
Passwords are gradually becoming a relic of the past, with passkeys emerging as their successor. According to Yubico, a leader in security technology, passkeys promise enhanced security and ease of use. However, without immediate action, millions could find themselves more vulnerable than ever before.
Christopher Harrell, Chief Technology Officer at Yubico, emphasized the significance of this shift, stating,
“The global momentum behind passkeys represents one of the most exciting shifts in authentication history. Yet, the work isn’t done. Not all passkeys are equal, not all users have the same needs, and leaving insecure fallback methods in place can provide a false sense of security.”
The Evolution of Authentication: Synced vs. Device-Bound Passkeys
Passkeys are often equated with synced passkeys, where private keys are stored in the cloud and shared across devices. While they offer convenience, they rely heavily on the security of the sync mechanism and the associated cloud accounts. For high-risk individuals or organizations, synced passkeys may not suffice.
Device-Bound Passkeys: The Gold Standard
Device-bound passkeys, which never leave the secure hardware where they are created, offer superior protection against phishing and account takeovers. These include:
- Smartphone/Laptop-Based: While convenient, these can be inconsistent due to technical limitations like unreliable Bluetooth connections or confusing user interfaces.
- Hardware Security Keys (e.g., YubiKeys): These provide the highest level of security assurance, offering a portable, cross-platform experience and serving as a root of trust in high-risk situations.
Harrell stresses that synced passkeys should be the baseline, while device-bound passkeys must be available and, in some cases, mandatory.
Bridging the Recovery Gap
Even with device-bound passkeys, accounts remain vulnerable if weaker recovery methods are allowed. Common methods like text messages or push notifications can be exploited by attackers to bypass security measures.
Harrell advises CIOs and CISOs to demand configurability and control over authentication policies.
“Passkeys in YubiKeys and Windows Hello for Business offer non-exportable credentials that cannot be silently synced, phished, or copied,” he noted.
Recommendations for Identity Providers
- Enforce only device-bound passkeys.
- Disable synced passkeys for enterprise use.
- Remove all non-FIDO fallback methods.
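The first two recommendations (enforce device-bound passkeys, disable synced ones) are something a relying party can check mechanically at registration time. The example below is added here and is not Yubico's code nor part of the original article; it assumes a WebAuthn relying party receiving the raw `authenticatorData` bytes, and uses the Backup Eligible (BE, bit 3) and Backup State (BS, bit 4) flag bits that WebAuthn Level 3 defines in the flags byte: a credential that is backup-eligible is a synced passkey, one that is not is device-bound. The authenticator data it parses is constructed inline for the demonstration, not captured from a real authenticator.

```python
"""
Added example (not Yubico's or the article's code): a relying-party
registration policy that accepts only device-bound passkeys by reading
the WebAuthn authenticatorData flags byte.

authenticatorData layout (WebAuthn): rpIdHash (32 bytes) | flags (1 byte)
| signCount (4 bytes, big-endian) | optional attested credential data and
extensions. The sample data below is constructed, not captured.
"""
import hashlib
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified
FLAG_BE = 0x08  # bit 3: backup eligible  -> credential is a synced passkey
FLAG_BS = 0x10  # bit 4: backup state     -> credential is currently backed up
FLAG_AT = 0x40  # bit 6: attested credential data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
    }


def check_registration_policy(auth_data: bytes, rp_id: str,
                              require_device_bound: bool = True,
                              require_uv: bool = True) -> tuple:
    """Return (accepted, reason) for a new credential under the RP's policy.

    require_device_bound=True implements "enforce only device-bound passkeys":
    any credential flagged backup-eligible (a synced passkey) is rejected.
    """
    parsed = parse_authenticator_data(auth_data)

    # The rpIdHash must be SHA-256 of the RP ID this server is registered as.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return (False, "rpIdHash mismatch")
    if not parsed["user_present"]:
        return (False, "user presence not asserted")
    if require_uv and not parsed["user_verified"]:
        return (False, "user verification required")
    # WebAuthn requires BS to be 0 whenever BE is 0; treat the reverse as malformed.
    if parsed["backed_up"] and not parsed["backup_eligible"]:
        return (False, "BS set without BE (malformed flags)")
    if require_device_bound and parsed["backup_eligible"]:
        return (False, "synced (backup-eligible) passkey rejected by policy")
    return (True, "ok")


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build a minimal constructed authenticatorData prefix for testing."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed samples: a device-bound key and a synced passkey, same RP.
    device_bound = make_auth_data("example.com", FLAG_UP | FLAG_UV)
    synced = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(check_registration_policy(device_bound, "example.com"))
    print(check_registration_policy(synced, "example.com"))
```

The BE/BS bits are reported by the authenticator itself, so this check enforces policy against well-behaved clients rather than proving hardware origin; a deployment that needs the stronger guarantee the article attributes to hardware security keys would combine it with attestation verification of the credential's origin. Note also that "device-bound" here is a property of the credential, not of whether the user happens to hold a hardware key, so the same check accepts non-synced platform passkeys.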
Harrell emphasizes the importance of demanding configurability from service providers to ensure robust security tailored to the threat landscape.
Implications for Product Managers and Enterprises
Product managers are urged to build choice into their systems. Harrell advises,
“Don’t exclude security keys; it often takes more effort to block them than to support them.”
By supporting security keys, enterprises can enhance security, reduce recovery events, and save costs.
High-value accounts benefit from the strongest phishing resistance, while individuals with accessibility needs prefer portable hardware keys for their predictability and ease of use.
Who Needs Strong Passkey Protections?
- Government officials and diplomats
- Legal professionals and law enforcement
- High-profile executives and influencers
- Developers and security researchers
- Survivors of domestic violence or trafficking
- Activists, journalists, and vulnerable populations
Harrell concludes,
“Authentication should be adaptable and flexible, not rigid and monolithic. Higher-assurance security is not just for the enterprise; it’s a lifeline for millions.”
As the digital landscape evolves, the stakes are both global and personal. Whether leading a security program, developing products, or safeguarding personal accounts, the call to action is clear: support or require security keys as a core part of your passkey strategy, and ensure everyone can choose the protection level they need.