“Your password has expired. Please update your password.” These dreaded words are becoming a thing of the past as the battle between passkeys vs. passwords continues to favor passkeys as the preferred option in the future state of cybersecurity frameworks. While the concept of passkeys can be traced decades back, the adoption of passkeys accelerated in 2018 when FIDO (Fast Identity Online) Alliance released a set of specifications (FIDO2) enabling passkeys for passwordless authentication. Since then, the adoption of this technology in certain financial and technology sectors has increased. While mainstream adoption of the passkey offering has yet to take off, passkeys have found a runway when it comes to combating cybercriminals. Let’s discuss why there is a high barrier to the adoption of this hugely beneficial technology and where passkeys fit into the passwordless future.
What is the Passkey Offering?
First, a brief overview of the passkey offering. A user-friendly alternative to passwords, passkeys are a secure, digital credential that replaces vulnerable passwords with a pair of cryptographic keys. One key is public and stored on the server and the other is private and stored securely on a user’s device. During the authentication process, Bluetooth® communication allows users to confirm their identity via a mobile device with a fingerprint, face scan or PIN. This FIDO authentication credential provides passwordless sign-ins to online services and enterprise applications.
The advantages of passkey implementation include boosted security measures, time and cost savings and an improved user experience. As password-related breaches lead the way in cyberattacks, passkeys minimize security vulnerabilities and boost productivity for IT teams and end users alike. 86% of security leaders say they would do away with passwords if they could, and passkey authentication provides that possible solution. The rf IDEAS ConvergeID™ software solution, which converts existing credentials into FIDO2 security keys, allows IT Administrators to remotely assign or remove user keys, create and designate security policies, and audit usage with the included administrative panel. The software provides more accountability when it comes to shared devices and workstations, ensuring that each user has their unique passkey, and administrators can track who accessed the device and when. Furthermore, if a user leaves a shared device without logging out, the system can automatically lock the session after a period of inactivity. This accountability helps prevent misuse or unauthorized access.
Adoption of Passkey Technology
Before diving into the reasons behind the slow adoption of passkeys into the mainstream, it’s vital to understand where passkey adoption currently stands. Passkeys are now supported by 20% of the world’s top 100 websites and 12% of the top 250 websites. Leading technology companies like Google, Microsoft and Apple have been developing and deploying their passkey solution since the technology was introduced by FIDO two years ago and the results have been promising with multi-platform passkey support for consumer accounts. Furthermore, websites, apps and companies like Amazon, PayPal, eBay, WhatsApp, Dashlane, Uber, Shopify, DocuSign, and 1Password are working to adopt the passwordless authentication solution.
While many organizations have made strides when it comes to passkeys, passwords are still primarily used because knowledge and awareness of passkeys are limited. Additionally, the general user is confused about how to implement passkeys, manage them and not all applications support it for mobile. Researchers have noted that the top five obstacles enterprises face in deploying FIDO2 passwordless authentication include this complexity and friction for new users and stakeholders in addition to no standardized fallback, technical issues, regulatory requirements and the intricacies of security culture.
Even with these roadblocks to adoption, the benefits are clearly there for consumers and enterprises. Passkeys are phishing-resistant, keep access consistent and simplified and are a highly secure cryptography-based authentication.
In fact, when passkeys are implemented, there is a 75% reduction in sign-in time and a 95% reduction in password resets.
It will take time for knowledge and trust in passkeys to be earned, but that is typical for most technology deployments, and there are many of which we consider standard technology today that went through the same issues.
Securing Business Data with Passkeys
Even though there is a high barrier to the adoption of passkeys, this does not mean the shift to passwordless authentication is not happening or supported. More than 13 billion accounts can now leverage passkeys for sign in according to FIDO Alliance. Many companies approach passkey deployment according to their unique needs because one size does not fit all when it comes to passkeys. The passkey type and regulatory and security requirements need to be considered so that the passwordless authentication method can be adjusted to fit the ecosystem in which it is implemented.
Part of the decision in passkey implementation comes down to device-bound or synced passkeys. Synced passkeys live on a computer, tablet or a smartphone, and they can be copied and shared across multiple devices. This makes for a great user experience as it allows you to generate a passkey once and use it across any number of devices, without having to enroll every device for every account. Our ConvergeID™ Passwordless Platform offers the synced passkey solution by binding to the user’s existing physical access credential and can be enrolled in FIDO security keys via a seamless process within the administration panel. The barrier to enterprise adoption is virtually eliminated with this solution because nearly every worker has a proximity or contactless card, or a mobile credential on a smartphone.
Device-bound passkeys, on the other hand, reside on a dedicated piece of hardware, such as a USB or NFC FIDO security key. These provide a higher level of security and they do support attestation. Attestation is the traceability of the authenticator device that provides cryptographic proof that the user has a specific model of authenticator device. However, the use of device-bound passkeys in enterprises is hindered by the difficulty of deploying them to the workforce and managing their lifecycle. To make enterprise deployment more streamlined, ConvergeID™ supports orchestration and lifecycle management of hardware FIDO2 keys.
Passkeys and a Passwordless Future
The passwordless future is possible, and passkeys will play an important role in it. It’s clear that breaches and phishing remain a hindrance for users across industries and passkeys offer secure and efficient authentication while mitigating the risks associated with traditional password-based systems. Our ConvergeID™ Passwordless Platform was introduced in 2023 to address this need in the market and provide our users with a secure, convenient, and seamless authentication technology that meets their needs. Ready to explore what the ConvergeID™ solution can do for your organization? Contact rf IDEAS to set up a demo today.