Are Passkeys Safe?


As I was walking around Identiverse last week, I was reminded of the old Barbara Mandrell song, “I Was Country, When Country Wasn’t Cool.” HYPR has been doing passkeys since passkeys (then known simply as FIDO credentials) weren’t cool. It’s given us a unique point of view on the overall impact and security of passkeys.

How Secure Are Passkeys?

First off, passkeys are so vastly more secure than passwords that you should run — don’t walk — to implement them everywhere that you can. Seriously. Stop reading this blog and go implement some passkeys. One of the notable moments of Identiverse was when Ryan Rowcliffe and Cisa Kurian highlighted that CVS has implemented passkeys on cvs.com faster than Google has deployed passkeys. (Go check out cvs.com and register for a passkey. It’s pretty cool.)

The Verizon Data Breach Investigations Report highlights that more than 50% of breaches come from attackers using credentials, and a large share come from phishing attacks. The beauty of passkeys is that they're not susceptible to phishing (the credential is bound to the site it was registered on, so a look-alike site can't use it) and can't be compromised in the ways that passwords can.

The Different Flavors of Passkeys

However, it's also worth looking at the security level of the different types of passkeys. As a quick refresher, synchronized passkeys (the type you're hearing the most about) can be synchronized or passed between devices by features in your operating system (iCloud Keychain, etc.) or by your password manager (Dashlane, 1Password, LastPass, etc.). Device-bound passkeys are tied to a single device.

As most security practitioners know, meeting the requirements of multi-factor authentication requires at least two independent factors from "something you know," "something you have," and "something you are." Synchronized passkeys meet only the "something you know" or "something you are" requirement, depending on whether you verify identity with a PIN or a biometric, respectively. Because they can be shared and transmitted between devices, they don't meet the possession requirement. This means that some organizations are looking at how to add multi-factor authentication on top of passkeys. (This feels a little bit like buying the latest Tesla and sticking a 1970s spoiler on it.)
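As an added illustration (not HYPR's code), here is how a WebAuthn relying party can tell the two flavors apart from the assertion it receives: the authenticator data carries a backup-eligible (BE) flag that synchronized passkeys set and device-bound ones do not. The `counts_as_mfa` policy and the `example.com` samples are hypothetical, encoding the post's argument that only a device-bound passkey with user verification supplies a possession factor alongside a know/are factor.

```python
import hashlib
import struct

# WebAuthn authenticator data flag bits (from the WebAuthn specification).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: the PIN or biometric check
FLAG_BE = 0x08  # backup eligible: the credential can be synchronized
FLAG_BS = 0x10  # backup state: the credential is currently backed up


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header of WebAuthn authenticator data:
    32-byte rpIdHash, 1-byte flags, 4-byte big-endian signature counter."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def classify_passkey(auth_data: bytes, rp_id: str) -> str:
    """Return 'synchronized', 'device-bound', or 'rp-id-mismatch'."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "rp-id-mismatch"  # assertion was not made for this relying party
    # BE set means the authenticator may sync this key to other devices.
    return "synchronized" if parsed["backup_eligible"] else "device-bound"


def counts_as_mfa(auth_data: bytes, rp_id: str) -> bool:
    """Hypothetical policy following the post's argument: only a device-bound
    passkey with user verification supplies both possession and know/are."""
    parsed = parse_auth_data(auth_data)
    return classify_passkey(auth_data, rp_id) == "device-bound" and parsed["user_verified"]


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    # Constructed sample: real data comes from the WebAuthn assertion response.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples for a placeholder relying party "example.com".
DEVICE_BOUND = make_auth_data("example.com", FLAG_UP | FLAG_UV, sign_count=7)
SYNCED = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
```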

Organizations also need to be comfortable with who will be managing their passkeys. For implementations of synchronized passkeys, organizations need to accept that they won’t know who is managing the passkeys that they’re provided. The passkey could be managed by the iCloud Keychain, Android, Dashlane, 1Password or another solution yet to be identified. Users will be in charge of who manages the passkeys on their devices.

(Let me reiterate the earlier point: passkeys are so much more secure than passwords that you should absolutely go implement them right now.)

Passkeys Built for the Enterprise

There are several scenarios where enterprises may want an authentication solution that meets the requirements of MFA and doesn’t have the same challenges highlighted above. This is where HYPR’s Enterprise Passkeys come into play. At their core, these are device-bound passkeys and are the same FIDO credential that HYPR has been based on since we were founded nine years ago. Enterprise Passkeys meet the requirements of MFA, are fully under the enterprise’s control, and can be used for other applications that require proof of possession such as digital signing and funds transfer.
