Did you miss a session from MetaBeat 2022? Head over to the on-demand library for all of our featured sessions here.
Password-based security is an oxymoron. With over 15 billion exposed credentials leaked on the dark web, and 54% of security incidents caused by credential theft, passwords simply aren’t effective at keeping out threat actors.
Passwords’ widespread exploitability has led to a range of vendors, including Google, Microsoft, Okta and LastPass, to move toward passwordless authentication options as part of the FIDO alliance.
In line with this passwordless vision, today Google announced that it is bringing passkeys to Chrome and Android, enabling users to create and use passkeys to log into Android devices. Users can store passkeys on their phones and computers, and use them to log in password-free.
For enterprises, the introduction of passkeys to the Chrome and Android ecosystem will make it much more difficult for cybercriminals to hack their systems.
Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.
Stopping credential theft with passkeys
The announcement comes after Apple, Google and Microsoft committed to expand support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium in March of this year.
This move toward passwordless authentication is a recognition of password-based security’s fundamental ineffectiveness. With users having to manage passwords for dozens of online accounts, credential reuse is inevitable.
According to SpyCloud, after analyzing 1.7 billion username and password combinations the firm found that 64% of people used the same password exposed in one breach for other accounts.
Eliminating passwords altogether reduces the likelihood of credential theft and decreases the effectiveness of social engineering attempts.
Diego Zavala, product manager at Android; Christian Brand, product manager at Google; Ali Naddaf, software engineer at Identity Ecosystems; and Ken Buchanan, software engineer at Chrome explained in the announcement blog post, “passkeys are a significantly safer replacement for passwords and other phishable authentication factors.”
“[Passkeys] remove the risks associated with password reuse and account database breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps,” the post said.
It’s worth noting that users can back up and sync passkeys to the cloud so that they aren’t locked out if the device is lost. In addition, Google announced that it will enable developers to build passkey support on the web via Chrome and the WebAuthn API.
The passwordless authentication market
With social engineering and phishing threats dominating the threat landscape, interest in passwordless authentication solutions continues to grow. Researchers anticipate the passwordless authentication market will rise from a value of $12.79 billion in 2021 to $53.64 billion by 2030.
As interest in passwordless authentication grows, many providers are experimenting with decreasing reliance on passwords. For instance, Apple now offers users Passkeys, so they can log in to apps and websites through Face ID or Touch ID, without a password, on iOS 16 and macOS Ventura devices.
At the same time, Microsoft is experimenting with its own passwordless authentication offerings. These include Windows Hello For Business (biometric and PIN) and Microsoft Authenticator (biometric touch, face or PIN). Both offer organizations passwordless user authentication capabilities which integrate with popular tools like Azure Active Directory.
As adoption increases, there will be increasing pressure on providers to offer more and more accessible passwordless authentication options, or risk being left behind.