
Can threat actors socially engineer their way to a passkey?

An analyst and tech officer discuss the possibilities.

[Image: a lock disappearing in front of a scanned fingerprint. Illustration: Anna Kim, Photo: Adobe Stock]


Major players in the cybersecurity game are moving on from passwords to the more secure (and still esoteric) passkey. Think of passkeys, said RSA Security's Jim Taylor, like a ripped-in-half bank note: one half (a private key) stays on the user's device, and the other half (a public key) is held by a given server. When the user unlocks the device with a PIN or biometric, the private key signs a one-time challenge from the server; the server checks that signature against its half, the public key, and grants access.

Passkeys eliminate the password that can be guessed, leaked, or reused across sites. They also protect users against phishers who stand up a realistic-looking fake site: a passkey is bound to the domain it was registered on, so the browser will not offer it to a look-alike domain, and a signature produced for the wrong origin is rejected by the real server, which holds the matching public key.

Passkeys offered an upgrade for Taylor, chief product and technology officer at the network security company, and his team, who recently deployed passwordless options across their organization. Taylor warned, though, that passkeys can still be compromised.

“It doesn’t matter how good the credential is if I use a bypass attack and get new credentials,” Taylor said.

James Hoover, senior principal analyst at Gartner, laid out two passkey types:

  • A device-bound passkey, “less susceptible to any sort of direct attack,” does not leave the mobile phone, laptop, desktop, or hardware token. “You’d essentially have to lay hands on it to do any sort of extraction of the key,” Hoover said.

Device-bound passkeys can be added to laptops and mobile devices via enterprise platforms like Microsoft Entra. Other options for IT pros include a hardware token that holds the private key and never exports it.

  • Multi-device passkeys, seen frequently with customer accounts, work across several assets, such as one's laptop, tablet, and phone. The synced key spares the user from registering a separate key on each device, but it shifts the security boundary slightly, from defending the physical device to defending who can join the "multi-device" party.

“If I can contact you and convince you to go through the steps that it would take to put my phone on your account and trust it for key sync, all of your keys come off of your phone and onto my phone,” Hoover said, noting that such threats, though rare, are the biggest reasons enterprises prefer a device-bound key.

A recent survey from the FIDO Alliance, a group dedicated to reducing the world's reliance on passwords, found that 87% of 400 UK and US "decision makers" surveyed said they had deployed or were deploying passkeys. That percentage has grown by 14% since 2022, according to the survey.

Researchers are always finding ways to crack the latest security mechanism. One security pro told us last year how to target passkeys by eliminating the option altogether, so that the user is pushed back to a weaker fallback login method.

Social engineers have long tried to compromise authentication by tricking the help desk into handing over new credentials. That threat remains with passkeys: an impersonator who convinces the help desk that they're having a really bad day and dropped, say, their laptop and device-bound passkey into a lake may walk away with a freshly issued credential.

“Even if you have a device-bound passkey that you issue, I can try to attack the credentialing process itself,” Hoover said, emphasizing the importance for IT pros to have verification mechanisms in place.

If a situation at RSA warrants more assurance, Taylor wrote in a follow-up email, such as when a laptop and phone have both been compromised, the company can escalate to identity-verification technology that involves mechanisms like live face capture and voice recognition.

“I’ve given you a really strong credential. Now I want to make sure that it’s you who’s using it,” Taylor said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.