
In my new blog post, I take a closer look at the development of FIDO Passkeys. Technology giants such as Microsoft, Google and Apple are pushing the topic of passwordless authentication on the consumer side. And on the corporate side?
The FIDO Alliance, founded by companies like Infineon, Lenovo, and PayPal, originally aimed to develop a standard for two-factor authentication (2FA). Over time, this initiative evolved into the passkey, a fully passwordless authentication method based on asymmetric cryptography.
Instead of storing passwords, passkeys use a public/private key pair: the private key stays on the user's device, while the public key is registered with the service provider and bound to that provider's domain (the relying-party ID). Because the browser derives the relying-party ID from the origin of the page the user is actually on, a credential created for the genuine domain is never offered to a look-alike site, and the service rejects any assertion whose origin or relying-party hash does not match. This domain-specific binding is what makes passkeys inherently resistant to phishing attacks.
Passkeys come in two variants: device-bound and synced.
Device-bound passkeys, such as USB FIDO security keys like the iShield Key, store keys locally on a single device.
In contrast, synced passkeys synchronize key material across multiple devices through ecosystems like Apple’s iCloud Keychain or Google’s Sync, greatly boosting consumer adoption thanks to seamless cross-device compatibility.
But for enterprises, can passkeys offer the same benefits, or do they introduce potential drawbacks and security concerns? Let's take a closer look.
The suitability of passkeys for enterprise deployment depends on a detailed assessment of security needs, user workflows, and MFA processes. Before introducing passkeys, companies should thoroughly review and update their MFA policies, which might have been designed with legacy hardware tokens in mind.
Passkeys represent a significant advancement in authentication technology, especially for reducing the risk of phishing attacks. However, their introduction into the enterprise setting requires careful consideration. Beyond technical integration, enterprises need to prepare for potential dependencies on third-party systems, manage device policies, and establish robust processes to safeguard against evolving social engineering tactics. In the end, passkeys may prove to be a valuable addition to enterprise security, provided they are part of a thoughtfully designed and resilient MFA strategy.
From my perspective, there is already a scalable solution for companies seeking enhanced security and phishing resistance: hardware authentication in the form of FIDO security keys. By far the most innovative and technologically advanced security key is the iShield Key Pro MIFARE. Always worth mentioning is the hybrid functionality of the iShield Key Pro MIFARE, which supports not only passkeys, but also conventional one-time password (OTP) and personal identity verification (PIV) as well as MIFARE for contactless physical access to company buildings, parking garages, use of the wallbox and payments in the cafeteria.
This once again underlines Swissbit's innovative leadership in the field of hardware authentication.