July 10

It’s time to replace passwords with passkeys


Cybercriminals have, of course, been creating repositories of stolen passwords for decades. How many of these repositories exist is unknown, but in recent years it has become apparent that more breaches are enabled by stolen credentials than by malware. In fact, many cybercriminals don't see the need to craft malware to compromise IT environments when stolen credentials are readily available. That doesn't mean they are no longer creating new strains of malware. After initially gaining access using stolen credentials, cybercriminals will often install malware that then propagates laterally across a distributed computing environment.

The issue is that far too many organizations continue to rely on standalone passwords that are relatively simple to steal. Fortunately, passkeys based on a specification defined by the FIDO Alliance have recently emerged as an alternative that employs some type of biometric authentication. Passkeys use public key cryptography to provide phishing-resistant authentication. When a user enrolls with an application or service, the client device creates a new cryptographic key pair that is bound to the web service's domain. The device retains the private key and registers the public key with the online service; each key pair is unique to that application or service.

Not every organization will be able to replace passwords overnight, but at the very least, any password created today should be system-generated, unique to one account, secured in a password manager, and used in combination with multi-factor authentication (MFA) that includes an authentication application.

Organizations that continue to rely on standalone passwords are now assuming a much higher level of risk than organizations that have embraced passkeys. There is, however, no such thing as perfect security. Cybercriminals can still, for example, abuse cookies to bypass passkey authentication mechanisms, but passkeys do reduce reliance on standalone passwords that are easily stolen.

The challenge is that passkeys require time and resources to implement. Organizations transitioning to passkeys or any other type of authentication alternative may find they will still need to manage passwords for many years to come. As such, organizations should, at the very least, routinely rotate passwords to improve their overall cybersecurity posture.

Cybersecurity teams should assume that previously stolen credentials have been used to plant malware in their IT environments, which they should hunt for before it inevitably gets activated. Just as importantly, cybersecurity teams need to make sure the senior leadership of the organization clearly understands the limitations of passwords.

Moving away from passwords, of course, is as much a cultural challenge as it is technical. Passwords in various forms have been in use ever since the first guard asked someone for a countersign centuries ago. Passwords are, for better or worse, ingrained into the human psyche. The only difference between now and when the first password was created, as shown by the Rockyou2024 files, is that they are now just too easy to steal.

