Ditch the password: Passkeys are the future of online enterprise security (2024)

Presented by Dashlane

A password is fundamentally a secret—a handshake between the user and the system that gets you into the speakeasy. The problem with secrets, however, is that they’re often hard to keep. Just last month, ten billion plaintext passwords were released onto a popular hacker forum in the largest leak ever recorded, and honestly, no one should still be surprised at this point.

These leaks have become commonplace, and the rising number of breaches that follow is textbook: Google Cloud’s 2023 Threat Horizons Report revealed that a full 86% of enterprise breaches involve stolen credentials. Passwords add UX friction, cost companies money and no one except hackers likes them, so why are they still overwhelmingly the primary method of securing accounts?

It’s mostly because until now there hasn’t been a workable, feasible replacement from both a cost and a technology standpoint. But passkey technology is gaining traction. Passkeys are passwordless logins that are phishing-resistant and don’t have to be memorized. They simplify account registration for apps and websites, are easy to use, work across all of a user’s devices, and even work from other devices in physical proximity.

A year ago Apple, Google and Microsoft announced a commitment to passkeys in their own products, along with plans to expand support for a common passwordless sign-in standard. Meanwhile, regulatory bodies, including the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), are starting to offer formal guidance on using and implementing passkeys. Credential manager Dashlane was the first to offer a fully passwordless experience from the moment of mobile account creation. It was also the first to support passkeys on the browser extension, iOS app and Android app, across all three platforms.

As passwords hurtle toward obsolescence and many users continue to resist the friction of two-factor authentication, passkeys are essentially the future of online authentication.

What a passkey is, and who’s behind it

The FIDO Alliance is an open industry association founded with the dream of reducing and eventually eliminating the overwhelming reliance on passwords. To that end, they’ve developed standards for authentication and device attestation, as well as secure device onboarding to ensure the security of connected devices in cloud and IoT environments. The most critical development was its proposed method to store cryptographic keys in a way that lets them sync between devices.

From a technical standpoint, passkeys are FIDO credentials that are generated and housed in an authenticator, which can be, for example, a smartphone, a security key or a password manager that supports passkeys. Instead of creating a password for a new account, the user chooses which authenticator should create and store the new passkey. Depending on the service’s passkey implementation, registering or signing in with a passkey may require user verification, whether that’s a password, PIN or biometric check. In any case, the passkey itself is never exposed to the site or to an attacker.

Using the WebAuthn API, which is implemented in all modern browsers and operating systems, the authenticator generates a cryptographic key pair for the new account: the public key is stored by the account site, and the private key is stored in the authenticator. When the user signs into a passkey-enabled account, the authenticator and the website communicate to verify the login with that key pair.

Passkeys can be either device-bound or synced between devices. The device-bound ones are typically created on a hardware key, such as a YubiKey or a Titan Security Key, while synced passkeys are typically managed by a credential or password manager, either one that’s built into your device’s operating system or a standalone password manager. Synced passkeys have the advantage of being available on any of your devices where the credential or password manager is available.

Passkeys replace passwords with cryptographic key pairs for phishing-resistant sign-in security and an improved user experience. The cryptographic keys are used from end-user devices (computers, phones or security keys) for user authentication.

Passkeys that are managed by phone or computer operating systems are automatically synced between the user’s devices via a cloud service. The cloud service also stores an encrypted copy of the FIDO credential. Passkeys can also by design be available only from a single device from which they cannot be copied. Such passkeys are sometimes referred to as “single-device passkeys.” For example, a physical security key could contain multiple single-device passkeys.

What makes passkeys the future of online security

No authentication method is absolutely foolproof, but passkeys are a significant leap forward in the technology. They’re more secure, easier for consumers and employees to use and for service providers to deploy and manage. They’re phishing-resistant, can’t be guessed or forgotten and the IT cost of lost credentials is dramatically reduced.

Phishing resistance: Phishing attacks lure a victim into entering their login info at a fraudulent site that looks legitimate, to some degree. When the user tries to sign in, they reveal their credentials and the attacker suddenly has full access to their account. That’s not possible with passkeys, which are bound to the website they were created for. A fraudulent site at a different domain can’t trigger the passkey, so there is nothing to steal.

Consistent authentication experience: The authentication device’s operating system platform or password manager synchronizes cryptographic keys so that across multiple devices, the user will get a consistent, smooth authentication experience.

Improved scalability and credential recovery: Synced passkeys mean a user doesn’t have to generate a new FIDO credential for every device, so they keep access to their passkey even after replacing a device, and they gain cross-device portability, giving the IT department a great deal less busywork.

Stronger authentication for enterprises of every size: FIDO authentication standards have proven strong against phishing and credential stuffing attacks, so incorporating them into enterprise security dramatically improves an organization’s security stance. Plus, since they rely on existing on-device security capabilities, they’re easier and less costly for small and medium businesses to adopt.

Managing passkeys across platforms and devices

Passkeys are a powerful security advancement, but they still have hurdles. Chief among them is that once a passkey is created in one ecosystem, such as Apple’s, it doesn’t easily work with others, like Windows and Windows Hello, which undercuts a fair amount of the ease that passkeys are designed to offer.

Dashlane and other third-party credential and password managers provide cross-platform support, which ensures a user’s data is available wherever a user is logging in, and that access is seamless, regardless of platform. A third-party passkey manager syncs all of a user’s passkeys and saves them in the manager’s encrypted vault, allowing users to seamlessly access websites and apps across devices.

Plus, passwords aren’t entirely vanishing any time soon: They’ll have to coexist with passkeys as websites, apps and services work to make the switch, and credential managers—which can offer up a password or a passkey as the situation demands—help users navigate that transition.

And because users should be in control of their data and not locked into a specific product, credential and password managers are working together to bring data portability to passkeys. In other words, if a user decides to switch up their password manager, they’ll be able to take their passkeys with them. This isn’t yet the case with native platforms such as iOS, Android, and Windows.

Learn more about the future of online authentication with Dashlane, and how to make the switch to securing your proprietary data more easily. Get in touch or check out our plans.

Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact sales@venturebeat.com.
