Partner POV | Passkeys: Building Blocks for Passwordless Authentication
In this partner contribution
Article written by Nelson Melo, Founding Engineer, Beyond Identity.
The latest data breach research shows that stolen credentials and phishing are now the top paths into your organization's resources, and the problem is growing at an alarming rate. In 2022, 80% of successful attacks on internet-facing infrastructure, such as web and email servers, involved compromised credentials—an increase of almost 30% since 2017.
So how do you protect your network and its users from this rising threat? The answer is surprisingly simple: passwordless authentication using passkeys.
Developed by the FIDO Alliance, an open industry association on a mission to strengthen authentication standards, passkeys are a more secure replacement for passwords. On a more technical level, they're a standards-based technology that uses public key cryptography to authenticate access requests and can be multi- or single-device.
A host of tech giants, including Microsoft, Apple, and Google, now support the sign-in standard, and with good reason. Unlike passwords, SMS one-time passcodes (OTP), and push notifications, passkeys are phishing-resistant. They improve the user experience by simplifying and accelerating registration and authentication processes. And they support organizations in moving away from perimeter-based security to a zero-trust architecture by enabling a key component: Zero Trust Authentication.
Let's take a closer look.
Concerned by the weaknesses inherent in passwords and traditional multi-factor authentication (MFA), a group of companies, including PayPal and Lenovo, formed the FIDO Alliance in 2012 to work on a passwordless authentication protocol. Fast-forward to today, and the organization comprises hundreds of tech leaders worldwide and has released three sets of open technical specifications that support simpler, stronger user authentication.
Passkeys were born out of this collaboration and offer users a more secure, convenient passwordless method to sign in to websites and applications. They work using a device's built-in authentication mechanisms, such as Face ID, a fingerprint scanner, or a PIN. When a user registers an account for the first time, their device creates a unique cryptographic key pair bound to the website or app's identity. Only the public key is stored on the server, so it is useless to an attacker: without the corresponding private key, which never leaves the user's device, they cannot authenticate.
As passkeys take passwords and weak factors like OTPs out of the equation, they also remove the dangers and frustrations that accompany them. In particular, passkeys enable:
- Higher phishing resistance. Without the opportunity to steal credentials, phishing attacks are rendered useless, and the savings are significant. In 2022, the average cost of a data breach caused by phishing was $4.91 million.
- Lower help desk costs. A single password reset costs an average of $70 in labor; eliminating resets frees up help desk staff.
- More user flexibility. Allowing users to choose their preferred authentication method and making it more convenient adds value to the user experience.
- Improved accessibility. Users with disabilities can overcome accessibility barriers associated with traditional authentication methods by using biometrics, such as facial recognition and fingerprint scanning.
- Greater future-proofing. Passkeys can easily integrate with existing frameworks and technologies, allowing developers to quickly and securely build authentication features into their applications.
The idea behind zero trust security is that every connection and endpoint is treated as a threat, and Zero Trust Authentication follows the same principle, centering around these simple but important concepts:
- Eliminate passwords and other shared secrets that can easily be stolen from databases, bought on the dark web, or obtained from users.
- Use phishing-resistant factors instead of OTPs, magic links, or other authentication factors that enable phishing, adversary-in-the-middle, and other attacks.
- Ensure that requesting devices are bound to a user and authorized to access information assets.
- Assess device security posture to ensure that devices have security controls enabled and that their settings comply with security policies.
- Collect and analyze many types of risk signals using data from endpoints and security and IT management tools, allowing a policy engine to make risk-based decisions.
- Evaluate risk throughout a session rather than assuming nothing malicious will happen after the initial authentication.
- Improve risk detection and accelerate responses to suspicious behavior by integrating with a variety of tools in the security infrastructure.
Within this model, passkeys clearly support Zero Trust Authentication by establishing a high level of trust in user identity. For enterprise deployments, it also shows that a passwordless user experience is not enough on its own. To achieve the full impact of zero trust in an enterprise context, you need to combine passkeys with the remaining elements of Zero Trust Authentication: high confidence in device security and continuous risk assessment.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently named FIDO the gold standard for MFA, and, as we've seen, using passkeys is undoubtedly a giant leap toward stronger security. But it's not necessarily straightforward, and that's where Beyond Identity can help.
Universal Passkeys are enterprise-ready FIDO deployments that allow you to easily implement, manage, and scale passwordless authentication in your company. Because they abstract away the complexities of browser and device compatibility and deliver out-of-the-box support for existing SSOs, adopting the FIDO standard is simple and quick.
At the same time, Universal Passkeys allow you to confidently and securely verify user identities, improving the security posture of your online systems and reducing the risk of breaches. For users, they provide strong security while reducing authentication friction to near zero by not requiring a second device.