From passwords to passkeys: A guide for enterprises

Passwords. We use them every day. We love them and we hate them. We are constantly frustrated by them — coming up with, and remembering, the required string of upper and lowercase letters, numbers and special characters. 

Simply put, “passwords are weak and user-unfriendly,” said Gartner senior director analyst Paul Rabinovich. 

And they’re a huge security risk: 81% of hacking-related breaches use stolen and/or weak passwords. 

Consumers do recognize this, with 68% believing that passwords are the least secure method of security and 94% willing to take extra security measures to prove their identity. At the same time, more than half of us continue to use passwords. 

Call it habit, unwillingness to change or just plain indifference, passwords have become entrenched — but we must be broken of the habit, experts say. Notably, many across the security industry are pushing for passwordless authentication methods and the use of passkeys — and some even project these to become industry standard. 

“Passkeys are a significant advancement in the identity and security industries,” said Ralph Rodriguez, president and CPO at digital identity trust company Daon. “They are a far safer alternative to passwords, especially at a time when cyberthreats are on the rise.”

Passkeys: Moving toward widespread adoption

Passkeys are a form of passwordless identity security that enable FIDO2 authentication (standards set by the FIDO Alliance, which is dedicated to reducing reliance on passwords). Industry giants including Apple, Microsoft and Google have recently backed passkeys, collaborating with the FIDO Alliance and the World Wide Web Consortium. 

This method of authentication employs cryptographic keys and stores credentials for several devices in the cloud, explained Rodriguez. Users combine a passkey on their smartphone with securely saved and encrypted cloud-based credentials. 

“Passkeys eliminate the need for passwords, enabling a more secure and expedient means of account authentication,” said Rodriguez. They can be integrated with existing applications, and can significantly reduce the incidence of identity theft and phishing efforts.

Ultimately, they will become the industry standard, Rodriguez predicted, and adoption by multinational giants will help spur their widespread use. 

“Enterprise use of passkeys, particularly in industries responsible for financial and personal data, is an enormous step in the right direction,” said Rodriguez.

But really, is this the end of passwords?

Because passwordless authentication methods challenge users to use alternative credentials, they will further reduce — and potentially even eliminate — passwords, said Rabinovich. 

Right now, organizations may have multiple applications relying on a password in the same directory. But as these applications are migrated to passwordless authentication, “one day the password may no longer be needed,” he said. 

If or when this point is reached, passwords may be completely disabled in a directory (even though as of now, just a few directories and identity services allow administrators to do this). In some cases, administrators may be able to set passwords to a random and secure value not shared with the user, “effectively eliminating the password from all user experiences,” said Rabinovich. 

As he noted, generating and remembering a good password is hard (and still harder if you must have many). And, if you forget one or it gets compromised, you need to go through a password-reset process. While many organizations deploy self-service password reset (SSPR), administrator-assisted password reset can be costly: $15 to $70 per event. 

Still, all applications have relied on passwords, and users are accustomed to them “even if they love to hate them,” said Rabinovich.

Thus, new authentication methods and new processes for acquisition, enrollment, day-to-day authentication and account recovery must be carefully designed.

Like anything, advantages and disadvantages

Passkeys are a safer, faster alternative to passwords, said Rodriguez, and their ability to transfer credentials between devices expedites and simplifies account recovery. For instance, if a user loses their phone, they can retrieve the passcode and use it on another device.

“When used with user experience (UX) in mind, (passkeys) can help consumers break the habit of using passwords,” said Rodriguez. 

Still, he pointed out, they may not be appropriate for all business scenarios, or for government agencies requiring adherence to National Institute of Standards and Technology (NIST) guidelines. The same is true for highly regulated industries such as financial services, where compliance requirements vary by country or region.

Also, passkeys are not as strong as other FIDO standards, which use biometric verification methods such as voice, touch and face recognition, said Rodriguez. And passkeys cannot be used for transactions with financial institutions because of Know Your Customer (KYC) standards that were implemented to protect financial institutions against fraud, corruption, money laundering and terrorist financing. They can’t establish users’ identities; if implemented, they could increase synthetic fraud.

Utilizing passkeys alone in financial transactions may still pose certain hazards, he said, and extra biometric authentication should be considered.

Because regulators have not yet accepted the use of a passkey alone to meet security standards required in highly regulated industries such as banking and insurance, passkeys at least for now must be combined with another authentication factor.

“The number of factors involved in authentication is a decision that will ultimately be made by the business or enterprise, but consumers and end users will have a say in the matter,” said Rodriguez. 

Not the end-all, be-all

Rabinovich agreed that “not all passwordless authentication methods are created equal.” 

“All methods suffer from certain security weaknesses,” he said. 

For example, SMS and voice-delivered one-time passwords (OTPs) are not as secure as second- or multifactor authentication (MFA), he said. Thus, they should only be used in very low-risk applications. 

Similarly, mobile push coupled with local device authentication suffers from “push bombing” or “push fatigue,” he pointed out. Bad actors can take advantage of this by inducing an application to bombard users with push messages that they will eventually accept. 

Also, while FIDO2 has very good security properties — it is phishing-resistant, for example — it doesn’t specify auxiliary processes such as user credential enrollment protection or account recovery rules. This can provide a weak link. So FIDO and all other authentication methods must be carefully designed. 

Support for FIDO by authentication and access management vendors is nearly universal. Some incumbent vendors typically limit themselves to just FIDO2, but some — including Microsoft, Okta, RSA and ForgeRock — support additional authentication methods. These can include magic links (where users log into an account by clicking a link that’s emailed to them, rather than typing in their username and password) and biometric authentication.

Emerging passwordless specialists — including 1KOSMOS, Beyond Identity, HYPR, Secret Double Octopus, Trusona, Truu and Veridium — support many enterprise use cases. 

FIDO2 is “very promising,” but its adoption is hampered by unavailability of smartphone-based roaming authenticators that enable the smartphone to be used as a companion device for users working on PCs. However, this will change with the introduction and standardization of passkeys, Rabinovich said. 

A gradual passwordless evolution

Moving forward, certain application architectures will make adoption of passwordless authentication easier, because identity provider/authentication authorities may — or will soon — support passwordless authentication. 

However, “for legacy password-dependent applications, this will be slow,” said Rabinovich. He pointed out that many new SaaS applications still assume the password.

Ultimately, “this will be a gradual process,” said Rabinovich, “because passwords are so entrenched.”