Dashlane’s research reveals a significant increase in passkey adoption

Adoption of passkeys, a passwordless technology for securing user access to cloud-managed applications, continues to grow, according to findings released this week by password manager maker Dashlane.

While passkeys are still uncommon compared to passwords, the company said in a report outlining the 20 fastest-growing sites driving adoption, “growth continues at a rapid pace. Passkey verifications through Dashlane have grown to 200,000 per month, an increase of over 400% since the beginning of the year.”

The company, which added passkey support to its product two years ago, said that among the top sites driving passkey adoption during the three months from April to the end of June this year, Amazon led the pack with 88.9% growth over the previous quarter. Others on the list include Target (70.5% growth), GitHub (33.5%), PingOne (31.7%) and Google (28.6%).

In other recent developments, AWS announced in June that it has added support for FIDO2 passkeys, an authentication method under the Fast Identity Online (FIDO) framework, as a multi-factor authentication option, and that it will soon make MFA mandatory for AWS account logins.

And last May, Google said it had started rolling out passkey support for all Google Accounts on all major platforms, adding a new sign-in option that can be used alongside passwords and two-step verification.

Carlos Rivera, senior director of consulting at Info-Tech Research Group, said in an email that, when it comes to passkeys, “many SMBs are looking to proven vault providers like Dashlane that support FIDO2 passkey synchronization and are not limited to SSO logins. With the addition to NIST SP 800-63B issued on synchronized credentials, I see a lot of interest from organizations that are fighting phishing without the discovery barrier of needing to manage hardware tokens or Windows Hello endpoints.”

But there is a catch, says David Shipley, CEO of Beauceron Security, based in Fredericton, New Brunswick: “Passkeys balance convenience and security, but the challenge with them is that they’re still passwords, but they’re passwords that only devices and services know. When you lose physical access to a device, or things like a YubiKey, that creates a whole new set of IT challenges for organizations.”

Which means, at worst, that there is a “trade-off between convenience and security, especially when we’re talking about remote or distributed workers. One of the biggest challenges with what happened with CrowdStrike was how do you get all these devices back to remote sites where they need a manual keyboard to do it?”

According to Shipley, there is “a good case for using passkeys for very important information. I’m thinking about things like your IT managers and others, who are also very knowledgeable and experienced. You’ll still want to have security strategies in place related to the risk of password reuse or passwords being captured by malware. But you’re going to have a resilience strategy for hardware failure, device failure, those types of things.”

The whole premise of passkeys, he added, “is over-promised on the security side of things. As Dr. Ian Malcolm said in Jurassic Park, ‘life finds a way,’ and so does malware.”

Shipley said the high-tech industry often has “this bad habit of always looking for the next silver bullet. Instead, we need to be like our father. He had the tools for the right kind of woodworking, the right kind of work.”

He said it’s time to “stop wanting everything to be a combination of hammer and nails. It won’t happen. That doesn’t mean we can’t use new technology in smart ways. But there are old ways that work for a good reason.”

Jay Bretzmann, an analyst at IDC who covers identity and access management, said, “Passkeys are more secure than passwords, but how do they block characters? On the other hand, is it true that they are still vulnerable to attack by neutral enemies? Well, as Sean Connery once said, ‘Never say never,’ but for all intents and purposes, no.”

Passkeys, he said, “are built on public/private key encryption. PKI is the same technology that secures data and network sessions (TLS). As always, Bruce Schneier is right. One of the answers here echoes my sentiments: ‘Don’t let the perfect be the enemy of the good.’ A lot of things in IT and identity talk about current issues and may one day be replaced.”

Bretzmann’s advice to CSOs considering switching from passwords to passkeys is this: “Do it completely across all platforms and applications that support them. Two advantages over passwords: 1) key pairs remain unique across websites and applications; 2) one does not need to produce and remember them.”
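The public/private key mechanism Bretzmann describes, and the two advantages he lists, can be made concrete. The Go program below is an added example written for this page; it is not Dashlane’s code nor anything from the people quoted. It models a WebAuthn-style passkey exchange: the device (authenticator) keeps one P-256 private key per relying-party ID and only ever hands out the public key; the browser refuses to use a credential unless the requesting origin matches that rpID; the site checks a signature over a fresh challenge plus the origin the browser recorded. The names alice, example.com and example-com-login.evil are made up for the demo, the client-data encoding and authenticator-data layout are simplified, and attestation, the signature counter and single-use tracking of challenges are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// clientDataJSON stands in for WebAuthn's CollectedClientData, which the browser (not the page) fills in.
func clientDataJSON(challenge []byte, originHost string) []byte {
	return []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"https://%s"}`, challenge, originHost))
}

// signedDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	h := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator models the user's device: one P-256 private key per relying-party ID.
// Private keys never leave it; a site only ever receives the public half.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh key pair for rpID and returns the public key for the site to store.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Assert simulates a page at originHost calling navigator.credentials.get() for rpID. The browser first
// requires rpID to be the origin's host or a registrable parent of it, so a look-alike domain never gets the key.
func (a *Authenticator) Assert(rpID, originHost string, challenge []byte) (*Assertion, error) {
	if originHost != rpID && !strings.HasSuffix(originHost, "."+rpID) {
		return nil, fmt.Errorf("browser refused: rpID %q is not valid for origin %q", rpID, originHost)
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for rpID %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || signature counter
	cd := clientDataJSON(challenge, originHost)     // binds origin and challenge into the signature
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return &Assertion{authData, cd, sig}, nil
}

// RelyingParty models the site: all it stores per user is the public key from registration.
type RelyingParty struct {
	ID      string
	PubKeys map[string]*ecdsa.PublicKey
}

// NewChallenge is the fresh random nonce the site issues for one login; it must not be reused.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify is the server side: client data must carry this site's origin and this login's challenge,
// and the signature must verify under the user's stored public key.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	if string(as.ClientDataJSON) != string(clientDataJSON(challenge, rp.ID)) {
		return fmt.Errorf("client data mismatch: wrong challenge or collected at another origin")
	}
	if pub := rp.PubKeys[user]; pub == nil || !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

// Scenarios runs one registration through three cases; nil means the site accepted the login.
func Scenarios() (legit, phish, breach error) {
	auth, rp := NewAuthenticator(), &RelyingParty{"example.com", map[string]*ecdsa.PublicKey{}}
	rp.PubKeys["alice"] = auth.Register(rp.ID)
	// 1. alice signs in from the real site.
	c := NewChallenge()
	as, legit := auth.Assert(rp.ID, "example.com", c)
	if legit == nil {
		legit = rp.Verify("alice", c, as)
	}
	// 2. A look-alike site relays a real challenge; the browser refuses, so nothing gets signed.
	_, phish = auth.Assert(rp.ID, "example-com-login.evil", NewChallenge())
	// 3. A dump of rp.PubKeys yields only public keys; an attacker's own key pair does not verify.
	attacker := NewAuthenticator()
	attacker.Register(rp.ID)
	c = NewChallenge()
	as, _ = attacker.Assert(rp.ID, "example.com", c)
	breach = rp.Verify("alice", c, as)
	return
}
```

Scenarios() returns nil for the genuine login and an error for the other two cases: the look-alike site never obtains a signature, because the browser enforces the rpID/origin rule before the key is touched, and a breach of the site’s credential table yields only public keys, which cannot produce a valid assertion. Registering the same device with a second site produces an unrelated key pair, which is Bretzmann’s first point. What the model does not cover is Shipley’s concern: losing the device means losing the private keys, so account recovery has to be designed outside the protocol.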
