Are you ready for the passwordless future with passkeys? It’s already here. Or near. Well, it’s a good goal for all of us.
Passwords are annoying. And many times they don’t do enough to prevent data breaches.
If you’ve ever heard our founder Alan talk for a while you’re guaranteed to hear him say:
Security and usability are fundamentally at odds.
Alan Youngblood
This doesn’t have to be the case though. It is super easy to use Passkeys, but don’t take my word for it:
And it’s even more secure to use Passwordless systems.
By using the security capabilities of your devices like Touch ID and Face ID, passkeys are way more secure and are easier to use than both passwords and all current 2-factor authentication methods.
The Security Holy Grail
Why can’t we have both security and usability?
Typically this is a natural trade-off. Most security measures make your everyday work and life a little bit more difficult while also making it much more difficult for hackers. So in practice it’s good security policy to take reasonable measures that you know will be a slight pain to you and a major pain to hackers, making them think twice.
Can’t we have both though? Every so often there is a truly different way that makes that possible!
That’s where Passkeys and passwordless systems come in. There’s a lot to say about this but the bottom line is simple: there are now computer systems that do not use passwords and are actually more secure than the systems that do.
Passwordless Future with Passkeys is More Secure
Do not mistake any of this to say we need to get rid of passwords. We’ll come back to this later but in some ways we may always have passwords for certain uses even in the passwordless future.
This also doesn’t mean wide open access or less secure systems. But how? In InfoSec we refer to authentication in a few ways. Authentication verifies a person or user of a system to make sure they are who they say they are.
Authentication can be:
- Something you know. For example: a password.
- Something you have. For example: a hardware token or smart badge/card.
- Something you are. For example: fingerprint scanning, Face ID, or other biometric data.
Two-factor or multi-factor authentication (MFA) is just a combination of more than one of those methods. More layers of security tend to give a more secure system.
But many passwordless systems actually combine several factors into one simpler action. For example, passkeys combine something you have (your smartphone) with something you are (the phone’s biometric touch or face ID). So instead of fumbling around with a six-digit code or remembering a password that’s hard for you to remember and easy for a computer to guess, you already have MFA built in with one simple step.
Passwords are the weakest link in security. Think about it: they are shared at some point in the login transaction with the server. It’s something you know, but that doesn’t mean someone else might not know it too. I can tell you about “MySUPERsecretPasswd456!” and now you already know that one. Pro-tip: we never use that password and we recommend you never use it either. With something like passkeys, the hardware of your smartphone does the authenticating to the server, proving you are who you claim to be so the server can let you in.
I’m just going to assume for a minute that you do a good job managing your passwords and use significantly complex, unique ones on all your accounts. Even if that were true for everyone, there’s a lot of data that gets exposed when you are part of a service; let’s just say Facebook, because so many people are there. Let’s say someone on Facebook signs up with the password “Password123.” This laughably easy password then gives hackers a potential way into the entire system. While it may not expose everyone or everything, at minimum it provides the hacker with the next step and clues to hack other data and people.
Why We Can Trust the Security of Passwordless Passkeys
What’s wilder about these systems is that they aren’t entirely new. That’s part of the reason we can trust them.
These are all built on well-established protocols and technologies. Much of the magic of public/private key cryptography has been in regular use for decades, since the 1970s. The passwords we use now remain vulnerable because they use common wording or can be known by people other than the authorized user.
Why We Can’t Have Nice Things
The biggest challenge is that even if there’s a better way, it requires change from a lot of people. Many of us are not ready for a passwordless future with passkeys if it involves doing things differently.
There are two crucial requirements to be able to use passwordless systems:
- Everyone using them has to have either an up-to-date smartphone, computer, or hardware key token.
- Every account and system software needs to have this feature integrated into them and users need to learn how to use it.
Easier said than done.
I don’t wanna change
I’ll rise above it
But it’s so damn hard to make that change
Adam Granduciel, song Change performed by The War on Drugs
Change isn’t always easy. I get it. Even when we’re in a bad place sometimes we want to cling to the “devil we know.” Why risk it doing things differently?
Plus this requires change from a lot of people, namely those we lack any control or influence over. As a company’s leader it would be easy enough to make it corporate policy to assure all employees make a change that helps everyone. But there’s still the other end of these systems, the platform holders that you can make requests to but ultimately don’t have to do anything. And there’s the bit about having updated computing devices. While this is good practice in general, it doesn’t mean we all do it. And there’s the training, why learn a new thing if what we all did a few years ago seems perfectly fine to get the job done?
Passwordless Future Goals with Passkeys
For all these reasons we recommend Passwordless systems as a great goal. We ourselves are working toward implementing and using these systems incrementally in our business and personal lives where possible. But it has to be opt-in.
You can lead an animal to water but you cannot make them drink.
Old English proverb attributed first to John Heywood
Having the personal buy-in from each person who will use the system means they are showing up ready to learn something new and try it for its merits.
The Password is dead! Long live the Password!
You didn’t really think we’d be giving up the passwords everywhere so soon did you?
Because it’s simply not practical to expect everyone to give up their current systems we suggest you phase in the Passwordless tech where you can. Meanwhile, passwords are still the best standard way to secure everything from your WiFi connected toaster to databases with trade secrets.
So we’ll end here by pointing you back to advice that’s still great: use Bitwarden as your password manager for all the systems that aren’t ready for that change yet. If you don’t feel like you can remember your master password or secure it in a safe place like a lockbox, you should consider using a different trusted system like 1Password, shown in the video below.
And if you are already using LastPass, you need to move to a different system as fast as you can make the switch. We used LastPass previously, but a number of reports of breaches and a general negligence of security practices at their organization mean that moving to a better system is the best thing you can do for your security right now.
Josh at All Things Secured has you covered on a step by step guide to make the switch from LastPass to 1Password.
Ready to ditch those pesky passwords for something more secure? Get in touch and see how we can help your organization make the transition!