

Passwords are probably the most well-known account security feature that exists today. But they’re problematic. They’re the security vulnerability behind phishing attacks – and cyber criminals are known to use compromised credentials to pull off ransomware attacks.
But were passwords ever really fit for purpose? Was it reasonable to ask everyone to use a different password of at least 8 characters, with a combination of letters, numbers and special characters, for every account they opened, and then to change those passwords on a regular basis – while remembering them all without ever writing them down or using anything simple? … Not surprising that passwords have been the security Achilles heel for so long.
Given the issues associated with passwords, and it’s not all the individuals’ fault for not complying with the crazy password requirements, we are not surprised to see lots of innovation in this area. Multi-factor authentication is widely used as a backup for a single password – though MFA can introduce its own risks. (See our previous post regarding contractors using MFA on their personal phones).
Passkeys are another innovation – and they are taking off. Apple, Google, and other large tech companies have all rolled out passkey security in the past months.

Passkeys are an alternative to passwords and are considered to be both more secure and more convenient. They work by having a person’s device generate a unique cryptographic key that is used to unlock an account.
“Passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.” – Google.
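The sign-in check behind the phishing resistance described above, as an added example (not code from the original post or from Google): a simplified WebAuthn-style assertion in Node.js, showing what the site verifies before it accepts a passkey response. The origins `accounts.example` and `accounts-login.example`, the function names and the reduced authenticator data are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const RP_ORIGIN = 'https://accounts.example'; // constructed: the genuine site
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Registration: the device generates the key pair; the site stores only the public key.
function registerPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side (simplified): the browser writes the origin it is really on into
// clientDataJSON, then the device signs authenticatorData || SHA-256(clientDataJSON).
function deviceSign(privateKey, challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: browserOrigin,
  }));
  // Simplified authenticator data: hash of the site's host name plus a flags byte.
  const authenticatorData = Buffer.concat([sha256(new URL(RP_ORIGIN).hostname), Buffer.from([0x05])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: check type, challenge and origin, then the signature over the same bytes.
function serverVerify(publicKey, expectedChallenge, { clientDataJSON, authenticatorData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== RP_ORIGIN) return 'bad-origin';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const { publicKey, privateKey } = registerPasskey();
  const challenge = crypto.randomBytes(32); // fresh for every sign-in attempt
  const genuine = deviceSign(privateKey, challenge, RP_ORIGIN);
  const lookalike = deviceSign(privateKey, challenge, 'https://accounts-login.example');
  // Editing the origin after signing changes the hash that the signature covers.
  const edited = { ...lookalike, clientDataJSON: Buffer.from(
    lookalike.clientDataJSON.toString().replace('accounts-login.example', 'accounts.example')) };
  return {
    genuine: serverVerify(publicKey, challenge, genuine),
    lookalike: serverVerify(publicKey, challenge, lookalike),
    edited: serverVerify(publicKey, challenge, edited),
    replay: serverVerify(publicKey, crypto.randomBytes(32), genuine),
  };
}
console.log(demo());
```

Unlike a password or an SMS code, a response produced on a lookalike page carries that page's origin inside the signed data, so the genuine site rejects it, and a captured response cannot be reused against a later challenge.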
Here’s an overview of some of the benefits and features of passwords and passkeys:

While they come with benefits above and beyond password protection, passkeys are not a perfect account security system.
Some of the known pitfalls that come with passkeys include:
While the big names in tech have introduced passkeys, widespread adoption is going to be slow. For now, though, it is wise to consider using passkeys whenever they are offered, provided that their adoption does not pose any procedural or operational challenges.
You should strongly consider whether any passkey technologies exist to secure your sensitive data – whether that’s personal information of your customers, confidential trade secrets, or anything else that’s high value to your organisation (and therefore cyber criminals).
Many passkeys rely on facial recognition or fingerprints: This should ring alarm bells. Biometric technologies come with significant benefits and significant risks. Before introducing any technology into your workplace that requires the use of biometrics, you will need to complete a privacy impact assessment (PIA).
If you’re considering introducing passkeys at your organisation or you need any help with security, reach out. Our team of privacy consultants would love to work with you.