From Passwords to Passkeys: Tailoring Your Business Journey

The FIDO Alliance is working to enable a world without passwords in which passkeys implement secure, phishing-resistant authentication based on public key cryptography. These passkeys are FIDO technology-based credentials that can be used to access a digital account or application. Backed by the world’s top tech titans, passkeys are already revolutionizing how people securely access these digital accounts and applications. 

It’s easy to see why – passwords are hard to remember, easy to steal or phish, and time-consuming for both users and IT teams to manage. Password-related cybercrime is on the rise and the average cost of a data breach is nearly 4.5 million dollars – not to mention the reputational loss. Besides these challenges, enterprises have also been facing stringent regulations for multi-factor authentication (MFA) and cyber insurance adoption. It is no wonder that, as of December 2023, more than 7 billion online accounts were leveraging passwordless sign-ins using FIDO technology.

Benefits of Passkeys

In the enterprise environment, passkeys offer many important benefits. They are resistant to phishing attacks and can’t be compromised through a corporate network breach, since only public keys are stored within corporate servers. Security is further strengthened by requiring users to confirm that they own the device through a PIN or biometric — reducing the risk of credential theft or loss. Realizing these and other security benefits requires a few deployment prerequisites, most of which can also enhance the convenience of the authentication journey.

For workforce use cases, passkeys help eliminate password inefficiencies for employees while enabling organizations to avoid the high costs and reputational risks of phishing-related incidents. This is particularly important for highly regulated state and local governmental entities, law enforcement agencies, critical infrastructure and other organizations where high assurance is crucial. Passkeys help combat these threats by facilitating the vital shift from legacy, knowledge-based credentials that users must remember to modern, possession-based credentials that they simply carry in their hand.

How Passkeys Work

Passkeys leverage the FIDO open standards to provide passwordless, strong authentication using public key cryptography.  Figure 1 shows how FIDO authentication eliminates the risk of a common phishing attack – man-in-the-middle –, since attackers don’t have access to the user’s private key.

Figure 1:  FIDO authentication begins with the challenge-and-response process. Each passkey or private key can only be used for a single account, and for optimal security, the user must prove ownership of this passkey with a user verification method like those used to unlock a phone (PIN or biometrics). Only then can the account be accessed.

Passkey Types – Which is the Best for my Use Cases?

Initially, passkeys could only be stored on dedicated hardware tokens known as security keys or smart cards. Users presented them to a computer or phone in order to authenticate themselves. Today’s passkeys can be stored in the cloud and used on ordinary smartphones to access digital accounts, thanks to expanded support for this type of passkeys from the high-tech ecosystem (e.g., Google and Apple). This offers a high level of trust while giving users more options through the choice of either platform-synchronized passkeys (“synced” passkeys) or device-bound passkeys. The differences are important for enterprise administrators to understand: 

1. Synced Passkeys: Stored in a cloud, synced passkeys are ideal for consumer applications. They can be accessed on different user devices, enabling users to employ multiple devices for accessing an account without having to re-enroll each one. These types of passkeys are user-friendly since they don’t require additional hardware or software, butleverage the most popular smart phones that users already have. 

2. Device-bound passkeys: These passkeys boost security and enjoy broad support while offering an extra layer of security since they require an additional piece of hardware that cannot be shared digitally. They bind a specific sign-in credential to a specific device (for example, a Crescendo Security Key or a Smart Card). The advantage with device-bound passkeys, specifically with a smart card, is that it can be used to access IT systems and doors – ensuring that the user is tethered to this device to access doors within the facility. This ensures that the smart card is not left  unattended, which would create a scenario for a security breach..  

A few enterprises, like AWS, support device-bound passkeys to authenticate B2B customers. This goes hand in hand with more common enterprise and workforce-facing applications. Device-bound passkeys offer greater security and tend to be more optimal for these applications that require a certified, user-friendly and portable authentication solution with cross-platform support. These passkeys also require minimal setup, are easy to use, and are available in small sizes and various formats that are easy to carry. 

In addition to the choice between synced and device-bound passkeys, there are a few other enterprise deployment best practices to consider. These include tailoring the user experience, strengthening the value of “converged access” smart cards across multiple use cases, and improving workforce productivity.    

Best Practices for Passkey Deployment

Each enterprise’s passkey adoption journey will be unique, depending on their industry, the systems they already have in place, and the employee use cases they need to address. Things to consider include ease of integration with their existing authentication systems (hardware and software), ease of onboarding one or more vendors, and disruption to employees’ current ways of authenticating (devices and systems). 

Ideally, passkey solutions should offer an end-to-end passwordless experience. This requires an end-to-end solution, including enterprise-class device-bound passkey authenticators that are read by contact and contactless readers (which can either be incorporated into the devices or connected to them), and backend authentication. This enables organizations – especially those with high regulatory or corporate requirements – to tailor unique, end-to-end workforce journeys with the highest time-to-value.

Credential options for enterprises should also, ideally, include both security keys and smart cards to provide flexibility based on the various use cases. Security keys offer a reader-free solution for strong multi-factor authentication (MFA) and passwordless authentication to enhance remote access security. Smart cards, on the other hand, provide the additional benefit of converged access, which means they can leverage ID badges employees are already used to for both physical access to facilities and passwordless access to digital resources (i.e., workstation login and network access). These multi-technology, converged-credential options often support FIDO2, PKI and OATH for logical access and also should, in turn, be supported by a variety of backend authentication capabilities to enable future-proof deployments.

Finally, a FIDO passwordless authentication solution can increase workforce productivity and operational efficiency with two important capabilities. First, the solution can offer the option to have a shared PIN across logical access technologies (FIDO, PKI and OATH), so employees don’t need to remember two PINs for the same device. It can also have a PIN recovery capability – with some credentials, if the PIN is forgotten or locked, the credential can no longer be used. This capability enables passkeys to be unlocked remotely, reducing helpdesk calls and maximizing the value of the investment made.

Enterprises increasingly need to consider passkeys within the larger universe of MFA options so they can strike the best balance between protection and ease-of-use.  Whether FIDO technology and passkeys are already part of an organization’s strategy or something administrators plan to gradually bring into their workforce, today’s end-to-end FIDO passwordless solutions pave the way for initial rollouts as well as future upgrades. 

Enterprises that select device-bound passkeys achieve the security they need, and for those who use smart cards, there is the additional advantage of using these passkeys as an employee ID badge to both get into the door and  access business applications and workstations. This high-value, converged-access capability is delivered with a single, convenient device that is easy to onboard in workforce/enterprise environments. It maximizes the time-to-value of security investments while increasing productivity through passwordless authentication.