
Passkeys have a marketing problem: they are presented as a holy grail that eliminates all forms of phishing. In reality, the story is far more nuanced, and passkeys actually address only one specific form of phishing. Even though passkeys cannot live up to the promises of the marketing stories, security specialists are convinced of their usefulness. Because of their ease of use, KnowBe4 believes they can better address the adoption problems that MFA faces.

“Compare it to a car that gets equipped with just one airbag in the steering wheel,” argues Jelle Wieringa, Security Advocate at KnowBe4. “It will certainly provide protection, but the car salesman cannot claim this airbag makes the whole car safe. More measures are needed for this claim.” He says the same is true for passkeys. Good password hygiene does not currently equate to simply using passkeys. It must be layered protection in which a strong password is used, a password vault remembers that strong password for the user, MFA is involved where possible, and passkeys are involved where possible as well.

Little support for business solutions

For now, it is not even possible to create a password policy consisting only of passkeys. “In the business market, there are still too many platforms that don’t even support passkeys at all,” Wieringa says. Waiting for these platforms to change means putting your own cybersecurity at risk. “As a company, don’t let that stop you from installing other technologies, and certainly don’t forget MFA.”

Because even once passkeys are offered by the majority of enterprise solution providers, other security tools will remain relevant. “Passkeys have a marketing problem. Providers dare to state that passkeys will eliminate phishing, which is wishful thinking,” Wieringa argues. As a cybersecurity specialist at KnowBe4, a provider of security solutions and training that protect companies from phishing attacks, he can give insights into hackers’ phishing techniques. Passkeys appear to be a solution only for authentication phishing. That is an important nuance, because this form of phishing is technically difficult and time-intensive, so authentication phishing accounts for only a small share of phishing attacks.

“Phishing, in most cases, proceeds through social engineering techniques. These techniques are immune to passkeys and will therefore remain possible,” Wieringa says. With social engineering techniques, attackers try to exploit the human side of the victim. For example, they call a victim and pretend to be a helpful bank employee willing to solve a problem in the customer’s banking environment. All the supposed bank clerk needs for this is the victim’s password. With a passkey, the scammer can still ask for things like the PIN or unlock pattern used to secure the passkey. If the victim has already agreed to cooperate with the hacker posing as a bank employee, this additional authentication step will no longer pose a difficulty.

Embracing the passkey at this point as an additional security feature can certainly be a good thing. “Passkeys are the next evolution in cybersecurity and are tremendously easy to use,” he says. This certainly gives the technology the potential to grow into something big. Wieringa therefore sees no problem at all in using passkeys; he encourages it.

It is only necessary to keep in mind that the technology is not yet perfect. For companies, it is therefore a matter of looking at what deserves priority. With the technology not yet widely embraced, and support in many business solutions not yet in place, it may be wiser to tackle bigger problems first. “I heard someone say the other day that passkeys do certainly plug a hole, but that hole is much smaller than a good patching policy can solve. I have a hard time proving that person wrong, so it’s still a matter of prioritization for companies.”

Complementing a good foundation

That leaves us with the question of how to implement the solution. “At many companies, password hygiene is not even in order yet. Pushing passkeys in these organizations as the new standard is a very bad idea. It is important to get the base in order first and work from there,” says Wieringa. He says the foundation starts with the password, then a password vault on top of it, and then MFA and passkeys should definitely be used wherever possible. So MFA and passkeys are just extra layers on that base.

It is important to get that message right with companies and to dispel misconceptions about passkeys being the holy grail against phishing. “It’s important to realize exactly what passkeys solve. That list is not all too long, and those details are often forgotten by marketing campaigns.”
