FIDO Series Part 2: Simplifying Passkeys and Clarifying Their Role in Authentication
FIDO Passkeys Simplified
In the FIDO Series Part 1 blog, we discussed rising cybercrime, how over-reliance on passwords is one of the main contributors to its growth, and what FIDO passkeys are and how they work. Passwords remain such a problem because they are easily compromised. Supporting this, our recent 2023 State of Authentication Survey found that while nearly 90% of IT pros felt prepared for a password-based cyberattack, more than half fell victim to one.
The good news, however, is that, when the same respondents were asked what technologies their companies will use over the next year, 45% indicated passwordless technology. This is a big step in the right direction.
One such passwordless technology is FIDO passkeys, which are provided by the FIDO (Fast Identity Online) Alliance. They are a new, universal authenticator that acts as a replacement for passwords. Passkeys provide a way for users to more quickly, easily, and securely sign in anywhere – from desktops to websites to applications – using digital, phishing-resistant FIDO sign-on credentials.
Why FIDO Passkeys?
This type of passwordless authentication is gaining traction, with companies including Accenture, Google, and Okta all recently adopting passkeys, and companies such as Apple and Microsoft announcing plans to support the technology as part of their cybersecurity strategies.
Not only are FIDO passkeys gaining momentum, but they are also expected to become the gold standard of authentication technology moving forward. Here are a few reasons why:
- Passkeys improve end-user productivity as well as the user experience. Users no longer have to enter a username and password to authenticate, which is not only easier but also saves time over the long run by eliminating the need to remember a password, find where it is stored, or reset it.
- The technology also removes the IT burden of dealing with account lockouts and password resets, freeing IT teams to focus on initiatives that will drive the business.
- Passkeys also present organizational benefits, including greater efficiency and a strengthened cybersecurity posture. Because passkeys use public key cryptography, they eliminate the shared secret that a password represents, providing a more secure form of authentication that is phishing resistant.
The Different Types of Passkeys
While the benefits of passkeys are proven, not all passkeys are the same. There are two main types of passkeys: synced passkeys and device-bound passkeys. Here’s a high-level overview of each:
- Synced passkeys use a FIDO credential that is tied to a cloud-based account and synced between any number of devices. For the user, this means the passkey is automatically available to log in from all their devices – phone, laptop, or tablet – in much the same way a password manager syncs passwords.
- Device-bound passkeys use a FIDO credential that is bound to a specific piece of hardware, such as a workstation or laptop. This type of passkey is typically a stronger form of security because it can never be copied or shared. Once the passkey is created, it is bound to that device for good.
What Passkey Works Best for Your Organization?
Your company’s industry and its device usage will both play a major role in determining whether synced or device-bound passkeys are the best fit for your business.
Because device-bound passkeys offer the highest level of security, they are more often used in highly regulated industries with strict compliance requirements, such as government and healthcare. It should be noted that the higher security level of device-bound passkeys comes with a usability trade-off: every individual device needs to be registered with its own passkey, which makes the process more cumbersome and less portable than other methods and can affect user adoption. Additionally, this type of passkey does not provide backup and recovery, so if a device is lost or wiped, the passkey cannot be recovered.
On the other hand, synced passkeys are highly portable and can be synced between any number of devices. They can also be shared with a designated group of people. Users are more likely to adopt this technology because the process is easy and seamless, and this type of passkey also supports backup and recovery of credentials. Because of these features, synced passkeys are more often used by organizations in industries that need flexibility and do not have strict security regulations.
The Future of Passkeys
FIDO passkeys are now generally available and can be used with various cloud and web applications, including iCloud, Google accounts, and more. The number of websites that support passkeys has also grown quickly, making this type of authentication technology even more accessible to the broader community. Even with these advancements, however, there are still some use cases not yet supported by FIDO passkeys. So, to maintain a strong cybersecurity posture across the board, we must take a hybrid approach – and Axiad is doing just this for our customers.
We support the FIDO framework, hold a seat on the FIDO Alliance board, and are actively planning further FIDO passkey developments. For the use cases not yet supported by this technology, we provide our Certificate-Based Authentication (CBA) offering as part of the Axiad Cloud platform. CBA relies on asymmetric cryptography with certificates issued through a public key infrastructure (PKI), making it another viable, passwordless, phishing-resistant authentication option. We call this hybrid approach “Pragmatic FIDO.”