Niall McConachie at Yubico looks towards the future of authentication
Organised crime groups are increasingly turning to artificial intelligence (AI) to supercharge their scams, a reality recently highlighted by Europol. This alarming shift is not only expanding the toolkit available to cyber-criminals, but enabling more sophisticated and convincing forms of fraud and cyber-attacks like phishing.
One of the main forms of phishing on the rise due to AI is ‘vishing’, where hackers exploit AI to clone voices and likenesses from audio, video, and even images found online. Combined with tools that mimic known caller IDs, an attacker can convincingly impersonate a colleague or employer seeking urgent assistance, tricking employees into making a costly mistake.
For enterprises of all sizes, this escalating threat is particularly acute. In fact, recent research shows that UK businesses are losing a total of £64 billion annually in remediation costs, staff overtime and lost business. And it is not just within the work environment that employees are being targeted: according to Yubico’s latest State of Global Authentication survey, 70 percent of respondents have been exposed to cyber-attacks in their personal lives in the past year.
With employees commonly accessing work applications on their personal devices, it’s clear they need a secure authentication method to protect their work accounts – no matter which device they access them on.
The unfixable problem with passwords
For decades, since the Internet was born, passwords have been the primary key to our digital lives. Yet, they are an out-of-date and fundamentally flawed method of security designed for an Internet not prepared for the sophisticated cyber-attacks of today.
This was recently highlighted by the discovery of one of history’s biggest data breaches, which revealed a treasure trove of 16 billion passwords from users on all of the world’s major platforms. This discovery is particularly frightening given that once a cyber-criminal has a user’s password, they can bypass outdated security measures like SMS-based verification codes, allowing them to access sensitive company and personal data.
As the threat landscape evolves, cyber-criminals are leveraging AI to make their phishing emails virtually flawless. In the past, tell-tale signs like far-fetched details or clearly inaccurate information might have given a scam away.
Today, large language models (LLMs) like ChatGPT can instantly generate human-sounding, highly personalised messages that are nearly impossible for recipients to identify as fraudulent. These tools have made targeted ‘spear-phishing’ attacks, which once required time-consuming research, scarily easy to automate.
In light of these advanced threats, it’s no surprise that there is a growing consensus among security experts: passwords must be left in the past. The question for business leaders is no longer if they should move on from passwords, but what they should move on to in order to secure their company’s devices.
A more secure future with passkeys
In response to this challenging landscape, a global transition is underway; enterprises are moving away from passwords towards stronger, more resilient technologies. The clear successor is the passkey, which is rapidly emerging as the new standard for secure authentication.
This isn’t just a niche trend. The UK Government recently announced its plans to embrace passkeys for its digital services, citing them as the recommended method for enhanced security. The move is expected to not only offer users a more secure authentication option but also save millions of pounds annually, demonstrating a clear return on investment.
So, what exactly is a passkey? In its most secure form, a passkey is device-bound: it is stored on a local device such as a physical hardware security key, rather than on a remote server as passwords are. Each passkey is a cryptographic key pair bound to that device, pairing a public key with an unguessable private key that is never shared, so remote attackers cannot intercept it – a powerful difference that makes passkeys resistant to phishing attacks.
Rather than depending on something an employee has to remember, which can easily be forgotten, stolen, or phished, a passkey relies on something they have (the physical key), something they know (a PIN), and something that proves the identity of the user who is supposed to gain access (a physical touch of the key).
If an employee is tricked into clicking a link and lands on a fraudulent website, the passkey simply won’t work. The authentication will fail, and the attacker is stopped in their tracks, even if they have the user’s credentials. With device-bound passkeys, the phishing risk is significantly reduced, helping organisations to develop cyber-resilience in the face of unauthorised access from phishing attacks.
A strategy for full protection
However, simply handing out security keys isn’t always enough. For passkeys to reach their full potential, businesses must think beyond the technology and focus on developing phishing-resistant users. This requires implementing a proactive strategy to remove phishable moments from the entire employee journey, ensuring security is built in from the very beginning.
Doing so enhances cyber-security resilience and supports businesses in further strengthening the security of their company data.
This holistic approach must cover every interaction an employee has with their accounts. It starts with a phishing-resistant registration process, ensuring that the initial setup is secure and cannot be compromised. This is followed by the daily use of passkeys for phishing-resistant login, which provides seamless and secure access that protects both employees and company data. Critically, this strategy must also extend to phishing-resistant recovery.
Attackers are increasingly targeting account recovery procedures, as they are often weak spots that rely on easily phishable methods. If an employee loses their security key, the team must follow a procedure to get them back online that is just as secure as their daily login and prevents any bypass of critical security controls.
By implementing phishing-resistant measures at every stage, underpinned by the high-assurance security that hardware keys provide, businesses can build a truly resilient organisation. This strategy, combined with ongoing security education, puts organisations in the best possible position to defend against emerging AI-powered threats.
The conversation with security teams
Business leaders don’t need to be security experts, but they can lead the charge by starting the right conversations. By focusing on a holistic, lifecycle-based approach, leaders can help their security team build a powerful business case for moving beyond passwords and going passwordless.
The benefits are clear. Organisations gain not only the highest level of security against modern threats but also see a significant return on investment. The cost of providing every employee with a physical passkey is surprisingly affordable, especially when weighed against the financial and reputational damage of a single breach.
Furthermore, embracing modern authentication helps ensure compliance with evolving regulations like PCI DSS 4.0 and NIS2, helping businesses on their journey to cyber-resilience.
Ultimately, cyber-criminals will continue to innovate and add new AI tools to their arsenal. But businesses do not have to remain defenceless. By moving beyond the password and investing in a comprehensive, phishing-resistant authentication strategy, organisations can free up resources and grant their teams more time to focus on growth.
For any business leader, knowing their staff accounts and company data are safe and sound is a truly worthwhile investment – one that will pay off for years to come.
Niall McConachie is regional director (UK & Ireland) at Yubico
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543