Passwords are in decline but passkeys struggle with an easy explanation

The technical head of the UK National Cyber Security Centre (NCSC) has given passwords another decade of use, before a predicted “material decline” happens in tandem with the adoption of new options such as passkeys and biometric authentication, finally putting passwords to rest.
“Humans have been shown to be very suggestible to work around pretty much every technical security control that we can imagine,” says Ollie Whitehouse in comments from the Tech World 2024 conference earlier in March, as reported by Verdict.
“I would suggest that we will start to see the material decline of passwords probably somewhere in the eight-to-10 year, with increasing noise around viable solutions over the next two to five,” he added.
Whitehouse is hardly the first to sound the death knell for passwords. Yet “Everyone knows what a password is, even if they have a tendency to forget them,” says David Bicknell, principal analyst at research and analysis company GlobalData. “How do you explain a passkey? The terminology – and the process – to replace passwords must be easy to understand, for all generations.”
Whitehouse gives credence to that idea with his own explanation: passkeys, he says, are “effectively identity tied to a device in your possession which you’re authenticating. Rather than the need for the kind of the running code on your phone, it is your phone, or it is the, you know, the hardware token of some kind.” As Whitehouse himself points out, this is hardly as simple as choosing a password based, for example, on the name of your cat.
Data breach reveals millions of 2FA codes for big social media sites
That said, necessity may end up expediting an easier way to tell the story of passkeys. Techlapse reports on the recent discovery by a security researcher of a database filled with millions of two-factor authentication (2FA) codes and other data, such as SMS messages and password reset links for social media sites including Facebook, TikTok, Google and WhatsApp.
The researcher, Anurag Sen, found that the database belonging to YX International, an Asian company that provides SMS text message routing services, was accessible to anyone on the Internet, with no password required. Since YX International’s database receives over 5 million SMS messages a day, the volume of available data was staggering. (The company sealed the breach as soon as they were notified.)
Granted, it appears that YX did not have even the most basic security measures in place. However, the standardization of newer and more secure options would mean stronger safeguards across the board. While Verdict points out that options such as authenticator apps, physical security keys and passkeys still have their own vulnerabilities – “passkeys, for example, could be vulnerable to session hijacking attacks, where malware steals session cookies, allowing attackers to bypass authentication processes” – it is clear that passwords are on their way to joining ICQ and Winamp among forgotten digital technologies. A multi-layered approach is best, and Verdict recommends using app- or hardware-based tokens for multi-factor authentication whenever possible.
Android 14 enables passkey tools including 1Password
Adoption and availability on major platforms will likely be the largest factor in the mainstreaming of passkeys. A blog from provider 1Password says its passkey storage service will now work on any device running Android 14 or higher. Pitching itself as an alternative to Google Password Manager, 1Password aims for a comprehensive solution that lets users store, manage, share, and autofill credit card numbers, addresses, documents, and other sensitive information. It also offers versions for browsers such as Firefox, Edge, Brave, and Safari, in addition to Android, Chrome, and ChromeOS.
1Password, however, also struggles with some ambiguity in its attempt to sell users on the simplicity of passkeys. While there is no reason to doubt their statement that “we’re all in on passkeys, and believe they’re our ticket to a truly passwordless future,” their assertion that “creating a passkey for the first time couldn’t be more straightforward” raises questions; while the instructions on process are clear, many users will still want a more robust explanation of concepts like passwordless credentials, public-key cryptography, and the role of the FIDO Alliance.
Sony PlayStation now offering passkey option
Another big name, however, will help the cause. PlayStation is now offering passkeys as an alternative to passwords. According to an article on the Game Crater, passkeys mean “you can use the unlocking methods you’re already familiar with on your mobile device or computer, such as a fingerprint, face scan, or PIN” to access your PlayStation account.
Again, however, the transition requires effort on the part of the user to create and activate passkeys. In a business that hates friction, the road to universal passkey adoption may still have a few bumps in it.