Device-bound passkeys: A potential solution to secure authentication's persistent password vulnerability problem
A recent Global State of Authentication survey of 20,000 employees revealed that more than half use the same username and password for both their personal and work accounts, making them vulnerable to cyberattacks. In response, it's crucial for organisations to adopt more secure authentication methods to protect sensitive data and critical infrastructure.
One of the most promising solutions is the adoption of passkeys. These authentication methods use public-key cryptography, where the private key remains securely stored on the user's device and is never transmitted. Authentication happens via biometrics (like fingerprint or face recognition) or device PIN, eliminating the risks of phishing because there are no shared secrets to steal or reuse. Major platforms such as Apple, Google, and Microsoft support passkeys, promoting interoperability through FIDO2/WebAuthn standards.
Passkeys simplify authentication, enhance security, and prevent attackers from acquiring credentials via phishing emails or keylogging. They are a significant step towards a password-free ecosystem, which ultimately offers enhanced protection against phishing and credential theft while improving usability.
Other passwordless approaches include magic links, one-time passwords (OTP), biometric integration, and push notification approvals. While these methods offer some benefits, they also have vulnerabilities that make them less secure compared to passkeys.
Device-bound passkeys, in particular, are emerging as the de facto authentication solution to replace passwords and legacy multi-factor authentication (MFA) systems. They operate by using something you know (a PIN) alongside something you have (a hardware security key), which is inserted into a device and physically touched. This approach provides a superior level of security for channel managers since it requires users to prove possession and presence to log in.
The move to passkeys could save the UK government several million pounds annually and improve cyber resilience on a national scale. Device-bound passkeys stored on physical devices like security keys cannot be shared or copied across the cloud, making them resistant to phishing attacks.
However, advanced phishing and sophisticated attack techniques, along with the threat of AI-driven cyberattacks, are on the rise. Establishing phishing-resistant users by implementing phishing-resistant MFA for all employees and secure processes for account registration and user recovery can eradicate phishing threats.
To realistically transition away from passwords, organisations often adopt hybrid approaches that encourage strong, unique passphrases and multi-factor authentication for legacy systems. They gradually roll out passkeys and hardware-based authenticators for higher-value or critical accounts. They also invest in user education and in infrastructure that supports modern authentication standards (FIDO2/WebAuthn).
Using passwordless authentication platforms designed for scalability and security, such as enterprise-focused solutions like MojoAuth, enables organisations to improve their overall cybersecurity posture realistically and sustainably. This evolutionary strategy balances immediate security needs with progress towards a password-free ecosystem.
In conclusion, passkeys backed by public-key cryptography, biometrics, and multi-factor methods—enabled through interoperable standards like FIDO2/WebAuthn—represent the most realistic and effective solutions to replace passwords and combat phishing in digital authentication. Supplementing this with comprehensive passwordless platforms and transition strategies enables organisations to improve their overall cybersecurity posture realistically and sustainably.
- To better protect sensitive business data and critical infrastructure, it's essential for organisations to adopt more secure authentication methods like passkeys, which use public-key cryptography.
- On the financial side, the UK government could save several million pounds annually by adopting device-bound passkeys, as these methods resist phishing attacks and enhance cyber resilience.
- Hybrid approaches, combining strong passphrases, multi-factor authentication, and passkeys or hardware-based authenticators, can enable a realistic transition away from traditional passwords in business and infrastructure.
- As the data, cloud-computing and wider technology ecosystem grows, implementing passwordless platforms built on interoperable standards (such as FIDO2/WebAuthn) can help companies enhance their overall cybersecurity posture in a practical and sustainable manner.