeys and also a convenient way to authenticate users for passkey resets.
Passkeys are the future
While these challenges are real, we are seeing a strong demand for passkeys as IT organizations look to provide a better user experience without compromising on security. When passkeys work right, users stop thinking about login as a barrier, and one of the biggest time sucks for corporate IT teams disappears, freeing short-staffed teams to focus on more complicated issues. Users also save time and hassles on password resets and on the confusing and painful management and rotation of passwords (which are essential companions to MFA under the old regime).
The bottom line: As organizations navigate the balance between robust security and a positive user experience, passkeys are emerging as a powerful solution. By embracing passkeys, organizations can strengthen their security posture while enhancing the login experience for their users.
Aviad Mizrachi is CTO and co-founder of Frontegg.
—
New Tech Forum provides a venue for technology leaders—including vendors and other outside contributors—to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to doug_dineley@foundryco.com.