It’s a great time to think more about passkeys, and not just because this Thursday is another World Password Day. Let’s look at where those 2022 passkey plans stand, and what companies will have to do to deploy them across their enterprises.

Interest in the technology, also referred to as passwordless — a bit of a misnomer — has been growing since Google announced its support last fall and before that when Apple and Microsoft also came out in support last summer.

Certainly, it’s about time we moved away from passwords. According to the 2022 Verizon Data Breach Incident Report, 80% of data breaches still begin with a phishing or “man-in-the-middle” attacks, using hijacked account credentials to take over an account. And according to HYPR’s “State of Passwordless Report,” a third of information technology help desk time is spent on password resets. Passkeys can prevent these sorts of attacks and cut down on these support calls.

To refresh your memory, the big three computer platform vendors have worked mostly within the FIDO Alliance to develop passkeys, using a series of web and security protocols. You can see one passkey demo here (shown adjacent) to set one up and another demo on the WebAuthn website here, along with links to download the code to implement the standard.

Passkeys work by forgoing the standard username/password for an online login. You will use either your Android phone or your iPhone to authenticate yourself. If you have used an authenticator app, the workflow will be similar, but simpler: You don’t have to remember the sequence of digits to type. Plus, criminals won’t be able to steal your code, because it’s stored and encrypted on your phone. If we examine the various authentication methods, such as using SMS codes or password managers (shown below), passkeys are a superior security solution.

Last week there were two sessions devoted to the technology at RSA Conference. Christiaan Brand, a Google passkey product manager, gave an update. “We are at the point where mass transition away from passwords to passkeys can start to happen,” he said during his talk, which also showed some code samples and user workflows to implement them.

Note the careful language: After 10 years of work within FIDO, passkeys are poised to come out into the real world. “It might take some time for regulations to catch up and for users to become accustomed with them,” he admitted. Update: That said, Google on May 3 said it has begun rolling out passkey support to consumer accounts and said it will bring the feature to Google Workspace soon.

A second RSA session was given by Derek Hanson, a vice president at Yubico, a maker of hardware encryption keys. He focused on authentication dilemmas and how to solve them. He put passkeys in the context of other tools such as smart cards and the earlier FIDO approaches, which are not as good or don’t offer as clear-cut benefits as passkeys, which are “a way to get rid of passwords faster because passkeys can be managed by either the device platform or a third-party provider.”

But here’s the rub: For passkeys to truly replace passwords and these older authentication methods, they have to work in a lot of different situations, including logging into websites, your smartphone and desktop apps, and for supporting a variety of operating systems too. That is a hard problem to solve, because it means that a key has to be shared across all those environments. If you have an iPhone, a Chrome browser and a Windows laptop, you have to figure out some way to share the keys across the three different vendors. That interoperability has been slow to come to fruition by the vendors.

Second, the passkey solutions don’t yet require attestation, or tying the key to a particular human being’s identity. Given that they are created by machines, that makes some sense. All the vendors recognize this flaw, and Google now supports better attestation protocols in its current Android 13 phones. It is a start.

Finally, there are differences in implementations between business and consumer-oriented solutions for passkeys. A consumer-based product has to manage millions of passkeys and scaling up to support that kind of load. A business wants interoperability across all the various devices, browsers, and websites that its users touch to get their daily work done.

Where to go from here? Google’s Brand recommends that you should first identify key applications that would benefit from passkey deployment and start a trial with this set. You will eventually need to buy or build a FIDO server to connect the various implementations and offer a cross-platform solution. These include Nok Nok, HYPR, SecretDoubleOctopus and Beyond Identity, among others. You can also look at open source options, but you will need to write some Javascript code to the various APIs and build an appropriate user interface. Update: If you want to get an early start on actually using passkeys, 1Password maintains this list of websites that currently support them.

And although having user awareness training is often mentioned in the context of stopping password phishing abuse, “training users doesn’t completely work,” says Yubico’s Hanson. “Phishing attacks are going after the weakest part of authentication, and succeeding. We have to build systems for our users that are phishing-resistant.” He especially emphasizes that application development groups and vendor/supplier partners need better security like passkeys for preventing supply-chain attacks.

Yes, the day of passwordless is coming. But building an enterprise passkey solution will require some effort at understanding how they are configured and how they secure your users, something Hanson addressed at his RSAC session. Maybe on World Password Day in 2024 we can finally break out the bubbly and celebrate their actual demise.

(Disclosure: The author has consulted with the FIDO Alliance and Nok Nok in the past.)

Images: qimono/Pixabay, FIDO Alliance