September 29, 2023
Here Comes Passkeys!
The next version of Windows 11 (23H2) due October 2023 adds support for passkeys. Google also added passkey support for Google accounts back in May of this year, and many popular websites allow you to utilize this feature as well. So, what are passkeys? Simply, they eliminate the traditional username and password combination for logging in to things. The are a ton of reasons why using a username and password is broken, and passkeys represent a strong effort to make authentication quick, easy, and more secure. From Microsoft’s description:
Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign-in challenges, making the authentication process faster, secure, and more convenient.
Today, we’re just going to cover some simple advantages and disadvantages of passkeys over passwords.
Advantages
- Passkeys are more secure. They are linked to a specific device making it more difficult than just guessing a password by a bad guy.
- Better experience for users. Whether client or employee, forgetting a password always negatively impacts the user experience. Passkeys eliminate this issue.
- Passkeys are always strong, where passwords are not created equally - Some are weak, some are strong.
- Passwords need to be changed periodically with many password policies. Not true with passkeys.
- No need for password storage. Passkeys eliminate this need.
- Associated costs of passkeys over the long-term should ultimately be lower than password authentication.
Disadvantages
- Not all websites or applications accept passkeys, leaving users trying to take advantage of this new technology while still living in a world of the old. Adoption may be slow for a while.
- While user experience with passkeys is an advantage, adapting to new technology can be difficult for some users.
- Passkeys use biometrics to verify accounts. A smudge of dirt on a finger, a blemish on a face may hinder verification, making something easy become a minor annoyance.
- If you don’t have your device with you, you won’t be able to authenticate.
- Losing your authentication device with passkeys is painful. Regaining access to your accounts may require providing IDs and take considerably more time than clicking “reset password.”
Like all things, passkeys have benefits as well as shortcomings when it comes to moving to passwordless authentication. And while in theory, passkeys sound like a silver bullet, actual implementation will ultimately determine if passkeys are better for your organization. Look for more discussion of passkeys in our weekly security tips as adoption of use grows, and implementation and management improve.
Authored by: Brad Goetsch, CBISO
You May Want to Read More:
Security Incident Notification Rule and Service Providers - WST
September 21, 2023
Back in November of 2021, the OCC, FRB, and FDIC jointly issued a final rule requiring banking....
Pig Butchering – What to Know About this Virtual Currency Scam and FinCEN Alert FIN-2023-Alert005 - WST
September 14, 2023
The Financial Crimes Enforcement...
Standard Password Complexity Rules Just Don’t Cut It Anymore - WST
September 7, 2023
Microsoft Active Directory has had password complexity requirements....