Nov 4, 2022 - Technology

Companies are increasingly ditching passwords for passkeys


Efforts to ditch easy-to-guess, phrase-based passwords are gaining more traction, paving the way for the passwordless future cybersecurity pros dream of.

The big picture: Companies are increasingly investing in technologies that let people log in to their accounts with passkeys, which replace passwords with biometric data or device PINs tied to a user's phone or laptop.

  • Poor password hygiene is the root cause of more than 80% of data breaches, according to the FIDO Alliance, an industry group whose members include Amazon, Bank of America, Intel and many others.
  • Many people reuse their passwords or use easy-to-guess phrases. Others have their passwords leaked onto the dark web, where hackers later buy them.
  • Passkeys are an attempt to completely replace passwords, and they go a step further than other login security tools — like multifactor authentication — that still rely on using a phrase-based password to begin with.

Driving the news: PayPal became the latest company to enable passkey logins last week, following similar decisions by Best Buy, Kayak and GoDaddy.

Details: Passkeys work by allowing people to log in to an app or website using just a username and a preauthorized device.

  • Those phones, laptops and other devices basically use a cryptographic token to prove a user is who they say they are — and those tokens are nearly impossible for hackers to steal or replicate remotely.
  • Many of these logins will mimic how people unlock their phones with a fingerprint or face scan or by entering a PIN.

Each company is basing its passkey framework on technology standards set by the FIDO Alliance.

  • Growing passkey adoption requires widespread availability, industry collaboration and regulatory support, says FIDO Alliance executive director Andrew Shikiar.

The intrigue: Around 430,000 Microsoft consumer accounts have enabled passwordless logins in the last year, says Vasu Jakkal, corporate vice president for security at Microsoft.

  • While other companies are in the early stages of passkey adoption and declined to share figures with Axios, Microsoft's numbers suggest there's widespread interest in the technology.
  • "We're seeing rapid adoption across the board," Shikiar says.

Yes, but: Hackers are uniquely talented at finding flaws in new technologies, so it's impossible to say something like passkeys is completely hackerproof.

Still, Shikiar says that passkeys will help eliminate hackers' ability to conduct and scale breaches remotely, and thus will make it so hackers need to reach a new level of sophistication to breach a company.

  • "It should require that level of effort to take over someone's account," Shikiar says.
