“The password era is ending,” Microsoft has confirmed, warning its billion users that “bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” And while the company “blocks 7,000 attacks on passwords per second… almost double from a year ago,” that is not nearly enough. “Our ultimate goal,” it says, “is to remove passwords completely.”
Those billion passwords will be replaced with passkeys, which “offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN… They also aren’t susceptible to the same kinds of attacks as passwords. Plus, passkeys eliminate forgotten passwords and one-time codes and reduce support calls.”
But it’s not all smooth sailing. “Passkeys are the future of authentication, but widespread adoption faces challenges,” the UK government’s cybersecurity authority has just warned, outlining “significant bumps in the road ahead,” before Microsoft’s vision of a password-less future can become reality.
Passkey use appears to be all or nothing: those who use them tend to use them widely, while those who do not have yet to adopt them at all. “In the two years since passkeys were announced and made available for consumer use,” the FIDO Alliance says, “passkey awareness has risen by 50%… The majority of those familiar with passkeys are enabling the technology to sign in.”
The UK’s National Cyber Security Centre (NCSC) says “most cyber harms that affect citizens occur through abuse of legitimate credentials. That is, attackers have obtained the victim’s password somehow – whether by phishing or exploiting the fact the passwords are weak or have been reused… Passwords are just not a good way to authenticate users on the modern internet.”
But getting from where we are today to ubiquitous deployment, which is what would let Microsoft and others delete billions of basic, reused, crackable passwords, needs work. The NCSC outlines ten critical issues holding back such mass adoption.
- “Inconsistent support and experiences: There are currently multiple ‘flavours’ of passkey available that providers and users need to understand… This complicates things for websites which want to offer effective passkey support but also want to know how the passkey is being handled by the user’s device.
- Device loss scenarios: Users are largely unsure about the implications for their passkeys if they lose or break their device, as it seems their device holds the entire capability to authenticate. To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
- Migration issues: Passkeys are ‘long life’ because users can’t forget them or create one that is weak, so if they’re done well there should be no need to reset or update them. As a result, there’s an increased likelihood that at some point a user will want to move their passkeys to the Credential Manager of a different vendor or platform. This is currently challenging to do.
- Account recovery processes: For passkey-protected accounts, potential attackers are now more likely to focus on finding weaknesses in account recovery and reset requests – whether by email, phone or chat – and pivot to phishing for recovery keys. These processes need to be sufficiently hardened by providers to prevent trivial abuse by these attackers and to maintain the security benefits of using passkeys.
- Platform differences: Different platforms use different terms to describe the process of passkey logins, which can confuse users and put them off using passkeys. Vendors will need to work together and with the FIDO Alliance to agree on consistent, accessible language and avoid working in silos. This will help users have confidence in what they are using across their digital lives.
- Suitability for all scenarios: Using passkeys assumes that the user has exclusive, private access to an account or device for preparing and accessing the Credential Manager holding their passkeys. However, this is not always the case, such as in households where multiple people use the same phone.
- Implementation complexity: It’s challenging to offer passkeys to users for services that currently use multiple domains for authentication (such as account.example.co.uk and account.example.com) and users might need multiple passkeys to sign in to what appears to be the same service.
- Inconsistent use: There’s no consensus on when passkeys should be used in a sign-in journey or how much assurance each ‘flavour’ of passkey provides. As a result, some websites choose to ask for a passkey and an additional factor, while others allow passkey-only sign-ins.
- Uncertainty around multi-factor status: Website owners and regulators haven’t yet reached a consensus on whether all ‘flavours’ of passkey count as ‘multi-factor’ (or equivalent) when the user is verified, typically with local-device biometrics or a PIN.
- Uncertainty around syncing and sharing: For critical and sensitive accounts where verifiable user identity is required, there’s uncertainty about whether passkeys which can be synced and shared are secure enough on their own.”
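Several of the NCSC’s points (the passkey ‘flavours’, whether a passkey counts as multi-factor, whether synced passkeys are enough on their own, and why account.example.com and account.example.co.uk need separate passkeys) all surface in the same place for a website: the authenticator data returned with every WebAuthn assertion. Its first 37 bytes carry the SHA-256 of the relying party ID and a flags byte whose UP, UV, BE and BS bits say whether the user was present, whether they were verified with a local biometric or PIN, and whether the credential is eligible for, and currently in, cloud backup. The following Python is an added example written for this page, not code from Microsoft, the NCSC or the FIDO Alliance; the policy switches (`require_user_verification`, `accept_synced_alone`) and the decision names are hypothetical, and the sample authenticator data is constructed in the block rather than captured from a real device. It checks only the parts of the assertion the NCSC list is about; signature verification is assumed to have already happened.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticator-data flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # User Present: the user touched or confirmed on the authenticator
FLAG_UV = 0x04  # User Verified: a local biometric or PIN check succeeded
FLAG_BE = 0x08  # Backup Eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # Backup State: the credential is currently backed up (synced)
FLAG_AT = 0x40  # Attested credential data follows (present at registration)
FLAG_ED = 0x80  # Extension data follows


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the relying party ID, exactly as the authenticator computes it."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix (rpIdHash, flags, signCount) that every
    authenticator data blob starts with; attested credential data and
    extensions, if present, follow it and are not needed for these checks."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def passkey_flavour(parsed: dict) -> str:
    """Name the 'flavour' of passkey that the backup flags reveal."""
    if not parsed["backup_eligible"]:
        return "device-bound"             # key never leaves one authenticator
    if parsed["backed_up"]:
        return "synced"                   # held in a cloud credential manager
    return "sync-eligible, not synced"    # could be synced, currently is not


def evaluate_assertion(auth_data: bytes, expected_rp_id: str, *,
                       require_user_verification: bool = True,
                       accept_synced_alone: bool = True) -> dict:
    """Apply one relying party's passkey policy to an assertion's authenticator data.
    The policy switches are hypothetical names chosen for this example. Returns
    'accept', 'step-up' (ask for another factor) or 'reject', with reasons.
    The assertion signature over authData || SHA-256(clientDataJSON) is assumed
    to have been verified already; that step is deliberately not repeated here."""
    parsed = parse_authenticator_data(auth_data)
    flavour = passkey_flavour(parsed)
    # A passkey is scoped to exactly one RP ID, so a credential registered for
    # example.com can never satisfy example.co.uk: hence "multiple passkeys".
    if parsed["rp_id_hash"] != rp_id_hash(expected_rp_id):
        return {"decision": "reject", "flavour": flavour,
                "reasons": ["rpIdHash does not match " + expected_rp_id]}
    if not parsed["user_present"]:
        return {"decision": "reject", "flavour": flavour,
                "reasons": ["user presence not asserted"]}
    decision, reasons = "accept", []
    if require_user_verification and not parsed["user_verified"]:
        decision = "step-up"
        reasons.append("UV flag clear: no local biometric/PIN, so not multi-factor on its own")
    if not accept_synced_alone and parsed["backup_eligible"]:
        decision = "step-up"
        reasons.append("sync-eligible passkey not accepted alone for this account tier")
    return {"decision": decision, "flavour": flavour, "reasons": reasons}


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a minimal 37-byte authenticator data blob. This is constructed test
    input for the example, not bytes captured from a real authenticator."""
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    synced = make_authenticator_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    bound = make_authenticator_data("example.com", FLAG_UP, 7)
    print(evaluate_assertion(synced, "example.com"))      # accept, flavour "synced"
    print(evaluate_assertion(synced, "example.co.uk"))    # reject: rpIdHash mismatch
    print(evaluate_assertion(bound, "example.com"))       # step-up: UV flag clear
    print(evaluate_assertion(synced, "example.com", accept_synced_alone=False))  # step-up
```

The two policy switches are the knobs behind the NCSC’s “inconsistent use” point: one site treats a user-verified synced passkey as a complete multi-factor sign-in, another insists on a device-bound key or an extra factor for its most sensitive accounts, and both are reading the same four flag bits to decide. The rpIdHash check is also why a site that authenticates on several domains cannot simply reuse one passkey across them.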
The good news is that all of this is being worked on, coordinated by the FIDO Alliance and others and driven by technology providers and by financial services and other security-sensitive industries, all looking to finally end the scourge of all-too-easy attacks. “Achieving this vision,” the NCSC says, “needs an intensified effort from all parties and greater collaboration to cohere the vision and prevent it fragmenting to the extent that users disengage.”
This is why Microsoft says it is moving deliberately toward its goal, “understand[ing] where and when to invite users to enroll passkeys… We ran multiple user studies and tested every pixel in our nudge screen to answer the question, ‘What would motivate a user to stop what they’re doing and enroll a passkey?’”
The challenge is that for passkeys to address a threat landscape now being made worse by AI-fueled attacks, the migration has to go all the way. “While enrolling passkeys is an important step,” Microsoft says, “it’s just the beginning. Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”