Evolving enterprise security beyond traditional passwords
In the ever-changing landscape of cybersecurity, Identity and Access Management (IAM) remains a critical link in the cybersecurity chain. In fact, the biggest threat can often come from the person sitting at the desk next to us. Everyone has moments when they’re vulnerable to attacks that exploit their biases, and the challenge with passwords is that users quickly become fatigued. Constantly creating and maintaining the growing number of passwords needed for the myriad systems they use every day is a burden that most of us would gladly be rid of.
Virtually every service or app wants a password, and each password must be a certain length and contain a special mix of letters, numbers, and special characters. Without such requirements, many users would use weak, predictable passwords that were easier to remember—and many of us still reuse passwords even though we know we shouldn’t.
Fortunately, as technology advances, so do the methods available to securely authenticate users. That’s why passwordless authentication is becoming increasingly popular among organizations, as it eliminates many of the pain points and costs associated with managing passwords in an enterprise-sized organization. One increasingly popular password alternative is passkeys, a modern take on traditional passwords. Offering improved user experience, security, and scalability, passkeys help improve authentication and, in turn, the state of security in 2024.
Passkeys are a more secure and simple option than passwords. Passkeys allow users to log in to applications and websites using biometrics such as fingerprint or facial recognition, a PIN or a pattern, meaning they no longer need to remember and manage passwords.
The Fast Identity Online (FIDO) Alliance is at the forefront of passkey technology. FIDO standards, such as FIDO2 and WebAuthn, facilitate secure authentication mechanisms by enabling passwordless logins via biometrics, USB tokens, or mobile devices. By eliminating the need for passwords entirely, FIDO standards mitigate the inherent vulnerabilities that come with traditional authentication methods.
Specialist in identity and access management, Thales.
Not all passkeys are the same
While all types of passkeys serve the same purpose, there is some variation in how they can be stored and managed. There are two categories: synced and device-specific.
Synced passkeys are synchronized between a user’s devices via a cloud service, which can be part of a particular device’s operating system or third-party software. This allows users to seamlessly access their credentials across multiple devices. Whether they’re logging into a website on a laptop or opening an application on a smartphone, synced passkeys provide a consistent and seamless user experience.
Device-specific passkeys are tied to specific hardware, such as a smartphone or a USB security key. By leveraging the unique characteristics of each device, these passkeys increase security by adding an extra layer of protection against account compromise. This type of passkey also reduces the reliance on centralized servers, reducing the risk of data leaks and server-side attacks.
While the experience of using passkeys is incredibly frictionless, one major barrier remains: the level of support from services, websites, and software. In order to use passkeys, any site that wants to be passkey-enabled will need to update its authentication mechanism to support and accept passkeys. That said, many of the major mobile operating systems and web browsers such as iOS, Windows, Android, and Chrome support the technology – which will help others make the change in the short term and push it toward a tipping point in mainstream adoption.
What is the best way to implement this?
To ensure a smooth and secure transition, businesses would do well to keep the following in mind before implementing passkeys within their organization:
First, it’s worth considering an MFA approach that incorporates biometrics or hardware tokens in addition to passkeys. This improves authentication integrity and resilience against unauthorized access attempts, as passkeys should ideally be enrolled when the user’s identity is already highly trusted. Enabling enrollment outside of an MFA step can pose a security risk, as typical session- or token-based mechanisms lose their assurance after a while. For example, people leave their phones and laptops lying around unlocked.
The most important step to avoiding implementation challenges is to understand your users. This may seem obvious, but for any passkey implementation to be successful, it must be configured to match the user’s authentication journey. Think about how employees actually use applications and access data in the real world, versus how security teams would like them to. The two don’t always align.
Next, know your risk appetite. While there are certainly ways to avoid excessive conflict between security and user experience (UX), until passkeys gain more ubiquitous support across devices and environments, some tough decisions need to be made about where the company believes it is most vulnerable to attack.
Finally, it pays to stay on top of updates. Passkey providers are constantly updating their compatibility with browsers and ecosystems, meaning that just because there is no support for a particular piece of software, the situation could be very different in the near future. More and more new hardware also offers passkey or biometric authentication out of the box.
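The two points above that matter most to a relying party are distinguishing synced from device-bound passkeys and refusing enrollment outside a fresh, strongly authenticated session. The following is an added example, not code from the article or from any vendor: a server-side registration policy check that reads the flag byte of the WebAuthn authenticatorData (UP, UV, BE, BS and AT are the real flag bits; BE marks a credential that can be synced) and combines it with a hypothetical session field `mfaVerifiedAt` and a hypothetical policy object.

```javascript
// Added example, not from the article. Assumes a session object carrying the
// timestamp of the last MFA step-up and a policy object; the flag layout is
// the real WebAuthn authenticatorData layout.
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40 };

// authenticatorData = rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,    // biometric/PIN check performed
    backupEligible: (flags & FLAG.BE) !== 0,  // BE set: credential can be synced
    backedUp: (flags & FLAG.BS) !== 0,        // BS set: currently backed up
    hasCredential: (flags & FLAG.AT) !== 0,   // attested credential data follows
    signCount: new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0),
  };
}

function classifyPasskey(parsed) {
  return parsed.backupEligible ? "synced" : "device-bound";
}

// Policy: enroll only inside a fresh MFA-verified session, require user
// verification, and optionally require device-bound keys (e.g. admin roles).
function checkEnrollment(session, authData, now, policy) {
  const p = parseAuthData(authData);
  if (!p.hasCredential) return { ok: false, reason: "no attested credential" };
  if (session.mfaVerifiedAt === undefined || now - session.mfaVerifiedAt > policy.maxMfaAgeMs)
    return { ok: false, reason: "stale or missing MFA step-up" };
  if (!p.userVerified) return { ok: false, reason: "user verification not performed" };
  const kind = classifyPasskey(p);
  if (policy.requireDeviceBound && kind !== "device-bound")
    return { ok: false, reason: "synced passkey not allowed for this role", kind };
  return { ok: true, kind, signCount: p.signCount };
}

// Constructed sample: dummy rpIdHash, chosen flags, signCount = 1. The attested
// credential data that would follow byte 37 is omitted because it is not parsed here.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}
```

A real deployment would also verify the attestation signature, the challenge and the origin before applying this policy; the check here covers only the enrollment-context decisions the text describes.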
What now?
With support for operating systems, websites, and other services increasing, it really looks like passkeys could kill the password for good. Thanks to a range of innovative authentication methods, such as biometrics, hardware tokens, and cryptographic protocols, businesses now have the tools to finally move beyond the limitations of traditional passwords and improve their security posture.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.