Why Google Passkey is Good for B2B Adoption of Emerging Authentication Practices
Passkey technology – a new type of passwordless authenticator – is still in the early stages of adoption among individual consumers. However, just last month, Google announced that all its accounts will now support passkey sign-ins. This is a significant step forward for authentication because it means that companies like Google – with tremendous resources and large scale – are not only putting the infrastructure in place to support passkeys, but are also prioritizing the security of their accounts. And, because Google has billions of users, a significant portion of the population will be exposed to passkeys, helping to further the adoption of this very important technology.
Other larger companies have also announced consumer passkey support, such as Best Buy, CVS, Docusign, eBay, Kayak, Hyatt, PayPal, and Shopify. In addition, late last month, 1Password announced it will start beta testing an expansion of its touchstone password manager that allows the tool to store passkeys. This is further evidence that passkeys are, in fact, continuing to gain momentum in the market.
Passkeys Extending from B2C to B2B
It has been said that IT trends in organizations are often driven first by consumer technology innovation and adoption. As an example, look no further than how prevalent phone-based apps are in organizations today. With this trend in mind, it is a positive sign that large organizations like Google are rolling out passkey technology. Widespread use and acceptance at the consumer level are likely to make B2B users more comfortable with the technology at a faster rate.
The effectiveness and usability of passkeys are hard to argue with in a B2B setting. Compared to passwords, which are easy to forget and easy to compromise, a passkey is clearly a better option. The half-step upgrade from passwords to multi-factor authentication (MFA) also falls short, as it often creates a significant amount of user friction with push notifications, which often leads to users circumventing authentication methods and to more risk for the organization. Moreover, all these non-passkey options are susceptible to phishing attacks, which are rapidly increasing in terms of volume and voracity.
But there are still hurdles to overcome on the road to a passkey future in the enterprise and at public sector organizations – many of which can easily be tackled.
The Real and Perceived Challenges of Passkeys
Based on our discussions with customers and partners, some of the most important considerations that B2B IT teams face as they think about passkeys are:
- Uncertainty: There are many options to contemplate when considering passkeys. The most important option – FIDO passkey – is undoubtedly the future, but its future is still unknown (you can read more about FIDO and our approach in this previous blog post), leaving many organizations scratching their heads at what they can do now to help move past the insecurity of passwords and legacy MFA.
- Complexity: Implementing authentication methods such as passkeys at scale in large companies is hard because it requires the right tools, and management of those tools, to be successful. Specifically, authenticators and associated credentials involve a significant manual effort for IT to manage.
- Cost: Increased IT and opportunity costs often follow as organizations take more control of security. For instance, without self-service options for things like account recovery and renewals, managing passkeys may be costly when it comes to issuance, account recovery, renewal, and revocation efforts.
- Compatibility: According to Axiad research, 70 percent of organizations have three or more identity and access management (IAM) systems in place. Passkeys must be able to work within – and across – these various systems in a systematic way to provide optimal protection.
- The Short Term: Perhaps most important, given that FIDO passkeys are still a work in progress, IT security executives must contemplate what they are going to do right now. Phishing attacks aren’t slowing down to wait for the ultimate passkey solution, so what is an organization to do while demand for passkey effectiveness and usability grows?
A Pragmatic Approach to Phishing Resistance
Recently, at the Gartner Identity and Access Management conference we attended, one of the top topics we heard from analysts, and wrote about in our “top takeaways” blog, was taking a hybrid approach to authentication in the near term. Understanding that the threat of phishing attacks is very real and that (again) FIDO passkeys are still a bit of a future state, analysts noted that organizations should look for a solution that helps them fend off these attacks immediately, while waiting for passkeys to hit the mainstream in a B2B setting.
One strong option in this hybrid state is to combine certificate-based authentication (CBA) as your day-zero solution with FIDO passkeys as your day-one approach. This gives you protection now, but also an option to future-proof your strategy down the road. We call this a pragmatic approach to phishing resistance, and explain how you can accomplish this in a related blog titled CBA and FIDO: One, Other, or Both.
Axiad Can Help You Navigate the Path to Passkeys
Axiad has all the right tools and logistical know-how to help your organization implement this hybrid approach. Our Certificate-Based Authentication for IAM is trusted and proven in the market. It extends the functionality of IAM systems to deliver phishing-resistant MFA, even if you have multiple IAM systems in place. It also recently won a gold medal in the coveted Cybersecurity Excellence Awards in the category of Best Certificate-Based Authentication solution.
On top of that, Axiad is one of a handful of organizations to sit on the FIDO Alliance Board. That means we are on top of all the latest developments in the B2B application of passkeys and can help our customers develop a strategy accordingly.
Interested in learning more about how you can implement CBA for IAM and phishing-resistant MFA? You can request a free demo to witness the power of our solutions or contact us directly to get started.