How the tech giants are embracing a secure future with passkeys
By Geoff Schomburgk*, Vice President of Asia Pacific & Japan, Yubico
Wednesday, 14 February, 2024
In a world where escalating cyber threats and data breaches have become all too common, the inadequacies and immense risks associated with traditional passwords and legacy authentication methods have never been more apparent.
Recognising the urgent need for stronger and more user-friendly authentication methods to safeguard users against the growing menace of attacks like phishing, the three major tech giants — Google, Microsoft and Apple — have recently thrown their weight behind passkeys.
What are passkeys?
Passkeys authenticate users seamlessly using digital keys stored on their computer or device. They are considered a superior alternative to passwords because users are not required to recall or manually enter long sequences of characters that can be forgotten, stolen or intercepted by bad actors.
Passkeys are user-centric by design: they combine strong cryptography with hardware-based security. Biometric data can be used to unlock a passkey, but this is optional.
Passkeys simplify and secure the login process, making modern phishing-resistant authentication accessible to businesses and consumers alike.
This pivotal shift in the adoption of passkeys by the major tech giants and other companies worldwide marks a significant step towards achieving a more secure online future without passwords or outdated authentication methods.
The limitations of passwords
Traditional passwords have been the linchpin of digital security for decades, serving as the first line of defence since the inception of the internet. However, their effectiveness has dwindled as cyber threats have become increasingly sophisticated. For example, Verizon’s Data Breach Investigations Report (DBIR) found that a staggering 82% of data breaches result from stolen login credentials. The limitations of traditional passwords are as follows:
- Highly insecure and easily phishable: Passwords are susceptible to theft through phishing attacks and brute-force methods, rendering them highly insecure.
- Complexity versus usability: Striking the right balance between creating complex, secure passwords and ensuring ease of use is a constant challenge for users.
- Password fatigue: Managing and remembering many passwords for various online accounts has led to what is colloquially termed ‘password fatigue’.
- Social engineering: Passwords can often be compromised through social engineering, where attackers manipulate individuals into divulging sensitive information.
The issue with legacy authentication methods
Before the advent of hardware security keys and passkeys, users had limited authentication options beyond passwords, none of which provided robust protection against phishing attacks. Not all multi-factor authentication (MFA) methods are created equal: most were not designed with security in mind and so are susceptible to compromise by scammers.
Widely used legacy MFA methods, such as numerical codes or one-time passwords (OTPs) sent via SMS or email, often demand memorisation and rely on a functional, connected, charged mobile phone with internet access and a phone signal. The user experience is clunky and often leads to frustration.
Other legacy MFA methods include time-based hardware tokens that rely on batteries, posing the risk of power depletion, and push-notification apps that require users to keep their phones with them and connected to the internet at all times. Unfortunately, all of these traditional authentication approaches have proved vulnerable to cybercriminal activity.
Acknowledging these limitations, major technology companies have embarked on a journey towards a passwordless future. Microsoft, Google and Apple have committed to adopting passkeys, a promising alternative that addresses many of the shortcomings of traditional passwords.
Emulating the efforts of global technology leaders
The success of the passwordless strategy hinges on improved user experience, increased security and broad interoperability across devices, browsers and platforms. Achieving this requires industry-wide adoption, collaboration and education on the efficacy and advantages of passkeys over traditional passwords.
Seamless integration of a FIDO2 passwordless experience won’t work without standards across devices, apps and services that do not require additional proprietary software. This requires broader industry adoption, collaboration and education around passkeys.
How the tech giants are advocating a passwordless future
The big draw of passkeys in the consumer space is that the big three tech vendors that develop operating systems and devices have integrated passkeys into everyday consumer devices like phones and laptops.
Microsoft
Microsoft’s dedication to a passwordless future is evident in initiatives such as Windows Hello, which allows users to log in using biometrics such as fingerprints or facial recognition, or hardware-based passkeys (security keys), enhancing both security and user convenience.
Google
Google actively promotes a passwordless ecosystem with its FIDO2-based authentication. Services like Google’s Smart Lock and Android’s biometric authentication options facilitate a seamless and secure user experience, reducing user dependence on passwords.
Apple
Apple, a pioneer in biometric authentication with Face ID and Touch ID, offers a frictionless login experience while maintaining high security. Apple’s support for WebAuthn standardises passwordless authentication and is compatible with security keys and passkeys.
The takeaway
Security has become a serious concern for consumers as the frequency and sophistication of cyber attacks involving them have escalated, exposing the limitations of traditional password-based or legacy authentication methods. Therefore, the support of the major technology companies for passkeys marks a pivotal turning point in our digital security journey.
More secure, user-friendly and accessible authentication methods, such as hardware security keys and passkeys, are being widely adopted. As we continue to embrace a passwordless future, we can look forward to a safer and more convenient online experience, unburdened by the shackles of passwords and outdated and clunky authentication methods.