From Passwords to Access Keys: A Guide for Enterprises

Passwords. We use them every day. We love them and we hate them. We are constantly frustrated by it – coming up with and remembering the required sequence of upper and lower case letters, numbers and special characters.

Simply put, “Passwords are weak and user-unfriendly,” says Gartner senior director analyst Paul Rabinovich.

And they pose a huge security risk: 81% of hack-related breaches use stolen and/or weak passwords.

Consumers recognize this: 68% believe passwords are the least secure security method and 94% are willing to take extra security measures to prove their identity. At the same time, more than half of us continue to use passwords.

Call it habit, reluctance to change or plain indifference, passwords have become established — but we need to break the habit, experts say. Notably, many in the security industry are pushing for passwordless authentication methods and the use of passkeys – and some even expect them to become industry standard.

“Passkeys are a major advancement in the identity and security industry,” he said Ralph Rodriguezpresident and CPO at Digital Identity Trust Company Daon. “They are a much more secure alternative to passwords, especially at a time when cyber threats are on the rise.”

Passkeys: on the way to widespread adoption

Passkeys are a form of passwordless identity security that enables FIDO2 authentication (standards set by the FIDO Alliance, which is intended to reduce dependency on passwords). Industry giants including Apple, Microsoft, and Google have recently supported passkeys, working with the FIDO Alliance and the World Wide Web Consortium.

This authentication method uses cryptographic keys and stores credentials for various devices in the cloud, Rodriguez explains. Users combine a password on their smartphone with securely stored and encrypted credentials in the cloud.

“Passkeys eliminate the need for passwords, enabling a more secure and faster way of account authentication,” said Rodriguez. They integrate with existing applications and can significantly reduce identity theft and phishing attempts.

Eventually they will become the industry standard, Rodriguez predicted, and adoption by multinational giants will help drive their widespread use.

“The use of password keys by enterprises, especially in industries responsible for financial and personal data, is a huge step in the right direction,” said Rodriguez.

But is this really the end of passwords?

As passwordless authentication methods challenge users to use alternate credentials, they will further reduce — and possibly even eliminate — passwords, Rabinovich said.

Currently, organizations can have multiple applications that rely on a password in the same directory. But as these applications migrate to passwordless authentication, “one day the password won’t be needed anymore,” he said.

If or when this point is reached, passwords can be completely disabled in a directory (though as of now only a few directories and identity services allow administrators to do so). In some cases, administrators can set passwords to a random and secure value that is not shared with the user, “effectively removing the password from all user experiences,” Rabinovich said.

As he noted, it’s hard to generate and remember a good password (and even harder if you have to have several). And if you forget one or it gets compromised, you’ll have to go through a password reset process. While many organizations implement self-service password reset (SSPR), administrator-assisted password reset can be costly at $15 to $70 per event.

Still, all applications relied on passwords, and users are used to them “even if they love to hate them,” Rabinovich said.

Therefore, new authentication methods and new processes for acquisition, enrollment, daily authentication and account recovery must be carefully designed.

Like everything, pros and cons

Passkeys are a more secure, faster alternative to passwords, Rodriguez said, and their ability to transfer credentials between devices speeds up and simplifies account recovery. For example, if a user loses their phone, they can retrieve the passcode and use it on another device.

“When used with user experience (UX) in mind, (passkeys) can help consumers break the habit of using passwords,” said Rodriguez.

Still, he pointed out, they may not be appropriate for all business scenarios, or for government agencies requiring National Institute of Standards and Technology (NIST) compliance. guidelines. The same is true for highly regulated industries such as financial services, where compliance requirements vary by country or region.

Also, passkeys aren’t as strong as other FIDO standards, which use biometric authentication methods such as voice, touch and facial recognition, Rodriguez said. And passkeys cannot be used for transactions with financial institutions due to Know Your Customer (KYC) standards implemented to protect financial institutions against fraud, corruption, money laundering and terrorist financing. They cannot identify users; if implemented, they can increase synthetic fraud.

Using only passwords in financial transactions can still pose certain dangers, he said, and additional biometric authentication should be considered.

Because regulators have not yet accepted the use of a passkey alone to meet the security standards required in highly regulated industries such as banking and insurance, passkeys should be combined with another authentication factor at least for now.

“The number of factors that go into authentication is a decision that will ultimately be made by the business or enterprise, but consumers and end users will have something to say about it,” said Rodriguez.

Not the end, everything

Rabinovich agreed that “not all passwordless authentication methods are the same.”

“All methods suffer from certain security weaknesses,” he said.

For example, SMS and voice-delivered one-time passwords (OTPs) are not as secure as second- or multi-factor authentication (MFA), he said. Therefore, they should only be used in very low-risk applications.

Similarly, mobile push combined with local device authentication suffers from “push bombing” or “push fatigue,” he stressed. Bad actors can take advantage of this by getting an application to bombard users with push messages that they will eventually accept.

While FIDO2 has very good security features – for example, it is resistant to phishing – it does not specify any additional processes such as user credential enrollment protection or account recovery rules. This can be a weak link. So FIDO and all other authentication methods must be carefully designed.

Support for FIDO by authentication and access control vendors is nearly universal. Some established vendors typically limit themselves to FIDO2 only, but some — including Microsoft, Okta, RSA, and ForgeRock — support additional authentication methods. These can include magic links (where users log into an account by clicking a link emailed to them, rather than typing in their username and password) and biometric authentication.

Emerging passwordless specialists – including 1KOSMOS, Beyond Identity, HYPR, Secret Double Octopus, Trusona, Truu, and Veridium – support many business use cases.

FIDO2 is “promising” but its adoption has been hampered by the unavailability of smartphone-based roaming authenticators that allow the smartphone to be used as a companion device for users working on PCs. However, this will change with the introduction and standardization of access keys, Rabinovich said.

A gradual evolution without a password

In the future, certain application architectures will make it easier to adopt passwordless authentication because the identity provider/authentication authorities can – or will soon support passwordless authentication.

“However, for legacy password-dependent applications, this will be slow,” Rabinovich said. He pointed out that many new SaaS applications still rely on the password.

Ultimately, “this will be a gradual process,” Rabinovich said, “because passwords are so ingrained.”