How passkeys eliminate password management headaches

In this Help Net Security interview, David Cottingham, President at rf IDEAS, discusses the key benefits organizations can expect when implementing passkeys.

Cottingham addresses the misconceptions surrounding the adoption of passkeys, particularly in the B2B landscape.

What are the key benefits that organizations can expect when they implement passkeys?

When implementing passkeys, users are ensured an extra layer of protection from phishing attacks and cases of password reuse. This is achieved by using a digital credential that can replace vulnerable passwords with a pair of cryptographic keys. One key is public and stored on the server and the other is private and stored securely on a user’s device, which means it is not reliant on users entering sensitive credentials that are susceptible to interception or manipulation.

For workers, passkeys provide the advantage of an improved user experience including boosted security measures and time and cost savings. In fact, when passkeys are implemented, workers experience a 75% reduction in sign-in time and a 95% reduction in password resets. Passkeys are twice as fast as passwords and provide consistent access across devices while ensuring that sensitive credentials are protected even if a server is breached. IT teams especially benefit from passkeys eliminating the need for password management, freeing up valuable IT time and resources typically used in addressing password-related issues.

Additionally, when passkeys are paired with other authentication methods like smart cards and single-sign-on (SSO) authentication, they can also simplify user access and streamline authentication processes by addressing different aspects of the login experience.

Are there any usability challenges that could affect the adoption of passkeys, especially in large organizations with diverse user bases?

There are several usability challenges that could affect the adoption of passkeys. Key among them is compatibility, as passkeys may not work on outdated operating systems or older devices. Bypassing the technical roadblocks, user resistance is often the reason for a failure to adopt new technology such as passkeys. After all, users have been leveraging passwords since the early 1960’s.

Emphasizing training and education on how to provision passkeys is essential to adoption, as registration could be challenging for non-tech-savvy users. It may be best to start with small groups or departments to address unique challenges within the organization’s diverse culture and educate users.

Organizations are starting to adopt passkeys to enhance security and optimize productivity, and as with any new implementation, there will be challenges. Passkey implementation should begin with top-level leadership as early adopters, which will help employees buy in and ensure a smooth transition from traditional passwords to passkeys. Upfront investment in planning, and creating robust policies and processes, will be critical to the implementation’s success.

FIDO has recently created a library on their site named Design Guidelines to assist with design principles for implementing passkeys and creating a positive end-user experience.

Despite the advantages, why do you think passkeys have not yet seen widespread adoption in the industry?

Despite the advantages, passkeys have not yet been widely adopted in the B2B landscape. Up to now, adoption has been more widespread in a consumer environment. The primary reason for a lack of adoption among business organizations is the lack of education of passkeys among IT professionals. Some IT professionals still don’t understand the risks associated with traditional passwords. For example, 81% of data breaches are the result of weak or stolen passwords. Furthermore, it’s not widely known that passkeys are a phishing-resistant method, a common form of attack being deployed by hackers.

Assuming IT professionals understand the benefits of passkeys, the other hurdle for widespread adoption has been a lack of understanding of implementation. Organizations still do not have a clear picture of how to onboard and offboard, provision, distribute, and manage passkeys for their users. Just as it’s critical to provide the user with a seamless experience, it’s just as important to provide the IT administrators with a frictionless implementation experience.

What common misconceptions about passkey implementation have you encountered among businesses?

There’s a big misconception that passkeys are a consumer-based authentication method. However, businesses can take full advantage of the benefits of passkeys. In fact, organizations have as much, if not more, to lose as individual consumers if faced with a phishing attack.

Another common misconception is that passkeys are limited to web applications due to the prominence of WebAuthn standards that address compatibility and technical limitations. However, passkeys can also be used for desktop and mobile applications.

Many believe that passkeys require the use of biometrics for multi-factor authentication. However, modernized platforms can leverage employee badges as one factor of authentication that can be paired with a pin. While biometrics, such as fingerprint or facial recognition can be used as a factor, it is not required. Lastly, while passkeys significantly reduce risks like phishing, they are not foolproof. There are always other security measures and vulnerabilities that need to be considered depending on the use cases and threats.

Can you share any real-world examples of passkeys successfully implemented and what lessons can be learned from these implementations?

Among our earliest adopters of passkeys are clients across the manufacturing, hospitality and healthcare industries. In addition, enterprise organizations like Target and Yahoo have implemented passkeys for both consumer and workforce environments. One key lesson we’ve learned is that organizations are very interested in leveraging their existing employee badges as a FIDO passkey to be used in combination with a FIDO capable reader. Moreover, we’ve found that converting ID badges to FIDO passkeys is remarkably seamless, with some implementations being completed overnight.