This fall, as part of its newest software update, Apple will allow users to make those annoying passwords a thing of the past on apps and online accounts. Microsoft, Google, and about 250 other companies are also seeking to replace passwords with password-less technologies.
Passkeys operate as pairs, and each passkey, when generated, is unique. One key sits on the service provider’s server; the other sits on the user’s device. In the case of Apple, the two keys are connected by Apple on the backend, and the user authenticates this with Face ID or Touch ID.
Businesses are keeping close tabs on the progress of these password-less technologies. Password-less authentication would make many business processes easier to use and more seamless, and many companies have announced their commitment to accelerate availability of password-less sign-ins. Gartner predicts that 60% of large and global enterprises will implement password-less methods in more than 50% of use cases.
“Any industry that handles personal and sensitive information, including banking, healthcare, technology… any organization that wants to keep data away from the hands of threat actors would benefit,” SAP Chief Trust Officer Elena Kvochko said.
“Businesses that are not working to implement this type of authentication in the future might be limited by cost, effort, and end-user skepticism,” the cybersecurity expert said. “Passwords have been the first line of defense for a long time, which makes it more difficult to introduce a new type of authentication.”
Two of the most prevalent cyberattacks are phishing, which accounts for about a third of breaches, and brute-force attacks, which rely on passwords to access a network or application. Password-less authentication removes the burden on users of having to create complex, difficult passwords, remember them, or store them in a safe place.
The technology could also help deter more serious attacks and prevent insidious outcomes if it’s used in conjunction with other security technologies and controls.
“If it is used with multiple factors of authentication, there is a strong possibility that it can deter both ransomware and identity theft,” Kvochko said. “Password theft has historically been used in ransomware to gain access into a network. By removing the need for passwords, it will be more challenging for threat actors to access your data and network.”
Password-less authentication is nothing new. Biometrics, one-time codes, and magic links have been used for years in different spaces, industries, and platforms.
“The difference now is that password-less authentication will become the standard rather than an advanced option,” Kvochko said. “With major tech companies like Apple, Google, and Microsoft championing the effort to make this type of authentication more available in their devices, software, and applications, I believe we’ll see it everywhere very soon.”
Passkeys will help make our information safer, but they are not a silver bullet, Kvochko warned. Voice recordings or other biometric features used in passkey technology have been replicated in the past, underscoring the critical need for several authentication factors for greater protection.
“Any technology can also become a vector of attack,” she said. “There is no authentication system that can’t be hacked. Password-less authentication is still vulnerable to malware, man-in-the-browser, and other types of attacks. With that said, password-less authentication can be a better option than relying on simple passwords, especially when combining it with other authentication factors, making it multi-factor authentication.”