Evolving enterprise security beyond traditional passwords


In the ever-evolving landscape of cybersecurity, Identity and Access Management (IAM) remains a vital link in the chain. The greatest threat can often come from the person at the next desk, not through malice but because everyone has moments when they are vulnerable to attacks that exploit their habits and biases, and passwords wear those habits down. Constantly creating and keeping track of a growing number of passwords for the myriad systems they use daily is a task that leads many of us to seek workarounds wherever we can.

Almost every service or app wants a password, and each must be a certain length and a particular mix of letters, numbers, and special characters. Without such requirements, many users would pick weak, predictable passwords that are easier to remember, and many of us still reuse passwords even though we know we shouldn’t, so a breach at one site exposes accounts at many others.

Fortunately, as technology advances, so do the methods available to authenticate users securely. This is why passwordless authentication is growing in popularity among organizations: it eliminates many of the pain points and costs that come with managing passwords in an enterprise-sized organization. One increasingly popular alternative is passkeys, a replacement for passwords built on public-key cryptography rather than on a shared secret. Offering improved user experience, security and scalability, passkeys are helping improve authentication and, alongside that, the state of security in 2024.

Passkeys are both more secure and easier to use than passwords. A passkey is a cryptographic key pair: the private key stays on the user’s device and is unlocked locally with a fingerprint, facial recognition, a PIN, or a pattern, and the service only ever sees a signature produced by it. The biometric or PIN never leaves the device, and users no longer have to remember and manage passwords.

The Fast Identity Online (FIDO) Alliance is at the vanguard of passkey technology. Its FIDO2 standard, made up of the W3C WebAuthn browser API and the CTAP protocol that connects browsers to authenticators, enables passwordless logins via platform biometrics, USB security keys, or mobile devices. Because the credential is bound to the website’s origin and the server stores only a public key, FIDO authentication removes the vulnerabilities that go hand in hand with passwords: there is no shared secret to phish, reuse or leak in a breach.

Simon McNally

Identity and Access Management Specialist, Thales.

Not all passkeys are the same

While all types of passkeys serve the same purpose, there is some variation in how they can be stored and managed. There are two categories: synced and device-bound.

Synced passkeys are synchronized between a user’s devices via a cloud service, which can be part of a given device’s operating system or third-party software. This gives users frictionless access to their credentials across multiple devices: whether logging into a website on a laptop or accessing an application on a smartphone, synced passkeys ensure a consistent and seamless user experience. The trade-off is that the security of every synced passkey then rests on the cloud account that holds them, including its recovery process, so that account deserves the strongest protection available.

Device-bound passkeys are tied to specific hardware, such as a smartphone or a USB security key, and the private key is generated in and never leaves that device. Because the key cannot be copied or synced, these passkeys add another layer of protection against account compromise, and the authenticator can attest to the service which kind of device holds the key, so policy can insist on approved hardware. With either type of passkey the server stores only the public key, so a breach of the server yields nothing that can be replayed against the user.

While the experience of using passkeys is incredibly frictionless, a significant barrier remains: the level of support by services, websites and software. To use passkeys, each site that wants to be passkey-enabled must update its authentication mechanism to be able to support and accept them. That said, the major operating systems and web browsers, including iOS, Android, Windows and Chrome, already support this technology, which will help spur others to make the change in the short term and push towards a tipping point in mainstream adoption.

How best to implement?

To ensure a smooth and secure transition, businesses would do well to bear the following in mind before implementing passkeys within their organization:

Firstly, tie passkey enrolment to strong authentication. Passkeys should be registered only when the identity of the user is already highly trusted, so require a fresh multi-factor step, such as a biometric or a hardware token, immediately before registration rather than accepting any live session. Enabling enrolment outside an MFA step creates a security hazard because typical session- or token-based mechanisms lose their assurance over time: people leave their phones and laptops lying around unlocked, for instance, and whoever registers a passkey on such a device gains durable access to the account.

The most essential step to avoid implementation challenges is understanding your users. This may seem obvious, but for any passkey implementation to succeed, it has to be configured to match the user authentication journey. Consider how employees actually use applications and access data in the real world, as opposed to how security teams might want them to. The two may not always match.

Next, know your appetite for risk. Although there are certainly ways to avoid excessive conflict between security and user experience (UX), until passkeys enjoy more ubiquitous support across devices and environments, some difficult decisions need to be made about where the business believes it is most vulnerable to attack.

Finally, it pays to keep on top of updates. Passkey providers are constantly updating their compatibility with browsers and ecosystems, which means that even if support isn’t in place for a particular piece of software today, the situation may be very different in the near future. Increasing amounts of new hardware also support passkey or biometric authentication out of the box.

What next?

With increasing support across operating systems, websites and other services, it really does feel like passkeys could eradicate the password for good. Thanks to a range of innovative authentication methods, such as biometrics, hardware tokens, and cryptographic protocols, companies now have the tools to hand to finally move beyond the limitations of traditional passwords and boost their security posture.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Simon McNally is Identity and Access Management Expert at Thales.