Have any of us forgotten a password before? Probably all of us, right? This is one of the issues associated with traditional passwords that we use every day. To keep them secure, they must now be extremely complex, which requires exceptional memory or, if that fails, the help of password manager apps, which may be somewhat risky.
What if there were a more secure way to access our accounts without having to remember passwords? Google believes passkeys are the solution.
A passkey is a digital identity that allows users to authenticate and sign into apps and websites without needing to remember a username and password. Instead, authentication is done using a biometric sensor (fingerprint or facial recognition), a PIN, or a pattern.
Unlike passwords, this login method does not require an additional authentication factor (such as OTP one-time passwords). According to Google, passkeys are easier to use and 40% faster than passwords. Google also claims passkeys are more secure, thanks to the type of encryption they rely on.
For this reason, Google has officially made passkeys the default sign-in option for all users. So there is no better time to understand the benefits, risks, and challenges of passkeys.
Why are passwords slowly heading toward obsolescence?
When passwords were invented in the 1960s by a professor at MIT, simple, easy-to-remember combinations were enough to prevent unauthorized access. Today, however, cyber attackers can crack complex character combinations extremely quickly, which makes passwords as an identification method insecure and fragile.
What happens is that most people write their passwords down on a note—either on paper or digitally (and this is not the most secure approach)—or they rely on password manager apps, which are also vulnerable to hacking. Evidence of this includes the troubling August 2022 cyberattack that targeted LastPass, and more recently the October 2023 data breach involving Okta.
It is true that Multi-Factor Authentication (MFA) has greatly improved security for logins in recent years. But the reality is that you still need to remember the main password to proceed.
So passwords are no longer easy to use or secure, which is why their usage is declining.
The birth of passkeys
In 2012, the FIDO Alliance (Fast IDentity Online) was formed by several leaders from companies across different sectors in order to work together on a passwordless authentication protocol.
The first version of FIDO authentication was completed and deployed in 2014, while FIDO2 appeared in 2018. This enabled stronger, standardized FIDO authentication across all web browsers and related infrastructure.
In general, FIDO authentication is based on public key cryptography, the foundation on which passkeys are built. André Courtez, Infrastructure Systems Manager at act digital, explains how it works:
“Passkeys use cryptography made up of two keys: a public key stored on the service server, and a private key stored on the user’s device. After biometric approval, the public key is sent to be paired with the service’s key, and authentication happens. The private key is never sent.”
Are passkeys really more secure than passwords?
The answer appears to be yes. According to André Courtez, this is due to the encryption method used in passkeys:
“There is no longer any risk of password theft or identity impersonation, even if the devices themselves are lost or stolen,” he says.
Elias Shmengui, a cybersecurity expert at act digital, agrees with André’s view, pointing out that passkeys require physical proximity to the devices.
“Passkeys limit identity information theft through physical authentication. They are not vulnerable to phishing attacks or password breaches. This means that even if someone gets your username and password, they will always need the physical passkey to access your account, significantly reducing the risk of unauthorized access and strengthening overall security,” Elias explains.
In summary, our cybersecurity expert believes that passkeys can effectively reduce various cybersecurity threats, namely:
Identity data breaches
“Because passkeys do not rely on passwords, they prevent stolen login information from being used in automated login attempts across different platforms.”
Account takeover
“Because passkeys provide an additional layer of security, it becomes very difficult for attackers to take over accounts even if they manage to obtain some login information.”
Brute-force attacks
“Passkeys are not susceptible to brute-force attacks, where attackers try to guess passwords using automated methods, because they operate outside the password-based authentication system.”
Challenges of implementing passkeys
For businesses in particular, integrating passkeys into the current IT infrastructure should not be a major problem today. According to our Systems and Infrastructure Manager, it is not a major concern at present:
“Almost all smartphones, tablets, and laptops are equipped with biometric sensors, so it seems these new methods can be adopted easily. On the user side, the infrastructure is covered, with devices and systems capable of managing and recognizing biometric records. It really depends on companies to adapt their existing infrastructure to accept passkeys.”
For his part, Elias believes that ensuring compatibility and seamless integration of passkeys with current systems and software may face issues during adoption, leading to workflow disruptions.
“This may require changes or updates to the current configuration. A good deployment plan can reduce disruptions,” he explains.
Regarding privacy policies and control, the act digital experts raise some concerns:
“One advantage of passkeys is the synchronization between devices within the same ecosystem. While that is useful for users, it raises issues in terms of control, security, and compliance. Synchronization between personal devices and passkeys may result in identity and company data being shared with people outside the organization,” André Courtez warns.
Elias adds:
“Biometrics and other advanced authentication methods involve collecting and storing sensitive user data. It is essential to ensure privacy and secure handling of this data.”
Beyond these challenges, our cybersecurity expert also identifies a few other potential issues that companies should keep in mind:
Reliance on physical devices
“Companies using passkeys may face problems if employees forget their passkeys, lose them, or if they get damaged. This dependence on a physical device can lead to access issues and potential downtime if no alternatives are available.”
Cost and logistics
“Deploying passkeys inside an organization involves costs related to purchasing and distributing these physical devices. Managing and replacing lost or damaged passkeys can also create additional logistical expenses.”
A single point of failure
“Although passkeys enhance security, if a hacker manages to physically access an employee’s passkey, they can bypass other security measures, creating a risk if it is not handled properly.”
Best practices related to passkeys
According to our experts, when transitioning to a passkey-based authentication method, companies and employees should consider the following security measures:
Secure storage
Protect passkeys the same way you would protect anything else of value. Keep them in a secure place and avoid leaving them unattended or in a location that is easy to access.
Reporting lost or stolen passkeys
Report any lost or stolen passkeys immediately to the IT department or the security officer. This enables fast action, such as disabling the passkey to prevent unauthorized access.
Regular software updates
Keep passkey firmware and related software up to date to benefit from security patches and improvements.
Avoid sharing or lending passkeys
Encourage employees not to share or lend their passkeys to others, because it compromises security. Ensure comprehensive training on how to use passkeys, including best practices and what to do in case of loss or theft.
Regulatory compliance
Make sure passkey systems comply with industry standards and regulations to avoid legal and compliance issues.
Control
Creating a strong system for monitoring, managing, and replacing passkeys, along with ensuring timely updates and patches, is essential to guarantee ongoing security.
Who uses passkeys?
In addition to Google, the following companies already support the use of passkeys as password alternatives:
PayPal
Adobe
TikTok
GitHub
Microsoft
Amazon
WhatsApp
Uber
X (formerly Twitter)
LinkedIn
eBay
and others…
In the near future…
Even though passkeys are being adopted as the default way for all users to sign in, Google will continue to support traditional passwords. This means users can still use them if they want, for example by disabling the option “Skip password when possible.”
However, industry experts generally agree that passkeys seem to be the future, not only because they are more secure, but also because they are easier to use.