To simplify the message from speakers at a June authentication summit:
Passkeys > password.
The challenge for organizations implementing the emerging login credential known as the passkey will be finding the right option—like synced or device-bound—and preventing the dreaded “friction” that discourages employees from using it.
“It is imperative for us as employers to understand some of those differences, to be able to choose the right passkey for the right situation, based upon our security needs, our regulatory compliance needs,” said Dean Saxe, senior security engineer at Amazon Web Services, who also serves as the cochair of the FIDO Alliance enterprise deployment working group (EDWG).
Saxe, along with other industry authentication enthusiasts, spoke on June 29 at a virtual summit titled “Considerations for Passkeys in the Enterprise,” presented by the FIDO Alliance, an industry association promoting security standards. The EDWG recently released a series of papers offering guidance to companies considering the new option.
Passkey basics. No need to come up with 12 characters, a number, and a symbol—a passkey is an automatically generated, unique private key tied to the specific device. The “relying party,” or the location requiring authentication, holds the matching public key, previously registered for that user. That pair together is a kind of Arnold Schwarzenegger-and-Carl-Weathers-in-Predator secure handshake that confirms identity; anyone logging in, including a malicious hacker, needs the registered device and the passkey it holds.
In practice, that means a login experience can be as simple as going to Kayak.com, adding an autofilled passkey at login, maybe doing a touch-ID biometric to establish local proximity, and getting that plane ticket. (That specific demo was shown during the summit.)
Device-bound passkeys require the original hardware device for login. Synced passkeys are available on all of an individual’s devices that share the same sync account, so any of them can be used to log in to the same destination.
Pick a passkey, any passkey. Tom Sheffield, senior director of cybersecurity at Target, told the summit audience that the synced option suits many of today’s organizations, especially those still implementing passwords and multi-factor authentication.
“I think, generally speaking, a synced passkey offers significant improvement over password plus legacy MFA, and is definitely something you should be considering in your environment,” said Sheffield.
Some organizations, like government entities and the Department of Defense, however, may require AAL3 (Authenticator Assurance Level 3), which means hardware-based authenticators.
Choices of device-bound versus synced passkeys may just come down to risk appetite.
“Maybe your cloud administrators or system administrators are required to have a higher level of assurance than a normal user accessing another application,” said Sheffield, during the presentation.
Clearing things up. Orgs going with the passkey option will need to clear any obstacles that could frustrate a user, said Sheffield, who reminded the audience to ensure that any synced passkey implementers enable integration mechanisms, like iCloud keychain syncing.
“Once you’ve introduced friction, that gives users the chance to jump out of the process anytime they want,” Sheffield told the crowd of remote attendees.
Apple and Google both allow passkeys upon registration. Microsoft, too, is adding passkey support to its Windows 11 OS. Password managers are also prepping their own versions of passkey creation and support.
Whatever the choice for users: there’s one clear answer, according to Sheffield.
“If you take nothing else away today, remember that passkeys are better than passwords, period,” Sheffield said.