While May 4 was World Password Day, the day prior constituted an inflection point that may force a change to next year’s event, perhaps to be called “World Passwordless Day” or “Password Memorial Day.” Google, which hinted at its move to passkeys at the 2023 RSA conference — where it launched an update to Google Authenticator — followed through on May 3 with an announcement that it will enable passkeys across accounts on all its major platforms.
Identity and credential management operators also spoke at RSA about the sunsetting of passwords. While security experts agreed that the change won’t happen overnight, some said that Google’s announcement represents a sea change in the security space.
Industry shifts to passkeys across devices
Here are some telling stats from Tech Jury: Fifty-two percent of Americans use the same password for multiple accounts, and 13% use one password for all.
Google’s announcement comes a year (to the day) after the company, along with Microsoft, Apple and others said they would start the shift to passkeys with expanded support for a common passwordless sign-in standard created by the Fast Identity Online Alliance and the World Wide Web Consortium.
SEE: Apple touts Passkey (TechRepublic)
“Since then, Apple and Google have readied their operating systems for service providers to enable sign-ins with passkeys that sync across devices: Windows 10 and 11 have long supported device-bound passkeys in Windows Hello — and passkeys from iOS or Android devices can also be used to sign into sites in Chrome or Edge on Windows,” Andrew Shikiar, FIDO Alliance executive director and chief marketing officer wrote.
The FIDO Alliance worked with industry to develop FIDO2, the set of specifications that passkeys are built on. FIDO2 credentials live in an authenticator: originally a flash-drive-like security key that plugs into a USB port, but today just as often a smartphone or the platform authenticator built into a laptop.
The FIDO Alliance maintains three specification families, all based on asymmetric (public-key) cryptography; FIDO2 is the one passkeys use:
- FIDO Universal 2nd Factor (U2F), a phishing-resistant public-key protocol for adding a second factor to a password login, now carried forward within FIDO2.
- FIDO Universal Authentication Framework (UAF), an open standard for passwordless authentication with end-user devices, typically unlocked with a biometric.
- FIDO2, which pairs the Client to Authenticator Protocol (CTAP) with the W3C's Web Authentication (WebAuthn) specification: WebAuthn is the browser API a website calls, and CTAP is how the browser talks to an external authenticator such as a security key or a phone.
Passkeys keep the secret on the user's side rather than on the server. Instead of a password stored on the server and memorized by the user, the site stores only a public key; the matching private key is generated on the user's device. A biometric such as a fingerprint, or the device PIN, unlocks the authenticator locally, the authenticator signs a challenge from the site with the private key, and the site checks that signature with the public key it holds. The private key never leaves the device, explained Shikiar; what synced passkeys add is that the same private key is also copied, encrypted, into the user's cloud keychain so the user's other devices can use it.
“Before passkeys, let’s say I enrolled with ‘ecommerceProvider.com’ on my iPhone and go to the same site on my iPad. I’d have to enroll my iPad as well, and my PC and everything else,” Shikiar said.
“I’d have to remember that password and keep it front and center. It’s inconvenient and counterintuitive to the general direction that people are going. Passkeys allows synchronization of the private key, which then is on your device but also synced in the cloud. This means if I go to that website from my phone or my iPad, it automatically recognizes me from my user ID,” he added.
The FIDO Alliance’s Online Authentication Barometer, released last October, found that the entering of passwords online dropped by 5% – 9% across all five major use cases it tracks – accessing financial services, work computers and accounts, social media, streaming services, and smart home devices – compared to 2021. Also, 70% of people had to recover a password at least once in a given month, and 59% gave up on accessing an online service in a given month, with 43% abandoning purchases because they couldn’t remember a password.
In its new survey-based report, the Alliance found:
- Fifty-seven percent of U.S. consumers expressed interest in using passkeys to replace passwords, while 39% said they were merely familiar with the concept.
- More than 47% of respondents said they are at least somewhat familiar with passkeys, and 57% are interested in using passkeys to sign into their accounts.
- Passwords are still the most-used sign-in method, but consumers now say they prefer biometrics over passwords (29% versus 19%).
- Nearly 60% of consumers have abandoned purchases in the last six months because of a forgotten password.
- Ninety percent of consumers report having to reset or recover passwords.
- Thirteen percent of respondents said they must recover passwords daily or several times per week, and nearly 60% reported several password resets per quarter.
- Seventy percent said they use passwords that are a year old.
Password managers and IAM vendors keyed in
Identity and access management firms like Cisco’s Duo, as well as Okta and 1Password, are moving quickly toward a biometrics and passkey future. FIDO noted that PayPal, Yahoo! Japan, NTT DOCOMO, CVS Health, Shopify, Mercari, Kayak and SK Telecom are among the many others doing likewise.
Starting this summer, 1Password, which launched Universal Sign On earlier this year, will let customers store, manage and use passkeys to access their online accounts through 1Password in the browser. One of the company’s goals is to free passkeys from being tied to a specific device, so that a user signing in from a new device is not locked out, by having its mobile app act as a 2FA-style authenticator for passkeys.
At the RSA conference, 1Password CEO Jeff Shiner told TechRepublic that society’s shift to passkeys won’t happen overnight because passwords, all their limitations notwithstanding, are familiar.
“Convincing people to move onto something new requires building trust in the security of new technologies,” he said.
“For example, with biometric data it’s important for people to understand that their fingerprint data, for example, remains on the device. It’s not being sent to 1Password. We have to educate them that biometrics are more secure,” he added.
“It will take time to transition fully away from passwords depending on each company and their customers. For every survey you see around passwords there tends to be a stubborn 20-something percent of people who prefer them. And because of that it will take time to fully transition away from them,” Shikiar concurred.
1Password’s Watchtower feature lets users know when passwords stored in 1Password’s vault have been compromised, and it alerts users when websites begin supporting passkeys.
The company also launched Passkey.directory, which tracks websites that support passkeys and lets users vote on sites that should add passkey access.
SEE: More here on 1Password’s password-free future
From Shiner’s point of view, e-commerce adoption of passkeys is imminent because of the security and marketing benefits.
“Home Depot, for example, has millions of customers and has to store and protect all of those passwords, which puts lots of risk on the CISO,” he said.
“From the CMO side, it’s an equal concern because how many people in the middle of checking out abandon their cart because issues with their password become a friction point? Passkeys are more secure, provide a much better experience and are better from a security, cost and risk point of view, and I’m protected by ownership of the device, so I’m reducing the attack surface.”
Your device is your fingerprint
Fleming Shi, chief technology officer at security, networking and storage technology company Barracuda Networks said passwordless is ideal because your device becomes an extension of your identity.
“It’s a TPM: trusted platform module. What’s good about it is your device is your trust point, instead of relying on a token or MFA, the device itself is the key, an extension of what you are. And generally, that trust between you and the device is highly managed,” he said.
Barracuda works with passwordless workforce identity management firm TruU, which uses additional data and telemetry to determine user identity based on data points such as time of login and location.
“It becomes a more refined way of identifying yourself,” Shi said.
From password managers to passkey managers
Shikiar said password — or key — managers will become a critical part of the identity management ecosystem.
“A lot of consumers use password managers because they live in a multiplatform world. Password managers give you independent, cross-platform implementation. If you are using password managers today for your passwords, you’ll do the same with your passkeys. We are working on ways to formalize that process,” he said.
The passkey imperative: Humans are the new perimeter
At the RSA Conference, Cisco announced that its Duo identity authentication application would expand Trusted Endpoints technology to all users with a registered or managed device, which includes passwordless login.
Iva Blazina Vukelja, vice president of product for zero trust at Cisco, said an issue with passkeys isn’t only that they are shared across devices, but that they can be shared across people. FIDO2 addresses this with roaming authenticators, which talk to the browser over the Client to Authenticator Protocol and can be a hardware key such as a YubiKey or a smartphone.
“It allows you to have your phone as a roaming authenticator in a passkey like manner and lets you share across devices, without sharing across different people who are not supposed to have access to those devices,” she explained.
She pointed out that post-COVID, with the explosion in remote and hybrid work, the security imperatives behind the move to passkeys have to do with the human being as the new threat surface.
“In the past 12 to 18 months we have seen an unprecedented number of attacks on multi-factor authentication protocols. What brought that on? Remote access is number one,” she said, adding that a combination of factors makes people the perfect fifth wheel to the security cart.
“Forty percent of corporate apps are software-as-a-service, and 80% of our corporate customers allow unmanaged devices on their networks. The confluence of this establishes personal identity, the user, the person, as a new perimeter. An attacker sitting 4,000 miles away can trick your end user into giving up your user name, password and MFA token to access a SaaS application, and you in the SOC won’t see it because the attacker has done all of this without crossing your network, and they didn’t see it because your endpoint didn’t get breached either. It’s the human that was breached. And that perimeter is undermanaged, and unobserved.”