An analysis of lists of the most frequently used passwords shows that, even today, passwords tend not to be very complex. This suggests that password managers, which would make it easier to create secure passwords, are rarely being used. As a consequence, many service providers rely on the addition of a second factor during the login process in order to reduce the dependency on the password. However, this is not an optimal measure, as it does not fully address the problem of password security. A promising approach that could offer an alternative to passwords is the use of passkeys.
The Problem With Passwords
According to the Microsoft Digital Defense Report 2024, over 99% of attacks on Microsoft Entra accounts are password-based. In 2023, Microsoft blocked around 7,000 password attacks per second every day. These figures illustrate the scale of the problem with passwords. What is leading to this situation?
Many people tend to choose weak passwords, and this can be seen again and again when lists of the most common passwords are published. Furthermore, in password audits carried out by Oneconsult in 2019, “companyname2017” was the most frequently observed password. Another problem is that the same people reuse the same password for several services. This means that in the event of data theft, the stolen credentials could also be used to access other services.
It is therefore advisable to pay attention to a few points when using passwords in order to increase security. The article Passwords: Common Mistakes, Best Practices & Tips clearly describes what these points are. It also makes sense to use password managers. Further information on password managers can be found in this blog post.
The use of passwords is always associated with certain risks. However, there is a solution that makes the use of passwords outdated: Passkeys.
What Passkeys Are
The underlying protocol used with passkeys is FIDO2. FIDO2 stands for Fast IDentity Online 2 and is an initiative of the FIDO Alliance in cooperation with the World Wide Web Consortium (W3C). The aim is to jointly develop strong authentication for the web. Members of the FIDO Alliance include Apple, Microsoft, Mastercard and Google. Passkeys can be stored on dedicated hardware such as physical security keys as well as in most modern password managers, which now offer broad support for passkeys.
With services that support passkeys, the use of passwords is completely eliminated. Instead, a key pair is used: a private key, which is securely stored in a password manager or on a security key and never leaves it, and a corresponding public key. During registration, only the public key is transmitted to the service.
When the user later logs on to the service, the service sends a random value (a challenge) to the client, which signs it with the private key on the user’s device. This signing requires user interaction, such as authentication by fingerprint. The signature is then sent back to the service. The service uses the public key it stored during registration to check whether the signature was actually generated with the corresponding private key.
Why Passkeys are Better than Passwords
Passkeys offer a number of advantages over passwords. These include:
- With FIDO2, a unique and highly complex key pair is generated for each platform. Unlike passwords, the keys are always generated automatically rather than chosen by the user, so they are never weak or reused.
- Another advantage is that even in the event of a data breach on a platform, the security of the passkeys is not compromised. The theft only affects the public key, which cannot be used to cause any damage.
- Passkeys are easier to use, as users no longer have to remember several strong passwords, and logging in is quicker.
- Another outstanding feature of passkeys is their resistance to phishing. A passkey is bound to the domain for which it was issued and can only be used there. This prevents phishing attacks in which a website is cloned in order to obtain the credentials of valid users.
Conclusion
The use of passkeys offers a significantly higher level of security than passwords, as it eliminates numerous problems. Ideally, passwords are completely replaced by passkeys that are securely stored on security keys, such as a YubiKey. In practice, however, passwords are still frequently used, and not all services currently support passkeys. Our penetration testing team therefore offers a password audit to assess the risk. It is also advisable to regularly train employees in the use and potential dangers of passwords. For example, a company could use a cybersecurity awareness presentation for this purpose.
Lastly, solutions to password problems, such as switching to passkeys, should be internally discussed and, where possible, implemented.