
Passkey Security is the Future of Account Access

Christiaan Brand talks about passkey security and why it's the future of authentication.

Phishing and account breaches have been a problem for years, and it’s not going away. In fact, with the advent of AI, it’s just getting worse. Passwords seem like a logical way to protect our accounts. And while they served our needs in the past, they’re no match for today’s cybercriminal tactics. It’s time for a new solution. Passkey security is that solution. It’s both more secure and more user-friendly, and it could reshape how we protect our online accounts and identities in the future.


See Next Gen Account Security with Christiaan Brand for a complete transcript of the Easy Prey podcast episode.

Christiaan Brand works at Google on the team responsible for the security of Google accounts. Before that, he had a startup working on phishing-resistant authentication. He also represents Google in the FIDO Alliance, which develops standards that all tech companies can use to keep their users safe. Within the FIDO Alliance, he holds a volunteer position as co-chair of the FIDO2 Technical Working Group, which focuses specifically on standardizing robust online security protocols and advancing the use of passkeys. As the Google representative in the FIDO Alliance, he then takes the standards and security protocols the Alliance comes up with and figures out how to implement them to secure Google users.

[I’m] figuring out how to take all this cool technology and then bring it to the billions of Google users out there.

Christiaan Brand

Passwords Aren’t Enough

In 2007 and 2008, Christiaan was working at his security startup, and they saw that smartphones were on the horizon. There was going to be a need to make sure that information on those devices was also protected and delivered securely. The technology industry was starting to realize that passwords just weren’t good enough for security anymore, and that’s when two-factor authentication (2FA) started gaining traction.

Passwords are not good enough to protect information.

Christiaan Brand

The first company to implement 2FA was an online game that had a big problem with players’ passwords being compromised. Google was one of the first consumer services to start using the function and helped it catch on. Google also released Google Authenticator, one of the first 2FA authentication apps. The idea of doing 2FA through an app was important. Before that, you got your 2FA through a physical fob that displayed a code. If you had multiple accounts with 2FA, you’d end up with a unique fob for each one, and that got really inconvenient to carry around. Being able to make all of the codes display through an app instead was a big step towards making security more accessible.

2FA technology has evolved since then. SMS authentication is popular because you don’t need an app for it, but it has pros and cons. Google also added another version with a push notification instead of a code. But what they’re focusing on going forward is passkeys. Passkeys are the next iteration of account security. Traditional 2FA is a band-aid: you have to add it on top of a password. Passkeys are great for security because they replace both the password and the 2FA step. Not only are they more secure, they’re easier to use.

Passkey security is better because it's both more secure and easier to use.

How Passkey Security is Better than Passwords

You probably already know how a password works – it’s a unique code that you put in to let you log into your account on a service or website. When you have a lot of passwords, you have a few options. You can try to remember them all, write them down in a notebook or something similar, or use a password manager. A passkey is very similar to a password in that it’s a unique code that unlocks your account. But it’s far too long and complex to write down. It has to be stored in a password manager.

Normal passwords use a matching function. The site has your password, and so do you. When you try to log in, the site checks to see if what you put in matches what they have. If it matches, you’re logged in. But if the site gets breached, the hackers could easily get your password. Now they can get into your account, and if you reused that password, you’re vulnerable to credential stuffing. But passkeys use asymmetric cryptography. That means that the passkey is actually in two parts. You have one part, the site has the other. This is great for security because criminals can’t get your passkey by tricking you into logging in on a fake site. And even if the site’s half leaks, it can’t be used to authenticate you to the system.

Passkeys Provide Security Against Phishing

With a password, it’s your job to prove your identity to the service. You enter the password to prove it’s really you trying to log in (and enter the 2FA code to prove that it’s really, really you and not someone who stole your password). But with a passkey, that security proof goes both ways. You’re proving your identity to the service, but the service is also proving its identity to you. It’s like a key and a lock. You have the key, and the site or service has the lock. If you put the right key in the wrong lock (e.g. try to log into a fake site), it won’t work. Passkeys can never be accidentally revealed.
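To make the two-halves and key-and-lock points concrete, here is a small simulation of a passkey login, written for this article rather than taken from Google, FIDO or the podcast. The site keeps only a public key, the device keeps the private key, and every signature covers both the server’s challenge and the origin the browser is on; the names (`Authenticator`, `RelyingParty`, `LoginFlow`), the origins and the simplified signed-data encoding are all assumptions of this example, not part of the WebAuthn standard.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator keeps the private half of a passkey; it never leaves the device.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty (the site) stores only the public half, tied to its own origin.
type RelyingParty struct{ origin string; pub *ecdsa.PublicKey }

// Register mints a key pair for one site: the private key stays on the device,
// the public key goes to the server. A breach of the server's half logs nobody in.
func Register(origin string) (*Authenticator, *RelyingParty) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &Authenticator{priv}, &RelyingParty{origin, &priv.PublicKey}
}
// signedData binds the challenge to the origin the browser reports, standing in
// for the clientData that WebAuthn signs (simplified encoding, my assumption).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}
// Assert answers a challenge with a signature over (origin, challenge).
func (a *Authenticator) Assert(origin string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
	if err != nil { panic(err) }
	return sig
}
// Verify accepts a login only if the signature covers this site's own origin and
// the exact challenge it issued: an assertion minted on a look-alike origin fails
// the origin check, and relabelling it with the real origin breaks the signature.
func (rp *RelyingParty) Verify(origin string, challenge, sig []byte) bool {
	return origin == rp.origin && ecdsa.VerifyASN1(rp.pub, signedData(origin, challenge), sig)
}
// LoginFlow: rp issues a fresh challenge, the page at pageOrigin (possibly a
// phishing page relaying that challenge) has the device sign it, and rp checks.
func LoginFlow(rp *RelyingParty, a *Authenticator, pageOrigin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { panic(err) }
	return rp.Verify(pageOrigin, challenge, a.Assert(pageOrigin, challenge))
}

func main() {
	auth, rp := Register("https://accounts.example.com")
	fmt.Println(LoginFlow(rp, auth, "https://accounts.example.com")) // true: real site
	fmt.Println(LoginFlow(rp, auth, "https://accounts-example.com")) // false: look-alike
}
```

In real WebAuthn the browser additionally refuses to use a credential whose registered site does not match the page it is on, so the look-alike page never even obtains a signature; the server-side origin check shown here is the second line of defence.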

Phishing [is] the number one problem that we deal with on a daily basis … it’s so easy to pull off. It’s so easy for users to fall for it.

Christiaan Brand

FIDO’s reason for existing is to improve authentication and make sure users aren’t getting phished. Research shows that over 40% of users will fall for a well-crafted phishing message. Education only goes so far; we also need tech solutions. 2FA helps if someone gets your password, but they could trick you into giving them that code. This happens a lot in India, where they rely heavily on SMS authentication. The whole system comes down as soon as someone social engineers you into sharing that secret code. Unfortunately, social engineering works. Passkeys boost security by entirely skipping that second authentication step and making the first step much, much stronger.

How Passkeys Navigate Common Authentication Issues

Every 2FA method has its own drawbacks. What happens if you lose your fob, your phone crashes, or you get a new phone or a new phone number? With many services, it’s possible to get around these issues, but it’s not an easy process.

In the past, most people had one password that they remembered and used for everything. We’ve had to move beyond that for security purposes. Reusing passwords is a bad idea, and if you can remember it easily, it’s probably not long or complex enough. Some people choose to write all their passwords down in a notebook. But then you risk losing the notebook or not having it when you need it.

Password managers are more convenient for passwords, since you can log in on any machine and get access. But then you run into the problem of using your password manager to store the passkey that gets you into your password manager. It’s a bit of a chicken-and-egg issue. Google’s password manager will store your passkeys, but if you get a new phone and you want to sign in, you first need to sign into your Google account – which requires the passkey.

Passkey security still has challenges, but it's much more secure.

This is a challenge and an opportunity. The EU has done a lot of work on digital identities. In the future, there may be something like a digital driver’s license you can use to authenticate. There is also the option of external phone numbers, but that has a drawback if you get a new phone number. And what happens if your device is lost or stolen, or for people who have to sell their old device before they can afford a new one? These are all future problems to solve. External sources of identification are going to be important for this.

Passkeys are Catching On

Christiaan just recently came back from FIDO’s annual Authenticate conference in San Diego, which brings together companies interested in passkey security and those who have already implemented it. There are a lot of organizations working on passkeys right now. Christiaan has yet to see any large service saying that they’re not interested. Everybody is interested, and those who have implemented it have seen a lot of adoption. Amazon has something like 170 million accounts now with passkeys enabled. Google has over 800 million.

I’ve yet to see any large, institutional online service who is saying, no, we’re not interested in doing [passkeys] at all.

Christiaan Brand

Social media services are going a similar way. TikTok has done some work on passkey security. There’s a lot of work happening in all sorts of areas. In the phases of product adoption, the first wave of a product is the early adopters. They don’t care if it’s rough around the edges, they want the newest stuff. Next is the early majority, where the technology is getting more polished and more companies are getting on board. That’s where Christiaan thinks we are in terms of passkey adoption.

You’re not signing into Google or Amazon multiple times a day. Once you’re logged in there, you stay logged in. If we want to really get passkeys into our daily lives, we have to integrate them in the things where we authenticate daily, like banking, government services, and healthcare. That’s how we’ll really see traction. Christiaan and FIDO are focused on what’s holding it back in those spaces, and it’s mostly just that they’re more cautious and slower environments. Once we get that late majority on board, we’re going to see great things for account security.

What’s Next for Account Security

Christiaan doesn’t think there’s a “next” for account authentication. With passkey security, he thinks we’ve solved the problem. But passkeys only have a benefit if accounts stop supporting the old stuff. If you have passwords available as a fallback, even with 2FA, a criminal can still crack the password, social engineer the 2FA code, and get in. The tech industry has to think about moving away from the old tech, but they can only do that once users are comfortable using passkeys to authenticate. Over the next few years, Christiaan thinks we’ll see some changes. There will be industry guidelines around turning down passwords and adding more friction so users choose passkeys.

If your password is still there, that’s just what the attacker will trick you into using when they want to phish you.

Christiaan Brand

With authentication hardened, attacks are starting to shift to session hijacking. HTTP is stateless: every request your browser makes stands on its own. Logging in saves a cookie to your device, and that cookie is attached to later web requests to tell the site you’ve already authenticated. Once you’re logged in, that cookie has to be kept safe. With the authentication step now secured by passkeys, we’re starting to see malware trying to steal that cookie instead. New technology is looking at how to better secure those cookies. Now that authentication is solved, the next step is to lock down the other ways bad actors can target us.

Learn more about passkey security technology from Google’s resource at g.co/passkeys. For developers, check out fidoalliance.org and passkeys.dev. FIDO Alliance also recently launched Passkey Central, which helps make the business case for passkeys to executives. Connect with Christiaan Brand on X @christiaanbrand.
