By Ralph Rodriguez, President and Chief Product Officer at Daon
Cyber risks become more prevalent and sophisticated every day. As consumers look to increase their security online, passkeys may be the emerging solution they're looking for. Passkeys, which the FIDO Alliance initially described as multi-device credentials, provide a more secure alternative to passwords. I've spent many years as a security expert and have seen the industry advance beyond standard passwords. Passkeys are an important innovation in this evolution. While the underlying FIDO2 and WebAuthn specifications have been around for a few years now, industry leaders like Apple, Google, and Microsoft are enthusiastically driving efforts to roll out passkey technology to their users.
In 2023, the global annual cost of cybercrime is predicted to top $8 trillion, according to a recent Cybersecurity Ventures report, making the push to migrate users away from passwords even more salient.
Much of the news around passkeys lately has focused on their availability on consumer devices, including the latest iOS update for Apple’s iPhone. But how do passkeys apply to the enterprise, where many companies have advanced identity authentication solutions?
In my daily discussions with different business leaders, there are five things I encourage them to keep in mind when it comes to passkeys and identifying the best methods to protect their businesses and customers:
- Passkeys are a simpler way to move beyond passwords. Users never have to manage the contents of a passkey: the key pair is generated on the user's device, the private key never leaves the device's secure storage, and each passkey is unique to the site it was created for. Because the browser will only release a passkey to the site it is bound to, a passkey cannot be typed into or captured by a look-alike phishing page, and it removes the friction of legacy second factors such as SMS codes and knowledge-based questions. Passkeys are stored in a vault, such as a device's keychain or password manager. Synced passkeys can follow the user across their devices and can be restored through the OS provider's account after upgrading or losing a device.
- Passkeys are based on an industry standard established by the FIDO Alliance. While tech giants like Apple, Google, and Microsoft have recently released passkey technology, the specification for passkeys was actually developed by an industry consortium, the FIDO Alliance. The FIDO Alliance’s members include leading companies from the technology, infosecurity, financial services, and consumer sectors.
- Passkeys require user and industry support to be more widely accepted. Browser support for passkeys is essential. Now that most major web browsers support the specification, a wide range of devices (smartphones above all) will need to offer passkeys, and businesses will need to offer passkey support to their customers. With B2C technology leaders supporting passkeys, consumer adoption will increase and users will expect more businesses to offer passkey support for identity authentication. While today's OS providers are targeting the average consumer with passkeys, nothing in the standard limits passkeys to consumer use, and their adoption is growing. The FIDO Alliance expects to see more high-profile cyber-attacks targeting cloud service providers that bypass traditional multi-factor authentication (MFA), which will push more major brands to adopt passkeys in 2023.
- Passkeys offered by an OS provider do have risks. When a user relies on an OS provider's synced passkeys, their credentials live in that provider's cloud account, which ties them to devices running that provider's platforms and operating systems. Apple's passkeys, for example, sync through Apple's own ecosystem and may not behave the same way as another OS provider's implementation. The other major risk is that passkey technology offered by an OS provider is controlled only by the provider. OS providers can change their implementation, EULA (end user license agreement), or underlying policy at any time, which leaves some level of risk to any adopter, whether a user or an organization.
- Passkeys are only one part of an identity management solution for the enterprise. Most enterprises already have an identity management solution that continually needs to be updated as security requirements and governmental or regulatory compliance change. Businesses that anticipate future consumer demand for passkey support should talk to their provider about integrating passkeys into their existing system. However, passkeys may not suit all business use cases. For instance, it is unlikely that government agencies that require adherence to standards like NIST SP 800-63 or FIPS 140 would allow synced, cloud-backed credentials to be used in the near future. Also, within highly regulated industries such as banking and insurance, regulators have not yet accepted the use of a passkey alone to meet the security standards required.
As consumers and the security industry continue to adopt passwordless authentication, it’s important for organizations to understand what this shift means, both for them and their customers. I believe passkeys will become the industry standard; adoption by large enterprises will help spur their widespread use.
Ralph A. Rodriguez is President, Chief Product Officer (CPO), and a member of the Board of Directors for Daon. He is accountable for defining the go-to-market vision, strategy, and roadmaps for Daon’s products and technology. Ralph was most recently an Executive-in-Residence at Summit Partners, a Boston-based private equity firm. Previously he was a Research Scientist and Head of Identity Verification at Facebook, where he oversaw Applied Identity Intelligence. Ralph was also the co-founder and chief technology officer of Confirm.io, an identity verification and authentication company acquired by Facebook in March 2018. Ralph founded Blue Hill Research, Delfigo Security, Invenio, and NTA before Confirm.io. In addition, he was the CTO/CIO of public companies Brooks Automation (NASDAQ: BRKS), C-bridge Internet Solutions (NASDAQ: CBIS), and Excelon Corporation (NASDAQ: EXLN).