SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Clarifying perceptions related to passkeys and MFA

Yesterday

Passkeys have captured considerable attention in the past two years. Their rapid rise in popularity can be attributed to the world's largest tech companies, which act as identity providers for billions of users, adopting and promoting them. This shift has made passkeys more accessible, pushing them towards becoming the new de facto standard for secure consumer authentication across apps and websites.

Unlike traditional passwords, which are highly vulnerable to phishing attacks, passkeys seamlessly authenticate users online using cryptographic security "keys" stored on their computers or devices. They are considered a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters that can be forgotten, stolen, or intercepted. This method represents a leap forward in account security, offering an authentication approach vastly more secure than the outdated password model still used by the majority.

Although many consumers are likely aware of secure authentication practices like passkeys, cyber-attacks continue to run rampant. Yubico's new 2024 Global State of Authentication survey found that 58% of respondents still use usernames and passwords to log in to their personal accounts, and 39% believe that usernames and passwords are the most secure option. At the same time, 37% of consumers consider SMS-based authentication the most secure despite the well-documented risks associated with this method, including its susceptibility to phishing attacks.

This lack of awareness is concerning, particularly in a region as diverse and digitally connected as Asia Pacific, where mobile usage and internet penetration rates continue to rise. As organisations push to educate their users on secure multi-factor authentication (MFA) practices, they must also acknowledge the fast-paced digital adoption happening in this region and tailor their security solutions accordingly.

Demystifying passkeys and common misconceptions
One common source of confusion in discussions around passkeys is the subtle distinction between device-bound and syncable passkeys. Many use these terms interchangeably, but it's essential to understand the differences. Passkeys refer to both classic FIDO2 credentials that are bound to a single device, such as hardware security keys like a YubiKey, and syncable credentials that can be accessed across multiple devices, typically via a cloud service or identity provider.

The difference between device-bound and syncable passkeys may seem minor, but it has significant implications for how passkeys are implemented and the security levels each provides users. Device-bound passkeys, which reside on a single hardware security key, mobile phone or laptop, offer one of the highest levels of security available today. Syncable passkeys, on the other hand, are copiable and can be stored across multiple devices – creating the potential for more seamless user experiences while introducing certain risks regarding cloud security and identity management.

Despite these differences, passkey technology itself is not new; it has existed in hardware security keys, such as the YubiKey, since 2017. However, the term "passkey" and the different forms it now covers are relatively new to the cybersecurity industry. As a result, many software developers and security professionals are still exploring the best practices for integrating passkeys into their systems, particularly when transitioning from password-based methods to modern authentication models. Implementing passkeys in a way that is both secure and user-friendly remains an ongoing challenge as developers work to create the most seamless user experience (UX) possible.

As passkey awareness and adoption grow, several critical considerations exist for organisations integrating passkeys into their consumer-facing services. While the technology is promising, much work remains to optimise its use and adoption globally. Many best practices are still being refined, and organisations must remain agile in their implementation to ensure they provide their customers the most secure and best UX possible.

MFA and the Essential Eight
In the context of cybersecurity frameworks such as the Australian government's Essential Eight, passkeys and MFA play a critical role in enhancing security. Under this framework, MFA requires the use of at least two authentication methods from different categories to verify a user's identity. These categories are:

1. Knowledge: Something the user knows, such as a password or PIN.
2. Possession: Something the user has, such as a physical token or smartphone.
3. Inherence: Something the user is, such as biometric verification (e.g., fingerprint or facial recognition).

A vital aspect of the Essential Eight's updated guidelines is that organisations should not rely on two factors from the same category, such as two knowledge-based factors. Historically, security questions were often used as a secondary factor, but this is no longer considered secure due to the increasing likelihood of those factors being compromised.

With phishing attacks and other cyber threats becoming more sophisticated, the Essential Eight requires phishing-resistant secure authentication methods for Maturity Levels 2 and 3. This is where passkeys can provide significant value. Using possession-based credentials, whether device-bound or syncable, means organisations can significantly reduce the risk of unauthorised access.

The future of authenticating with passkeys
Passkeys present a promising solution for MFA; they are cryptographically secured, eliminating the need for weak knowledge-based factors like passwords. Additionally, when combined with other MFA factors, such as biometric verification (inherence), passkeys offer a strong defence against phishing attacks and other forms of credential theft.

Passkeys are still evolving but represent a fundamental shift in the approach to online security. As they continue to develop and become more widely adopted, organisations embracing this change will be better equipped to navigate the challenges of digital identity management, ensuring that security and user experience remain at the forefront of their efforts.
