This year, Cybersecurity Awareness Month is themed “Secure Our World,” a stark reminder that simple measures can protect businesses from online threats. The week emphasizes four key strategies: using strong passwords and password managers, turning on multifactor authentication (MFA), recognizing and reporting phishing, and updating software.
While this message is accurate, and all these elements are a move towards more robust authentication, there’s an even better way than managing solid and unique passwords – adopting passkeys.
For decades, passwords have been the cornerstone of securing computer systems and applications, but they’ve outlived their utility. Many data breaches happen due to weak or reused passwords, phishing attacks, and human error, and as cyber threats evolve, passwords become more error-prone, burdensome, and outdated.
Passkeys, on the other hand, are a more secure alternative built on the FIDO (Fast IDentity Online) Alliance’s standard, which hopes to eliminate passwords altogether.
What are Passkeys?
Passkeys are cryptographic objects used for authentication. They leverage public key cryptography to maintain security without using a traditional password.
They come in two forms: synced passkeys and device-bound passkeys.
- Synced Passkeys: These passkeys are stored in cloud environments like Google’s Password Manager or Apple’s iCloud and are accessible across multiple devices linked to the same account. This eliminates the need for various password entries and enables easy recovery if a device is lost or stolen. However, synced passkeys might not meet stringent compliance requirements like those found in the European PSD2 regulations, which mandate strong customer authentication (SCA) involving unique user-device binding.
- Device-Bound Passkeys: These are bound to a specific device, which helps with compliance with SCA and other regulatory standards—useful in highly regulated industries like finance and healthcare. Device-bound passkeys can be managed via hardware tokens or directly through service provider apps, giving businesses more control and security.
Improving Security Stacks
More and more businesses are now using passkeys to improve their security stacks. Passkeys are the answer to many of the challenges raised by Cybersecurity Awareness Month by simplifying authentication processes and improving security outcomes at the same time. Here’s how:
- Phishing Resistance: Unlike passwords, passkeys are resistant to phishing attacks. For some time, phishing has been a top threat, and this won’t change anytime soon. Passkeys help mitigate this risk by ensuring that a service can only be accessed by the right cryptographic key, which renders phishing ineffective.
- Seamless User Experience: No one likes friction, and a smoother authentication process means employees will be less inclined to try and work around security policies. A Harvard Business Review study found that more than 60% of employees circumvent security policies because they believe they hinder productivity. By using passkeys, entities can cut the friction that is an inevitability with password changes, MFA prompts, and password resets.
- Compliance and Regulation: As regulatory requirements become increasingly stringent, and regulations like the EU’s PSD2 or US financial sector guidelines tighten, passkeys — particularly device-bound passkeys — help keep businesses compliant without compromising user convenience.
Implementing Passkeys
Google, Apple, and Microsoft are now supporting passkeys across their platforms, which is a great opportunity for businesses to integrate passkeys into their authentication strategies. Here’s a roadmap for successful implementation:
- Evaluate Business Needs: Determine the level of security your business requires. For low-assurance activities, such as accessing non-sensitive applications, synced passkeys bring a nice mix of convenience and security. For high-assurance environments (think financial transactions), device-bound passkeys will help the business meet compliance standards.
- Update Your Authentication Infrastructure: Ensure that your systems and services support passkeys. This may mean updating the tech stack or bringing on board a vendor to ensure smooth and error-free integration. Companies should consider using passkeys in conjunction with MFA for another layer of security—MFA is another key recommendation from the Cybersecurity Awareness Month campaign.
- Educate Your Workforce: Even the best security tools are only as good as the people who use them. Ensure that employees understand the importance of passkeys and how they offer a phishing-resistant, secure alternative to traditional passwords.
- Monitor and Adapt: As passkey adoption increases, monitor evolving best practices and compliance requirements. Regularly audit your authentication methods to ensure they align with the latest regulatory standards.
A More Secure Future with Passkeys
As businesses work to enhance security in light of Cybersecurity Awareness Month, it’s clear that passwords might not be dead, but they should think about putting their affairs in order.
Passkeys are the future, helping companies move towards a more strong and efficient security posture. Again, in line with Cybersecurity Awareness Week, consider using password managers—a great tool to store and manage passkeys that provides a seamless way to integrate advanced authentication methods while keeping credentials safe and easily accessible.
The path to a passwordless world won’t happen overnight, but adding passkeys to the business’s security roadmap is a giant leap toward safeguarding your organization. Remember, securing your business doesn’t have to be complex — with passkeys, it can be simple, efficient, and resilient. Cybersecurity Awareness Month is an international initiative that educates everyone about online safety and empowers individuals and businesses to protect their data from cybercrime.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.