The Future of Authentication
Resham Ganglani
CEO at Halodata Group | Cyber Security Leader | International Speaker | CEO(Asia Pacific) Certus Software
Do you have a complicated relationship with passwords? Maybe you are fine with them and personally follow all the recommended best practices, like having a different strong password for every login you have. Plus, each of these different passwords you use is very strong, with tens of characters and all the requisite special characters. None of the passwords you use is your pet’s name, or your favourite takeout food with your date of birth appended.
If you are this studious with passwords, you almost certainly use one of the many password managers to automatically create, store, and submit your passwords across your computer, smartphone, and tablet devices. Plus, you’ll have multi-factor authentication turned on for every login that supports it, and your password manager will be generating the extra security factors for you (if you are not using a dedicated device for this). You’ll also be in a minority of people regarding password use and security, possibly a tiny minority.
Passwords (and multi-factor authentication) are still the predominant way that most people authenticate to their IT systems. And that’s a problem.
Passwords Come with Problems
We all know that people are terrible at picking strong passwords and managing their use if they don’t have software to make it easier. When a password manager is not in place, the requirement that passwords be complex but memorable means that many people reuse the same password they can remember (or have written down) for multiple logins.
This password reuse problem means that if credentials leak from one of the places they get used, cybercriminals with access to those leaked passwords will try them on other systems they think those people have access to. And in many cases, they will work. To give you some idea of how many login credentials have leaked, estimates say 15 billion are available on the dark web.
These leaked credentials also provide cybersecurity researchers with interesting insights. Analysis of stolen or leaked passwords shows that the top 10 most used passwords across all the data sets are incredibly weak. Would you be surprised if I told you that a lot of people use the password 123456789? People do this because they want convenience and to get their jobs done with the least friction possible.
This 15 billion (and growing) total for leaked login credentials also shows that even if you are in the minority that uses a password manager and does everything right, your strong password and login details can still leak or, more likely, get phished. Passwords are still problematic, even when people follow all current best practice advice, including multi-factor authentication. Surely there has to be a better way?
Passkeys Enter the Chat
Passkeys have emerged as the predominant way to address the issues with passwords. Passkeys are an advanced way of authenticating that eliminates the need for passwords, making the login experience more secure and convenient. Passkeys build on standards from the FIDO Alliance with W3C support.
Passkey authentication prevents attacks that exploit stolen or hacked passwords, plus attack methods like credential stuffing. Passkeys use the familiar cryptographic key pairs that we all know from encryption and other security solutions. The key pairs used in passkeys provide:
- Strong security - Every passkey pair gets created with strong security. Passkeys are never guessable, can't be reused, and are tied to specific devices or systems. Copying the key and trying to use it on another laptop doesn't work.
- More safety from data breaches - As application servers only store the public key from a key pair, anyone stealing data that includes these public keys gets nothing that's useful.
- Phishing and scam protection - Passkeys get linked to specific apps and websites. If cybercriminals build a dummy website to trick people into signing in, this will fail. Users of a site that uses passkeys have no password or other secret they could type in. So, if they visit a clone site, their local passkey will refuse to log them into the dummy site, and the criminals will not be able to harvest anything.
Many big tech companies have already implemented support for passkeys, including Microsoft, Google, Apple, Meta (for WhatsApp), and many more.
You can read more about Passkeys via this Halodata Vendor partner explainer titled A Users Guide To Passkeys on the HYPR website.
Adopting Passkeys with HYPR and Halodata
HYPR is an industry leader in Passkey deployment solutions, and Halodata is proud to partner with them through our vendor channel.
You can read more about their Passkey solutions on their website’s dedicated Passkey landing page. You can also read about the State of Passwordless Security in their freely downloadable 2023 report.
Conclusion
The time for passkeys has arrived. They are not going to sweep away the use of login names, passwords, and multi-factor authentication overnight, nor should they. A steady rollout over time (starting with the systems that hold the most sensitive data) is the way to go. Slow and steady, then one day, we’ll realise that we hardly ever use passwords anymore.
Halodata and HYPR can help you embark on your passkeys journey, and help you stay on target to make informed choices when navigating from today to a passwordless future. Talk to us about starting your journey.
Identity Security Expert | Leader in Identity and Authentication Solutions
7 months
Great post Resham! Thanks for sharing!
Resham Ganglani thank you for sharing, good to know.
CEO at Halodata Group | Cyber Security Leader | International Speaker | CEO(Asia Pacific) Certus Software
7 months
Talton Taylor Madison Macdonald