How are passkeys changing user authentication
In the previous blog, we talked about FIDO2 and how it is the best technology available for passwordless authentication. But you have probably also heard another term recently: passkeys. So what are passkeys and how are they different from FIDO2 keys? Let’s dive in.
Passkeys are, in fact, the same thing as FIDO2 credentials. They are simply the next phase of the evolution of FIDO2 technology, spearheaded by FIDO Alliance and supported by big names like Microsoft, Google and Apple. The industry now actually encourages the use of the term “passkey” whenever you are talking about FIDO credentials. What this new iteration brings to the table is a much greater scalability and richer, more consistent and intuitive user experience across all devices and applications.
Passkeys are quite simply a replacement for passwords. But unlike passwords, they are much more secure and phishing-resistant. They also don’t rely on users’ knowledge and memory, offering a fast and seamless login experience into applications and websites across a wide variety of devices.
“Google data (March-April 2023) shows how the percentage of users successfully authenticating through same device passkeys is 4x higher than the success rate typically achieved with passwords: average authentication success rate with passwords is 13.8%, while local passkey success rate is 63.8%.”
Passkeys live on your computer, tablet or smartphone. Once generated, they can be copied and shared across multiple devices and applications. The login experience is as simple as confirming your identity on the mobile device with your fingerprint, face or PIN. If you want to know whether a website supports passkey login, simply look for the passkey logo.
By using Bluetooth communication, the passkey on your mobile phone can act as a FIDO2 security key to log you into Windows and the web applications on your PC.
What makes passkeys better than passwords
Passwords have repeatedly proven easy to compromise; passkeys offer a more secure alternative. In 2021, 30% of users experienced a security breach due to insecure passwords. And of those users, nearly 50% use the same password for multiple accounts. For hackers, this is great news. If they can figure out one password, they can access most of your accounts quickly and easily.
Phishing and other common cyberattacks are defeated by the adoption of passkeys
Passkeys use the same cryptographic technology as standalone FIDO2 keys, pairing a public key with a strong private key that never leaves the user’s device. They are thus inherently very difficult to phish or harvest.
Two types of passkeys and which one is right for your organization
There are two types of passkeys defined by the FIDO Alliance: synced passkeys and device-bound passkeys.
Simply stated, synced passkeys live on a computer, tablet or a smartphone, and they can be copied and shared across multiple devices. This makes for a great user experience: you can generate a passkey once and use it across any number of devices, without having to enroll every device for every account. While this is great for consumer authentication, there are concerns about the use of synced passkeys in security-sensitive enterprises.
There are scenarios where workers could potentially share their credentials. Additionally, compliance policies at many enterprises push them to require what is called attestation: cryptographic proof, traceable to the authenticator itself, that the user is holding a specific make and model of authenticator device. This is not available with common synced passkey implementations.
Device-bound passkeys, on the other hand, reside on a dedicated piece of hardware, such as a USB or NFC FIDO security key. These provide a higher level of security and they do support attestation. However, the use of device-bound passkeys in enterprise is hindered by the difficulty of deploying them to the workforce and managing their lifecycle. Issuing authenticator devices to potentially thousands or hundreds of thousands of employees, revoking them when an employee leaves the company, as well as auditing and tracking usage are all headaches that can quickly lead to a large cost and resource overhead.
The ConvergeID™ Passwordless Platform announced recently is a solution that takes every advantage of synced passkeys (including attestation), while removing virtually every barrier to enterprise adoption. The passkeys are bound to the user’s existing physical access credential: a proximity or contactless card, or a mobile credential on a smartphone. This is something that virtually every worker already has, so the need to issue hardware authenticators to employees is eliminated, and the credentials can be enrolled as FIDO security keys via a seamless process within the administration panel. This panel also offers powerful tools for monitoring usage and activity and for setting security policies.
Why passkeys are the future of authentication
Passwords are a problem: they are easy to guess, harvest or phish. Remembering and managing numerous long and complex passwords and entering them multiple times a day is a big drain on employee efficiency and productivity. Passkeys are a great solution to these problems. Although they may not fully eliminate the possibility of cyberattacks, they can drastically reduce the risk, while offering an unparalleled user login experience.
Learn how the rf IDEAS® ConvergeID™ software solution converts your existing credentials into FIDO2 security keys overnight, with little or no action required on the part of your users. Now, your business could achieve the highest levels of security with no additional credentials to purchase or carry and no passwords to remember, type or manage. Learn more at rfIDEAS.com/ConvergeID, or complete the form to get help with all your passwordless authentication needs.