Thursday, 15 February 2024

Passkeys: The Slow Death of Passwords

Ray Najem

Sales Representative & Webmaster

Only shortly after multi-user computer systems began gaining traction in the 1960s did the potential for security incidents become apparent. Fast-forward to the 1990s, and documented cases of security breaches surged; today they are a mundane, business-as-usual occurrence. We are witnessing an unprecedented surge in data breaches and cybercrime, projected to cost the global economy up to $10.5 trillion by 2025 (Cobalt, 2023). A significant contributor to cybercrime is undoubtedly the widespread use of weak passwords. Although adopting stronger passwords is an option, there is no guarantee they cannot be compromised. This is where passkeys come into play amidst the escalating complexity of cyber threats. Throughout this article, I will weigh the reasons why the move from passwords to passkeys is inevitable and the solution we’ve been longing for.

What Are Passkeys?

Let’s clarify what passkeys are: they are like advanced digital keys for your online accounts. Imagine each passkey as a lock-and-key pair, where the key (a private key, unlocked with your face or fingerprint) is safely kept on your device (such as your smartphone or computer) and the lock (the matching public key) is held by the website or app you're trying to access. When you sign in, instead of typing a password, your device proves it holds the key by signing a fresh challenge from the site. The key itself is never sent over the internet, so it's much safer. Unlike regular passwords, which can be guessed (e.g., brute force) or stolen (e.g., phishing), passkeys are nearly impossible for hackers to copy because the key stays securely with you on your device and only works for the genuine website it was created for. This way, passkeys provide a more secure and easier way to access your online accounts. Google, one of the major adopters of passkeys in the industry, explains how its system works in this video on YouTube.

Why Passkeys?

Passkeys offer a significant advancement over traditional passwords by leveraging cryptographic techniques, ensuring stronger and unique authentication for each access. This shift not only provides us with enhanced security measures against common cyber threats but also streamlines the user experience, eliminating the need for remembering complex passwords. For businesses looking to comply with the ever-more stringent laws around data protection and security, especially those required to comply with the GDPR in the EU, adopting passkeys bolsters their security infrastructure and helps them stay ahead of the curve.

Passkeys vs. Password Managers: How do they Compare?

Password managers have provided a centralized, encrypted vault for storing passwords for years. That might sound reassuring at first, but there’s a catch: if that one master password is compromised (a single point of failure), it can set off a domino effect that jeopardizes all our stored credentials. Putting the burden on the user to remember this one complex password seems unnecessary when we have better alternatives in place.

Passkeys, on the other hand, represent a paradigm shift. They eliminate the need for storing multiple passwords or even remembering a master password. Using cryptographic techniques, passkeys are in essence more secure, as they are resistant to common attacks such as phishing and brute force. The adoption rate speaks volumes: 1Password users alone have created over 700,000 passkeys, and the authentication success rate using passkeys has soared to 63.8%, a stark contrast to the 13.8% success rate with traditional passwords (TechRadar, 2024).

Beyond security, passkeys’ unparalleled convenience is hard to disregard. They are easily syncable across devices, removing the hassle of remembering and entering multiple passwords. This ease of use is a game-changer, especially for users who struggle with password fatigue.

Top 5 Leading Password Managers Embrace the Passkey Revolution:

1Password stands at the forefront of passkey integration, offering seamless storage, organization, and sharing of passkeys. It enhances user convenience with biometric solutions like Touch ID and Windows Hello, allowing secure sign-ins across multiple devices. Learn more about their passkey features here.

Dashlane, not to be left behind, has innovated in managing passkeys even in the absence of dedicated APIs. Through JavaScript, Dashlane enables users to choose between passkeys and traditional passwords, contributing significantly to the portability of passkeys across platforms as a member of the FIDO Alliance. Discover Dashlane's passkey advancements here.

LastPass is gearing up to introduce passkey support, promising passwordless authentication with FIDO2 standards. The service will facilitate the secure storage of passkeys in the Vault, where a user's private key remains safely on their device. More about LastPass's upcoming passkey features can be found here.

KeePass offers a unique approach as an open-source password manager, focusing on local storage of passwords. This method gives users control over their data security, often coupled with cloud synchronization for convenience. Ideal for tech enthusiasts, KeePass is freely available and donation-supported. Learn more about KeePass here.

Bitwarden recently joined the passkey movement, introducing support in 2024 even for free accounts. This feature enables the creation and storage of passkeys for passwordless sign-ins, backed by Bitwarden's robust encryption. The latest version of the Bitwarden web extension is required for this functionality. More details about Bitwarden's passkey support are available here.

A Cautionary Tale for All Digital Security Platforms


In a stark reminder of the vulnerabilities in digital security, LastPass, a well-known password management service, disclosed two significant security breaches within a few months. The first, announced in December 2022, occurred in November when unauthorized access to a shared cloud storage service led to the theft of sensitive customer data, both encrypted and unencrypted. This breach prompted LastPass to recommend users change their master passwords and monitor their accounts for any suspicious activities.

The situation escalated with a third breach disclosed in March 2023, traced back to October 2022. Here, a threat actor exploited a vulnerability in third-party software to access a LastPass engineer's account, leading to further unauthorized access to customer data. This incident included the compromise of system configurations, API secrets, and more customer data. These breaches at LastPass underscore a crucial point: the entire landscape of password management is susceptible to sophisticated cyber threats, emphasizing the urgency to transition towards more secure alternatives like passkeys. To learn more about this breach, you can read up on it from LastPass themselves here. Passkeys present a formidable challenge to hackers, effectively turning what was once a vulnerability into a hacker's worst nightmare.

The High Costs Incurred by Password Insecurity

Recent studies have highlighted the staggering cost of data breaches, with the average incident now costing around $4.35 million, and even higher for critical infrastructure at $4.82 million (Astra, 2023). These aren't mere statistics; they're a clear sign of the heavy financial burden falling on businesses, often with long-term effects. The economic toll of cybercrime is on a sharp rise, projected to hit a massive $10.5 trillion by 2025 (Cobalt, 2023). In 2022 alone, the FBI reported a record $10.2 billion lost to cybercrime (security.org, 2023). This alarming trend underscores the urgent need for stronger, more effective security solutions.


Enter passkeys: a promising, easily implementable solution for mitigating these financial risks. By shifting to passkey technology, organizations can significantly lower the likelihood of data breaches that stem from password vulnerabilities.

For a deeper dive into the statistics of passwords and the financial burden they've caused, check this webpage out.

Navigating the Future with Passkeys - The Verdict:

The move to passkeys is a long-awaited solution to the issues associated with passwords, which are soon to become a thing of the past. For organizations, this transition involves a well-planned approach, beginning with educating employees about passkey benefits and mechanics, and gradually phasing out old password systems. Key steps include conducting pilot tests, soliciting feedback, and involving IT and security teams to ensure a smooth changeover. Embracing passkeys not only bolsters security but also promises long-term cost savings by mitigating data breach risks as seen above. This evolution to passkeys is a major milestone in digital security, offering stronger protection against cyber threats while streamlining user experiences. As we adapt to this change, it's vital to view it as an ongoing process crucial for staying ahead in an increasingly complex digital world. The era of passkeys has arrived, heralding a new chapter in online security.