Benefits and challenges of passkeys in the enterprise

Passkeys overcome some of the critical security vulnerabilities plaguing passwords. But enterprises face some new challenges when deploying the authentication technology.

Despite the role passwords play as a primary user authentication method, they continue to be a weak link in enterprise security. High-profile data breaches and phishing attacks exploit stolen or weak passwords, triggering severe consequences. As a result, the security industry has increasingly turned to MFA as it moves toward a future without passwords.

Enter passkeys. The emerging technology -- backed by industry leaders, like Apple, Google and Microsoft -- promises stronger security and better UX. Yet, while passkeys offer a path forward to solving the password problem, it's unclear whether they are ready for widespread enterprise deployment. Indeed, enterprise security teams and decision-makers should approach passkeys with caution before committing.

What are passkeys?

Passkeys are digital credentials intended to replace traditional passwords. They authenticate users through public key cryptography -- a far more secure method than passwords, which are susceptible to theft, reuse and poor management practices. Passkeys rely on the following:

  • Biometrics. Techniques such as fingerprints, facial recognition or other unique biological markers.
  • PINs. Short numeric codes used in conjunction with a user's device.

With passkeys, authentication becomes seamless. Users simply unlock their device using a local authentication method -- for example, Face ID, Touch ID or a device PIN -- eliminating the need to remember or type in passwords that could easily be compromised through phishing or social engineering attacks.

The benefits of passkeys

Passkeys present several advantages over traditional authentication methods, including the following:

  • Strong resistance to phishing. Passkeys use cryptographic authentication. There is no shared secret between the user and the service that can be intercepted or stolen, making phishing attacks harder to execute.
  • Reduced password management burden. IT teams often spend significant time managing password resets and security policies. Passkeys, tied to biometrics or devices, lessen this burden and minimize dependence on cumbersome password protocols.
  • Improved UX. Passkeys streamline the authentication process, making logins faster and more convenient. Users no longer need to remember or input complex passwords; they simply authenticate using their biometrics or device PIN. A published analysis by Kayak indicated a 50% reduction in login time with passkeys.
  • Better security for endpoints. Passkeys are stored locally on devices and do not exit the user's hardware, reducing exposure to network-based attacks, such as brute-force or credential stuffing attacks.
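The following Go model is an added illustration, not code from the article, of the public key login described above and of why the phishing-resistance and local-storage benefits hold: the device creates a key pair per site and exports only the public key, the service keeps nothing secret, and each signature covers the site's identifier plus a fresh challenge, so it can neither be replayed nor redirected to another site. The `rpID` string and the `SHA-256(rpID) || challenge` message layout are simplifications assumed here, not the FIDO2/WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the unlocked device (biometric or PIN assumed): private keys live only here.
type Authenticator struct{ Keys map[string]ed25519.PrivateKey } // rpID -> private key

// Register creates a key pair for one relying party and returns only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing CSPRNG is not something to authenticate around
	}
	a.Keys[rpID] = priv
	return pub
}

// Sign answers a challenge; rpID is part of the signed bytes, so an assertion for one site is worthless elsewhere.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.Keys[rpID]
	if !ok {
		return nil, false // no passkey for this site: nothing to hand over
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), true
}

// NewChallenge is the service's fresh 32-byte nonce; a signature over an old one is rejected.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify is the service's check. It holds only pub, so a database dump yields no usable
// credential, and it accepts only a signature over its own rpID and this challenge.
func Verify(rpID string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}

// signedData is what both sides sign and verify: SHA-256(rpID) || challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}
```

A login is `pub := dev.Register(site)` once, then per session `ch := NewChallenge()`, `sig, ok := dev.Sign(site, ch)` and `Verify(site, pub, ch, sig)`; the same signature presented with a different challenge or under a different site identifier fails.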

Challenges and limitations of passkeys in the enterprise

Passkeys' advantages notwithstanding, they also face challenges that suggest it might be premature to regard passkeys as a one-size-fits-all option for enterprises today. Among those hurdles are the following:

  • Device dependency and fragmentation. In many enterprise environments, users operate multiple devices and platforms. Ensuring compatibility across these systems is essential. Although Apple, Google and Microsoft have committed to supporting passkeys, enterprises using different OSes or legacy infrastructures could find it challenging to implement passkeys consistently. Cross-platform authentication can be particularly complicated when employees use both corporate and personal devices.
  • Biometric data privacy concerns. Passkeys often rely on biometrics, raising questions about how this sensitive data is stored, used and protected. While enterprise passkeys are designed to be secure and biometric data is stored locally on users' devices, organizations must still navigate regulatory requirements and potential privacy issues, especially in jurisdictions with stringent data privacy laws.
  • Lack of comprehensive enterprise integration tools. Passkeys remain a relatively new technology, so many enterprise-grade identity management systems might not yet fully support them. Most large organizations depend on comprehensive identity and access management platforms to oversee employee access to resources, and these systems often integrate with legacy applications. Deploying passkeys without disrupting existing infrastructure could be a challenge.

In summary, while passkeys offer promising benefits for user authentication, their readiness for wide-scale enterprise deployment warrants careful consideration.

Jerald Murphy is senior vice president of research and consulting with Nemertes Research. With more than three decades of technology experience, Murphy has worked on a range of technology topics, including neural networking research, integrated circuit design, computer programming and global data center design. He was also the CEO of a managed services company.