Published by Jed Laundry on 19 September 2022
Since the dawn of IT security, passwords have been an unavoidable necessity for humans to be able to interact securely with technology. At the same time, whether you’re an end user, an IT professional, or a business owner, our collective experience with passwords has been problematic at best.
Many attempts have been made to shift the dial on passwords, through technology, training and improved processes, but some fundamental issues persist:
- Everyone forgets their passwords from time-to-time;
- Password resets are a burden and expensive (in both non-productive time, and Service Desk costs);
- Most people will re-use passwords across multiple systems, even when they know that it is more risky; and
- There is always someone who will click on a link in an email and enter their login credentials no matter how much training we try to give them.
It has therefore long been clear that the only way to remove the risk and inevitable problems associated with passwords, is to get rid of passwords completely.
The good news is that passwords are disappearing faster than most people realise. This is in large part thanks to the rise of passkeys – a technology that has been developed by a consortium of tech leaders, and is about to get a huge boost as Apple rolls it out to millions of iPhones, iPads and MacBooks around the world through iOS 16 and macOS Ventura.
So what are passkeys?
Passkeys use the secure element in laptops, mobile phones, and FIDO2 security keys to store asymmetric cryptographic secrets.
But what does that actually mean in plain English? Here’s a run-down:
- Unlike current passwordless solutions, which require you to have dedicated USB security keys, passkeys use the mobile devices you already have, making it easier for people to adopt them.
- Passkeys are a complete replacement for both passwords and multi-factor authentication (MFA) apps. They combine the multiple factors into a single flow – you need to ‘have’ something (your phone), and either ‘know’ something (your PIN) or ‘be’ someone (through Face ID or Touch ID).
- Passkeys can’t be phished because you’re not making a judgement call. Your device will check the URL and only serve credentials that match that URL exactly. This means they are not fooled by websites that look similar.
- Passkeys cannot be compromised through reuse, because passkeys are unique for each website you visit.
The way it works in practice is simple:
- A website wants to authenticate you. Instead of showing you a password entry form, the website asks your browser for a passkey.
- Your browser asks you which passkey you would like to use. This could be one tied to your laptop (for example, Windows Hello), one that’s connected via USB (for example, a Yubikey), or one that’s on your Android or iPhone via Bluetooth.
- You prove who you are through Face ID, fingerprint, or your PIN. This happens locally between you and your device – it is not sent or stored in the cloud.
- Your passkey authenticator sends a signed token back to your browser, to send on to the website, proving that it’s you without needing a password.
From a technical standpoint, passkeys have a relatively low barrier to entry for any applications that use Single Sign-On (SSO) to your existing centralised identity provider, such as Azure AD, Okta, Auth0, or OneLogin. We can turn on and start using them today, because it is built on the existing FIDO2 and WebAuthn protocols.
But as with any business change, if you dive head-first into the technology without a plan, you may struggle to complete the change successfully, and potentially confuse your users in the process.
Any plan to migrate from passwords to passkeys should answer the following questions:
- What training and support your users are going to need?
- Are you going to recommend people enrol their phones, or their laptops, or both?
- Are you going to need USB security keys or a similar token for a small number of users such as privileged/admin users?
- What are the target applications? What apps already use Single Sign-On? What apps are (and need to be) standalone? What apps are outside your control, but your people need access to as part of their work?
- What’s going to be required to make the change? Do you manage your identity systems, or does a third party? Does your identity provider currently support FIDO2, or is support coming? What about your devices – are they running supported operating systems, or do you have some legacy devices hanging around?
- What considerations should you make for managing highly secure OT networks where network access is highly restricted?
- How are you going to onboard existing users, and what needs to change for new hires?
- What about subcontractors and managed service providers?
- What happens if people leave their phones/keys at home? Are you going to have a temporary option, or is the recommendation going to be ‘go back and get it’?
- What happens when people lose their devices?
Big tech leading the passkey shift
The good news is that major innovators and industry leaders from Apple, through to Google, and Microsoft are working together to make passkeys a reality for the billions of users across their ecosystems. The push by these leaders to normalise passkeys should smooth adoption more broadly, with people becoming familiar with them across their networks and in more parts of their daily digital life.
Your own plans to introduce and integrate passkeys into your organisation’s systems will take time to devise, implement, and embed. CyberCX, Australia and New Zealand’s largest cyber security services provider, is already working with organisations to prepare for this shift, following the principles outlined here. We can help you too.