What will passkeys mean for security?

May 2023 by Guido Grillenmeier, Principal Technologist, EMEA, Semperis

Passkeys limit the sensitive data that traverses the network and could be captured by an intruder in a classic phishing attack. Instead of entering a username and password wherever they log on, users will get used to never entering a password at all - where applicable, the authentication mechanism will instead request the passkey, which is bound to the device they are using. Unlocking that passkey is typically done through the biometric capabilities of the device (e.g. face or fingerprint recognition) and - unlike a password - the resulting authentication data is only valid for that device and that login. So even if it were captured by an intruder on the network, it would not be valid for any other session that the intruder might want to initiate to connect to apps or data.

Eventually users will no longer need to know the true password of their account and will have no problem changing it to a very long and hard-to-guess one. Besides reducing other credential attacks such as password-spray or brute-force attacks against the account, this will change the user's expectation of where passwords are entered at all. Over time they will become very cautious when any website requests their credentials and will think twice about whether it is a legitimate site. Naturally, this helps to avoid feeding credentials to a malicious phishing site.