
Andrew Shikiar at the FIDO Alliance explains why passkeys are the future in a secure, passwordless world
Stop me if you think that you’ve heard this one before. Earlier this year we saw a staggering 10 billion passwords from a compilation of old and new data breaches leaked in an event called “RockYou2024”. The breach offers threat actors another new source of passwords to try in credential stuffing attacks to gain unauthorised access to individuals’ online accounts. It’s anticipated that this event will cause a wave of data breaches, financial fraud and identity theft to come...
This is just one of many examples of serious password breaches that the public has, sadly, become accustomed to. The headlines are a dime a dozen - the industry has known for some time that passwords are insufficient to secure access to systems and services and consistently let us down. And yet, here we are again.
As a result, many organisations introduced legacy second-factor authentication solutions such as SMS One-Time Passwords (OTP) or time-based one-time passwords (TOTP). These approaches are better than a password alone; however, they are still susceptible to phishing and social engineering as the password is still the ultimate factor. Not to mention that OTPs create a disjointed user experience and are expensive for organisations.
How many breaches will it take for us to finally abandon passwords and their legacy approaches to strong authentication? Well, the good news is a direct alternative – not just a band-aid – is now available and gathering momentum to eradicate the vulnerabilities of passwords. Enter, passkeys.
Based on open standards created by a cross-section of leaders in IT, e-commerce and internet services, passkeys present an unphishable and more usable alternative to passwords.
Passkeys provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. They simplify account registration for apps and websites, and work across a user’s devices and operating systems. From a user experience perspective, passkeys are used however you may usually log in to your device, like biometrics or a PIN code, making them seamless and user friendly.
Passkeys use unique cryptographic keypairs specific to each site or service, making them impossible to find or use on unrelated services. This approach addresses a major problem with traditional passwords: their risk of being stolen and reused across different sites. Unlike passwords, passkeys are resistant to phishing, as they cannot be shared or attacked at scale in the same way. The private key is never exposed or stored on the servers, reducing the risk of theft, and even if someone tries to sign into a phishing site, the keypairs won’t match, preventing the attack.
In short, passkeys are not just an add-on to improve passwords’ usability and security, they are a total replacement solution.
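The per-site keypair and origin check described above can be seen in a short Node.js sketch. This is an added illustration, not FIDO Alliance code: the `Authenticator` class, `verifyAssertion`, the result strings and the `bank.example` / `bank-example.test` origins are constructed for the example, and the authenticator data is reduced to the relying-party ID hash.

```javascript
// Added illustration: simplified passkey sign-in. Names and origins are constructed.
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Device side: one key pair per site (relying-party ID); private keys stay here.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // the server stores only this
  }
  // `origin` is reported by the browser, not chosen by the page asking for a sign-in.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey exists for this site
    const clientData = Buffer.from(JSON.stringify(
      { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    const authData = sha256(rpId); // simplified: real authenticator data also has flags and a counter
    const signed = Buffer.concat([authData, sha256(clientData)]);
    return { clientData, authData, signature: crypto.sign('sha256', signed, privateKey) };
  }
}
// Server side: accept only a fresh challenge, our own origin and RP ID, and a valid signature.
function verifyAssertion(rp, publicKey, challenge, assertion) {
  if (!assertion) return 'no-credential';
  const client = JSON.parse(assertion.clientData.toString());
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== rp.origin) return 'bad-origin';
  if (!assertion.authData.equals(sha256(rp.id))) return 'bad-rpid';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const rp = { id: 'bank.example', origin: 'https://bank.example' };
  const lookalike = 'https://bank-example.test';
  const device = new Authenticator();
  const publicKey = device.register(rp.id);
  const challenge = crypto.randomBytes(32);
  const genuine = verifyAssertion(rp, publicKey, challenge, device.sign(rp.origin, challenge));
  // The look-alike page forwards the real challenge, but the device has no key for it.
  const phished = verifyAssertion(rp, publicKey, challenge, device.sign(lookalike, challenge));
  // Even with a passkey registered at the look-alike, the origin and key differ.
  device.register(new URL(lookalike).hostname);
  const relayed = verifyAssertion(rp, publicKey, challenge, device.sign(lookalike, challenge));
  return { genuine, phished, relayed };
}
```

A production relying party should use a maintained WebAuthn library, which also validates the flags, signature counter and credential ID that this sketch leaves out.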
We all know passwords are insecure and a bad user experience. Passwords are behind over 80% of data breaches, and about 51% of password credentials are reused, making them very vulnerable to credential stuffing attacks and social engineering.
In the past year, 19% of people had at least one account compromised because of password issues, and 23% had to reset or recover a password every month. Passwords are hurting businesses too: 45% of consumers will abandon purchases if they forget their password. This is important for passkey adoption; 59% of people who know about passkeys find them more convenient than passwords, and 56% think they offer better security.
The move from passwords to passkeys in the consumer world is driven by three main trends: better password security, less consumer frustration, and more passkeys available on major websites and services.
A key hurdle for passkey adoption was availability and scalability. But over the past year, the availability of passkeys has been steadily growing, and reaching major consumer sites. Recently, Microsoft announced that Microsoft Accounts, including a wide range of services such as Bing, Microsoft 365, and Xbox Live, now support passkeys. This addition complements the support from other major global brands like Adobe, Amazon, Apple, Google, Hyatt, Nintendo, PayPal, PlayStation, Shopify, and TikTok.
In total, over 13 billion user accounts can now take advantage of passkeys for signing in as passkeys are now supported by 20% of the world’s top 100 websites.
Thanks to these high-profile passkey implementations, awareness of this technology has significantly increased. According to global research, 63% of people are now aware of passkeys. Among those who have some knowledge about passkeys, a notable 72% have enabled them on at least one account.
Additionally, 28% have enabled passkeys on every account possible, indicating that adoption will keep ticking upward as more people become familiar with the benefits of passkeys.
Brands have long been looking for a true password alternative as events like RockYou2024 happen time and time again.
Of course, passwords are deeply embedded in our digital lives, and only time will tell when the world will fully convert to passkeys. But the early pace of adoption is hugely encouraging and the foundations are in place for passkeys to replace passwords’ role in the digital ecosystem.
We expect to see a significant increase in the number of sites and services supporting passkeys over the next year, and our research makes it clear that when offered, people prefer the better security and usability of passkeys over passwords.
Andrew Shikiar is CEO of the FIDO Alliance. For more information on how to enable passkeys, visit the FIDO Alliance passkey directory.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543