Published by Jed laundry, Senior Manager, Security 2 May 2024
18 months ago, we wrote a blog about how we’re gearing up to kiss passwords goodbye. We said passkeys, a replacement for passwords, were going to be a key part of the passwordless migration. Instead of remembering and typing a password, your device will manage your passkeys for you, making them phishing-resistant.
To mark World Password Day today, we thought we’d reflect on where we are now, why we still have passwords, and what our projections are.
Where are we now
Since our original blog post, we’ve seen:
- Tech leaders, including Apple, Google, and Microsoft, continuing to improve support for passkeys in their platforms and services, including guiding users to use passkeys (or at least strongly-generated passwords) by default, and continuing to develop their product roadmaps around passkeys.
- Countless consumer services add support for passkeys, including PlayStation, where it is not only a more secure login option, but as anyone who has ever tried to type a password via a controller can attest, greatly improves the user experience.
- Organisations turn on passkeys as a multi-factor authentication (MFA) option, alongside existing push-based MFA; and a small but growing number of organisations adopt passkeys to replace passwords + push-based MFA (in most cases, supporting physical security keys).
What issues remain
Based on our experiences, the biggest issues preventing the shift to passkeys are:
- Lack of awareness: why businesses should prioritise phishing-resistant authentication.
- Technical debt in authentication and Identity flows.
- Inconsistent end-user experiences.
Lack of awareness: why businesses should prioritise phishing-resistant authentication
As with any new technology, there are early adopters who get it, and want to realise the benefits before their competitors. But most people want to wait for the technology to settle and for and early issues to be resolved before implementing it.
The challenge with this approach is that, as we’ve seen with adversary-in-the-middle (AITM) phishing kits and QR code phishing, threat actors are moving faster than defenders. By not taking action, it’s costing businesses real money in ransomware and business email compromise (BEC) incidents.
While there are some residual end-user experience issues with passkeys (keep reading), with the increasing sophistication of threat actors means that now is the time to start thinking about how you’re going to adopt phishing-resistant authentication.
Technical debt in authentication and Identity flows
Once the need for passkeys becomes clear, the first major hurdle for businesses is often the technical debt in their identity technology stack.
As we outlined in the previous blog post, every good business change project starts with a plan. If you can, start with the list of systems and applications that are federated to your Okta or Entra ID directory, and then start working down the list from most-to-least important (your pool-car-booking web app users don’t need the same level of assurance as your cloud admin users).
Inconsistent end-user experiences
Security doesn’t end at 5pm, and unless we want to end up with users’ personal accounts being used as a common attack vector, we need people to move away from poor password practices at home too.
Ironically, turning on passkeys at work is easier than doing it at home, because at least at work there’s always someone you can call for help. For people to be as comfortable about passkeys as they are about passwords, they have to be confident: to understand what they’re doing, across the multitude of services they use, and it has to work first time, every time.
Sadly, even highly technical users can still struggle with passkeys, and as pointed out by recent Mastodon discussions and blog posts, there are still issues with some passkey implementations.
As we’re implementing passkeys in our businesses, we need to be conscious that this is a big change, and some use-cases are more ready than others. This comes down to good planning: understanding what you have, where the quick-wins are, and starting small to build internal knowledge and confidence.
What happens next?
Despite these issues, passkeys are still the best way to deploy phishing-resistant authentication, at scale, across all different types and sizes of organisations; which is desperately needed to address the growing impact of credential-based attacks.
We believe that businesses need to start planning now for how, where, and when they’re going to start using passkeys.
With any business change, if you dive head-first into the technology without a plan, you may struggle to complete the change successfully, and potentially confuse your users in the process.
Any plan to migrate to passkeys should consider how the technology will be implemented. Questions to ask include:
- What training and support are your users going to need?
- What are the target applications? What apps already use single sign-on?
- What about your devices – are they running supported operating systems, or do you have some legacy devices hanging around?
- How are you going to onboard existing users, and what needs to change for new hires?
- What about subcontractors and managed service providers?
- What happens if people leave their phones/keys at home? Are you going to have a temporary option, or is the recommendation going to be ‘go back and get it’?
This list is just a subset of how we would typically approach an identity change project. As Australia and New Zealand’s largest cyber security services provider, we have experts available to help guide you through a successful implementation.
