Update, Nov. 22, 2024: This story, originally published Nov. 20, now includes a new warning from the U.S. Cybersecurity and Infrastructure Security Agency about stopping the theft of passwords and other credentials using FIDO authentication.
1Password has built a reputation on protecting and managing your passwords securely and Google has a security team that is renowned globally for the work it does to protect billions of users every day. Both have warned that passwords are less secure than an already available and easier to use alternative. Now 1Password has exclusively revealed to me how its users are flocking to passkeys as they seek to abandon passwords for a more hacker-resistant and passwordless future. Here’s what you need to know and why making the move is less painful than you might imagine.
Passkey Adoption Surges As Users Grasp The Password-Replacement Nettle
According to statistics made available exclusively to me ahead of publication by Anna Pobletts, 1Password’s head of passwordless technology, passkey adoption has surged during the last 12 months among 1Password users. On average, 1 in every 3.4 1Password users has at least one passkey stored, and there are more than 2.1 million passkey authentications made every month. Since 1Password first launched passkeys in the market in Sept. 2023, there have been 4.2 million passkeys saved in 1Password. The most significant week for passkey adoption was April 15, 2024, when almost 90,000 passkeys were saved. This date correlates closely with an announcement by X that it was adding support for passkeys to iOS users globally on April 8. It would seem that 1Password’s consumer users are currently more likely to adopt passkeys than business users, with 73% of passkey holders falling into the consumer category and just 27% being business account holders.
The most interesting, and in my never humble opinion, important statistic is regarding the number of organizations that have added passkeys as a login option for users. “The number of companies in 1Password’s passkey directory has doubled from last year,” Pobletts told me, “we have seen more than 200 companies add passkeys as a seamless log-in option, including big names like Walmart, Amazon, Target, PlayStation, Discord, Canva and more.” Amazon has recently reported that it now has more than 175 million customers using passkeys, for example.
This data, alongside the fact that 1Password is seeing an average of 2.1 million passkey authentications a month, Pobletts said, “shows that apps aren’t just adding passkey support as an option, but people are choosing to use them over passwords. The more major service providers that go all-in on passkeys, the quicker we will see this switch.”
Passkey Technology Is More Secure And Easier To Use Than Passwords
Launched initially as an initiative by Apple, Google and Microsoft, passkeys are consumerizing security standards such as FIDO and WebAuthn. You can try a simple passkey demo at Passkeys.io and see just how painless they are to use and create. Google’s security team has gone on record to say that “passkeys are faster, more secure, and more convenient than passwords and multi-factor authentication, making them a desirable alternative to passwords and a promising development in the journey to a more secure future.”
Explaining how passkeys work, and how they are a more secure replacement for passwords, 1Password’s chief product officer, Steve Won, said: “Every passkey is made up of two keys—a unique public key, which is created and stored on that company’s server, and a private key, which is stored on the user’s device.” The public key is used to create a challenge that can only be solved by the private key. “Because of this,” Won said, “passkeys are nearly impossible for hackers to guess or intercept because the keys are randomly generated and never shared during the sign-in process.”
So Why Aren’t Passwords Dead Already?
I asked Anna Pobletts: if passkeys are such a significant security advance, which I honestly believe they are (and I recommend that every reader investigate further), what’s stopping people from adopting them? I mean, the 1Password passkey uptake statistics are encouraging but hardly earth-shattering in scale.
“Since we’ve used passwords for decades, they’re just too ingrained in our culture to go away overnight,” Pobletts said, “a broader public understanding and comfortability with passkeys will be critical for mass passkey adoption.” I’d have to agree that it is mostly unfamiliarity that may be what’s holding most users back. Passwords are pretty rubbish at doing their job; we all know that, but at least we are comfortable using them. “For more organizations to receive buy-in to proceed with passkeys, or for individual users to feel confident in using them,” Pobletts said, “a focus on proactively educating the public about passkeys is key and can help reduce the amount of change management required for adoption.” This is, to be honest, one of the reasons for this article, so please share a link to it on your social media and with your friends so that more people can get the no-more passwords message!
Passkeys Are More Secure Than Passwords
Let’s look at some of the reasons why passkeys are way more secure than passwords, if that might help convince you to switch up your login security. Here are three compelling reasons, according to Pobletts:
Passkeys are:
- Strong by default: Unlike weak and reused passwords, passkeys cannot be guessed by hackers because of their innate complexity.
- Phishing and social-engineering resistant: Hackers can’t steal and use credentials if there are no credentials to steal in the first place. Since private keys don’t leave your device, passkeys completely eliminate these types of common attacks for users.
- Effortless to create and use: Passkeys are automatically generated, leaving no room for human error and nothing to remember. They also provide a very familiar experience, as users can authorize use of their passkeys to unlock any service with biometrics.
If Passkeys Are Linked To Your Smartphone, What Happens If It’s Stolen And How Is That Better Than Using Passwords?
Whenever I write anything about passkeys being a more secure alternative to passwords, I get emails and messages asking how that can be if all your security eggs are in one smartphone basket. After all, if your smartphone is lost or stolen, how do you access your accounts, and can’t the thief or a hacker use this to their advantage? Pobletts insisted that in cases of either loss or compromise, passkeys keep people safer than passwords. “When a passkey is created on their device, it gets synced across all their devices in the ecosystem,” Pobletts said, “the passkey is not tied to their lost device, but to their overall account and they can recover their passkeys on another device by signing into their passkey provider, whether that be Apple’s iCloud Keychain or 1Password.”
When you don’t have access to another device, websites that support passkeys also have a responsibility to provide account recovery or backup options, such as SMS, email magic links or backup codes, so that users can re-authenticate, Pobletts told me. “The same is true for compromised devices,” Pobletts said, “the website and the passkey provider have joint responsibility to allow you to manage your passkeys and devices – including de-authorizing devices or passkeys you don’t control any more.”
Passwords Are Dead, Long Live The Passkey
1Password, along with many other technology companies, has been working alongside the FIDO Alliance to publish a working draft of a new set of specifications that, once implemented by major passkey providers, will allow for the import and export of passkeys in a way that’s convenient and secure. “In 2025, we’ll see more companies meeting users where they are. There will be critical improvements like the ability to automatically create passkeys for users, use passkeys across multiple domains for the same brand, and more that will make it easier for websites to provide a best in class user experience with passkeys,” Pobletts concluded. I genuinely hope that 2025 is the year we can say, without irony, that passwords are dead, long live the passkey.
U.S. Cybersecurity And Infrastructure Security Agency Warns Of Risks Of Relying Upon Passwords As MFA Bypass Attacks Increase
The U.S. Cybersecurity and Infrastructure Security Agency has published a new warning as threat actors increasingly turn to multi-factor authentication bypass attacks. “Malicious actors don’t break in—they log in,” CISA warned, adding that many organizations are now struggling to protect their staff from password and credential phishing.
While accepting that any kind of two-factor or multi-factor authentication is better than none at all, a stance that I heartily support, CISA warned that what it calls legacy MFA is “no match for modern threats.” By legacy MFA, CISA is referring to the likes of applications that produce authentication codes, or text-based, email-based or even push notification-based second factors. 2FA bypass attacks are many and varied, but the prime objective remains the same: trick the user into revealing passwords and 2FA authentication codes.
CISA uses a case study detailing how the United States Department of Agriculture built out deployment of FIDO authentication capabilities to approximately 40,000 staff. As already mentioned in this article about passkeys, such authentication methods help address the issue of 2FA bypass using the cryptographic techniques already built into the operating systems, phones and browsers in use. “Here’s the remarkable part about FIDO,” CISA said, “even if malicious actors craft a convincing scheme to steal staff credentials, and the staff comply, the attackers still won’t be able to compromise the account.”
The case study, titled “Phishing-Resistant Multi-Factor Authentication Success Story,” explained how more than 130,000 U.S. Department of Agriculture employees have unique technical needs when compared to most of the federal government. Most apparent of these is the fact that USDA cannot rely upon the use of personal identity verification cards exclusively. Why so? Because the USDA has many seasonal employees who cannot be given the same PIV credentials, for reasons of security and also administration issues, to authenticate or prove their identity in order to access government systems. You can then add the fact that some of these employees also work in lab environments requiring decontamination procedures that would literally destroy PIV card capabilities.
USDA, therefore, turned to Fast IDentity Online capabilities to develop an authentication solution that could offer both the same protective measures as a PIV card but in a way that could survive decontamination procedures and be phishing-resistant, “allowing users to authenticate without the threat of malicious actors tricking them into supplying login credentials,” such as passwords and authorization codes. The FIDO centralized technology architecture that was already supported enabled USDA to address the challenge of finding an authentication solution to counter credential phishing threats. USDA confirmed that this has enabled 40,000 users to access USDA’s network without introducing the risks associated with usernames and passwords.
“USDA encourages all organizations facing phishing-resistant authentication enforcement challenges,” the case study said, “where PIV or other certificate-based authentication is not an option, review USDA’s use of FIDO for guidance.”
1Password has also been busy pushing the passkey alternative to organizations through its work with key players across the industry: with Microsoft, to enable seamless third-party passkey provider integration into Windows 11, and with the launch of 1Password’s Passage feature, which lets companies and developers implement passkeys with just a few lines of code, hopefully pushing forward the eradication of passwords sooner rather than later.