From Passwords to Passkeys: 5 Things to Watch Out

In the past year or so, passkeys have gained significant mindshare as a promising alternative to traditional passwords for user authentication. With passkeys, the goal is to eliminate the vulnerabilities associated with passwords, and enhance security. However, before organizations rush to adopt passkeys, it is important to understand the considerations and potential caveats associated with widespread passkey implementation. Let's look at five key considerations.

User Education and Adoption

Passkeys represent a significant shift from traditional password-based authentication. Educating users about the benefits of passkeys and providing clear instructions on how to set them up and use them across different platforms and devices is crucial for successful adoption. Clear communication and training can help users understand the value of passkeys and mitigate potential confusion or resistance.

Potential considerations to ease passkey adoption:

• Develop comprehensive training materials, including video tutorials, step-by-step guides, and FAQs, to help users understand passkeys and how to use them effectively.
• Leverage internal communication channels, such as email campaigns, intranet portals, and town hall meetings, to raise awareness about the transition to passkeys and their advantages.
• Implement a phased rollout approach, starting with a pilot group or specific departments, to gather feedback and refine the educational materials before organization-wide deployment.
• Provide dedicated support resources, such as a help desk or knowledgeable champions within each department, to assist users with passkey setup and troubleshooting.

Compatibility and Cross-Platform Support

While passkeys are designed to be a cross-platform solution, the implementation and support across different operating systems, browsers, and devices may vary. Ensuring compatibility and providing a consistent user experience across different platforms is essential for a seamless migration. Organizations must assess whether their existing systems and applications are compatible with passkey authentication or if modifications are necessary. Organizations should also stay informed about the latest developments in passkey standards and consider the potential impact on their adoption plans.

Potential considerations to improve passkey compatibility:

• Continuously monitor and track WebAuthn support across different platforms, browsers, and device types used within your organization.
• Develop a compatibility matrix and maintain updated documentation to help users understand which devices and browsers are fully supported for passkey authentication.
• Implement fallback authentication mechanisms, such as one-time passcodes or security keys, for scenarios where passkey support is limited or unavailable.
• Work closely with device manufacturers, platform providers, and browser vendors to stay informed about their WebAuthn roadmaps and provide feedback on your organization's specific requirements.

Account Recovery and Backup Mechanisms

Unlike passwords, passkeys are tied to specific devices and cannot be easily shared or transferred. This makes account recovery and backup mechanisms crucial to prevent users from being permanently locked out of their accounts if they lose their devices or face other issues. Organizations should assess the security guarantees offered by different types of devices, such as hardware security keys, modern mobile devices with secure elements, and laptops. They should then implement robust account recovery processes and ensure that users understand how to back up their passkeys and recover their accounts if necessary.

Potential considerations to manage passkey usage:

• Implement a secure backup and recovery mechanism for passkeys, such as cloud-based storage or local backups, to enable users to restore their credentials on new devices.
• Establish alternative account recovery procedures, such as using secondary authenticators (e.g., security keys or one-time passcodes) or predefined recovery questions.
• Provide clear guidelines and documentation for users on how to backup and recover their passkeys, as well as the steps to follow in case of a lost or stolen device.
• Integrate passkey recovery processes into your organization's existing account management and support workflows to ensure a consistent and streamlined experience.

Phishing and Social Engineering Risks

While passkeys offer improved security against many traditional password-based attacks, they are not immune to phishing and social engineering attacks. Passkeys introduce a new authentication mechanism, and understanding the potential risks and vulnerabilities is essential. Users can still be tricked into approving a passkey registration or authentication request on a malicious website or application. Organizations need to assess the security guarantees provided by passkeys and evaluate how they align with their specific security requirements.

Potential considerations to improve passkey threat model:

• Implement regular training sessions to educate users about the risks of phishing and social engineering attacks specifically related to passkeys.
• Conduct regular simulated phishing exercises to test user awareness and resilience against passkey-related phishing attempts.
• Ensure that all APIs handling passkey operations are secure, with strong authentication, authorization, and encryption mechanisms.
• Design passkey interfaces with clear, unambiguous indicators showing the legitimacy of authentication or registration requests.
• Implement confirmation prompts that require users to verify key details of the request, such as the website's URL, before approving passkey operations.
• Integrate passkeys with additional MFA methods, such as biometrics or hardware tokens, to provide layered security.
• Use contextual MFA, which adjusts the required authentication factors based on risk assessment.

Migration and Co-Existence with Passwords

For most organizations, the migration to passkeys will be a gradual process, and they will need to support both passwords and passkeys during the transition period. This requires careful planning and implementation to ensure a smooth coexistence of both authentication methods without compromising security or user experience.

Potential considerations to implement passkeys successfully:

• Conduct a thorough audit of your organization's existing authentication infrastructure, applications, and workflows to identify integration points for passkey support.
• Prioritize the integration efforts based on the criticality of the systems and the potential security impact of migrating to passkeys.
• Leverage existing identity and access management (IAM) solutions and authentication frameworks that support WebAuthn and passkey integration.
• Adopt a modular approach to passkey integration, allowing for gradual rollout and minimizing disruptions to existing systems and workflows.
• Establish a dedicated team or working group to oversee the integration efforts, coordinate with different stakeholders, and ensure consistent implementation across the organization.