Education
The future is here today! Ok, perhaps that’s a bit over dramatic, however there’s one thing in cyber security that is and has always been a general problem: Passwords! So enter the lord and saviour of all cyber security: Passkeys! (ok, they aren’t but they are cool and useful in a range of scenarios!) Let’s take a deeper look.
The UK NCSC Paper on Passkeys/FIDO2 for personal use
This is a good look here, go and check this out:
https://www.ncsc.gov.uk/paper/traditional-user-and-fido2-credentials-personal-use
The key thing to me:
A key point here is, look at the delta between passwords and FIDO2! It’s a huge delta. That doesn’t mean there are no issues or that vulnerability doesn’t exist.
Of the pushback I’ve seen on passkeys, I’ve seen all kinds of statements like:
Something could still go wrong so I’m staying with usernames and passwords.
This is like saying, I won’t wear a seatbelt because someone who wore one once died/got hurt.
Who Supports Passkeys today?
So I wanted to see what the landscape was like, personally I use Yubikeys and passkeys for a few services (important things) and I’ve been adding more and more as time goes on. So let’s look at the top (common) 20 services people tend to use:
| Microsoft / Outlook |
| Xbox Network |
| Google / Gmail / YouTube |
| Apple ID / iCloud |
| PlayStation Network |
| Nintendo Account |
| Steam (Valve) |
| Netflix |
| Disney+ |
| Spotify |
| X (Twitter) |
| TikTok |
| Discord |
| Amazon |
| PayPal |
| eBay |
So let’s look, what percent support passkeys?
70% of the ‘TOP 20’ services people tend to use support passkeys!
Making this work IRL
I’m still working through my passkey adventure! I’m going to start looking at edge cases etc. but this week I’ve deployed a playstation 5 using passkeys without fuss. When I am looking at mainstream use cases I’m struggling to find scenarios where I wouldn’t use them, I will however continue to test! Family/Sharing scenarios and some more complex/niche setups, but so far however, the passkey naysayers haven’t convinced me!
The Future of Authentication
The future of authentication can’t revolve around mum or dad forgetting their password or being scammed with an email saying: please change your password, please enter your password etc. We need to find a way to move on that works for the masses. Don’t believe me? Go and check out this NCSC blog: https://www.ncsc.gov.uk/passkeys and also go and look at how many incidents involve stolen credentials! Passkeys aren’t a silver bullet, but they look pretty handy to me!
