
Latest news with #WebAuthn

Yubico urges stronger passkey rules to boost digital security

Techday NZ
4 days ago

Yubico has called on security leaders to reassess the current implementation of passkeys as the industry moves away from traditional passwords. Passkeys have been developed as an alternative to passwords, aiming to improve both security and user convenience. According to Yubico, the transition to passkeys is gaining considerable momentum globally, but significant risks remain if organisations and individuals do not address the nuances in passkey types and fallback options.

Christopher Harrell, Chief Technology Officer at Yubico, stated, "The global momentum behind passkeys represents one of the most exciting shifts in authentication history. The technical specifications that enable this shift are FIDO2 and WebAuthn, and their implementations are now widely known by the consumer-friendly name 'passkeys'. As the creator of the first passkeys, passkeys in security keys, Yubico is proud and humbled to have helped initiate and continue to drive this transformation. Yet, the work isn't done. Not all passkeys are equal, not all users have the same needs, and leaving insecure fallback methods in place can provide a false sense of security."

Harrell outlined a number of distinctions between passkey types, focusing primarily on two: synced passkeys and device-bound passkeys. Synced passkeys store credentials in the cloud and allow users to access them across multiple devices, providing convenience but raising concerns about the security of the sync mechanisms and cloud accounts on which they rely. Individuals and organisations handling sensitive information, or those facing heightened risks, may find synced passkeys insufficient. In such cases, device-bound passkeys offer additional protection. These credentials do not leave the hardware device on which they are created, mitigating threats like phishing, account takeover, and recovery fraud.

According to Harrell, device-bound passkeys have two major forms. The first uses smartphones or laptops, which are convenient but sometimes inconsistent due to usability issues with technology such as QR codes, Bluetooth connectivity, and relay access reliability. The second form employs hardware security keys, such as YubiKeys, which Harrell described as offering the "gold standard" in passkey security because of their portability and consistent experience across platforms.

Harrell emphasised the importance of not allowing insecure fallback mechanisms, such as text message verification or code-generation apps, to remain in place, even when device-bound passkeys are implemented. He said: "Attackers understand this and actively downgrade to insecure, phishable mechanisms to avoid the phishing-resistant security passkeys provide."

For organisations, Harrell recommended that Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) demand configurability and control from identity providers. He commented, "Passkeys in YubiKeys and Windows Hello for Business are better together, offering non-exportable credentials that cannot be silently synced, phished, or copied. These passkeys can provide clear visibility into how and where they are stored, which enables more consistent support, audit and incident response processes."

Harrell suggested specific steps, including enforcing only device-bound passkeys within identity providers, requiring device-bound credentials by policy, disabling synced passkeys for enterprise use, and removing all non-FIDO fallback methods. Yubico's recommendations reflect the company's views on shaping more robust policy around digital authentication.

Harrell also addressed product managers tasked with implementing passkey functionality, advising them to support security key options rather than exclude them, and offering Yubico's assistance to those encountering technical or usability challenges. He said, "Don't exclude security keys; it often takes more effort to block them than to support them. And if you're stuck, technically or from a usability perspective, Yubico is here to help. We've partnered with governments, Fortune 500s, and identity platforms to solve many challenges at scale across the globe." He continued, "As a product leader or engineer rolling out passkey support in your application, you are shaping the future of digital identity and safety. If you're building a banking app, social network, government portal, an identity provider, or anything else, you are also deciding who gets access to higher levels of protection."

Yubico outlined the practical benefits of robust passkey policies, stating that strong measures can reduce account recovery events, lower operational costs, and increase organisational resilience. For individuals, especially those at heightened risk, reliable and accessible authentication is essential. Device-bound security keys can also assist people with accessibility needs by providing a consistent and tactile experience that avoids the complications of screen readers and complex gestures.

Harrell asserted, "Authentication should be adaptable and flexible, not rigid and monolithic. Higher-assurance security is not just for the enterprise; it's a lifeline for millions." Groups identified as needing the strongest protections include government officials, legal workers, journalists, high-profile executives, developers, security researchers, activists, and those without reliable access to personal devices. The risks are not theoretical, as Yubico noted that status can change rapidly due to events or exposure, requiring swift improvements in security posture for protection and peace of mind.

Yubico recommended supporting or requiring security keys as a core element of passkey strategies, demanding configurability from service providers, and ensuring that all users can choose the level of protection suited to their circumstances.

Why The Slow And Steady Adoption Of Passkeys Is A Good Thing

Forbes
30-06-2025

Kevin Dominik Korte: IT Innovation Strategist, Board Member. Expert in identity management, AI and open-source solutions.

Since its initial launch in mid-2022, passkey technology has led a relatively quiet existence without garnering much attention. However, an increasing number of websites have recently started supporting the new concept of passwordless sign-ins. Built on the FIDO2 and WebAuthn standards, passkeys have been heralded as the long-awaited solution to replace insecure passwords.

The technology quickly gained the support of tech giants, major brands and open-source enthusiasts. After all, it promises an end to phishing and credential theft, bringing with it phishing resistance, no shared secrets and seamless biometric integration. Two years since the first implementations, we've seen an uptick in adoption on consumer websites, as the FIDO Alliance highlighted on the occasion of the first "World Passkey Day" on May 1. To date, almost half of the top 100 websites offer passkey integration.

Unfortunately, success on the consumer side of things is only half the story. Enterprise adoption remains stubbornly slow. While passkeys offer security and usability advantages, sprawling legacy systems and complex regulatory obligations have caught enterprises between the allure of innovation and the inertia of established processes. Let's dive into the three major types of problems slowing down broader passkey adoption.

Despite technological advances, passkeys also come with several technical disadvantages in enterprise settings. The keys are device-bound, relying on secure enclaves or hardware security modules to store private keys. Transferring them between different devices hinges on proprietary and incompatible protocols. Apple's passkeys do not seamlessly interoperate with Android and vice versa, leaving IT departments to wrestle with compatibility gaps and inconsistent user experiences. This dependency introduces a host of complications for organizations, such as employees switching between corporate laptops and desktops, bring-your-own-device policies and shared workstations. Unlike passwords, which are platform-agnostic, passkeys require careful orchestration across a fragmented ecosystem of devices, operating systems and browsers. While some enterprise password solutions offer support for passkey technology, this adds another piece of software to the growing list of applications.

And then there's legacy integration. Enterprises have invested in their IT systems, and many legacy systems rely on non-web applications. Passkeys were not yet available when IT departments mapped out their application and system requirements. As a result, retrofitting these environments demands significant engineering resources, ongoing maintenance and specialized expertise in protocols like WebAuthn. The cost and complexity of such projects can be daunting, especially when weighed against the perceived incremental benefit over existing multifactor authentication (MFA) solutions companies already have in place. It's no wonder many organizations choose to maintain parallel authentication systems, undermining the very security and efficiency gains that passkeys are meant to deliver.

Beyond the technical, there is the human element as well. Decades of password-centric workflows have defined habits for users and administrators. The introduction of passkeys represents a fundamental shift, not only in how people log in, but also in how they think about it. For passkeys to be widely adopted, we must change how people perceive authentication, passwords and cybersecurity in general. The adoption rates of similar security technologies, like MFA, and the responses to cybersecurity training give us a flavor of the challenges that lie ahead when it comes to convincing administrators, who in turn have to convince their end users.

Yet, IT departments are even more worried about the lack of fallback and reset processes. These threaten to disrupt established help desk routines. What happens when a device is lost, stolen or otherwise compromised? How do you provision passkeys for temporary staff, contractors or disabled users who cannot use biometrics? While it's true that most IT departments have long-established procedures for these questions, they will face these questions again when transitioning to passkeys. The lack of unified support for passkey resets and recoveries compounds the issue. Today, passkey recovery depends on proprietary cloud services or complex key escrow arrangements, which may not align with corporate security policies or regulatory requirements. Until we find a standardized solution for these operational questions, IT leaders will remain hesitant to mandate passkeys as the sole authentication method.

Even if we solve the human and technical issues, regulatory and compliance considerations will slow deployment. Enterprises operate under stringent compliance mandates, including GDPR, HIPAA and PSD2. While passkeys offer strong security guarantees, they introduce new ambiguities around data privacy, especially involving biometric data. Biometrics are typically stored locally and never transmitted, but organizations must still demonstrate compliance and reassure stakeholders that sensitive data is adequately protected. Further, IT and HR have to harmonize these arrangements with bring-your-own-device and similar IT policies. What's more, IT departments must carefully plan and secure partial deployments and transition periods. Partial adoption, though, creates security blind spots, combining the shortcomings of passwords and passkeys.

We're Getting There: Incremental Progress Is A Feature, Not A Bug

Despite these headwinds, surveys suggest that nearly 90% of enterprises are piloting or already using passkeys for customer-facing deployments. However, only a fraction of them have rolled out passkeys organization-wide.

On the enterprise side, the most successful implementations have taken a phased approach. High-risk user groups are migrated to passkeys first while existing authentication methods remain an option for everyone else. This incremental strategy allows organizations to realize immediate gains. It reduces phishing, improves security and enhances the user experience, while gradually building the trust and expertise needed for broader adoption.

Ultimately, the slow path to enterprise passkey adoption is not a failure of technology but a reflection of the complex realities of large-scale IT. As with any paradigm shift, success depends on a pragmatic blend of technical innovation, user education and regulatory alignment. For now, passwords may be on notice, but writing their obituary—at least in the enterprise—would be premature.

Namrata Barpanda: The Quiet Force Behind Smarter, Stronger Cybersecurity

International Business Times
14-05-2025

Cybersecurity has progressed from an essential technical requirement into an essential business operation as our world grows increasingly connected. Modern corporate cybersecurity operations depend on people who link knowledge of how systems work to risk prediction, guidance for digital evolution and community-wide resilience. Namrata Barpanda, a Staff Security Engineer, operates with strategic strength by developing secure systems and building a resilient defensive culture in cybersecurity.

Namrata brings decades of cybersecurity expertise and detection engineering experience, delivering strategic vision combined with deep technical mastery. She treats security threats as opportunities to engineer systems that track the natural progression of the security landscape. Throughout her career Namrata has worked across various cybersecurity areas, including detection engineering and DevSecOps together with threat intelligence, adversary emulation, 5G security and infrastructure security. The true essence of Namrata is defined by her leadership approach, which combines awareness with group participation and proactive planning.

Breaking Boundaries With Passwordless Authentication

Her significant work includes leading the development of FIDO2- and WebAuthn-enabled passwordless authentication tools that draw on her expertise. As part of a Zero Trust Architecture, this system implements advanced security measures that reinforce corporate defenses against phishing attempts and unauthorized access. Through her work, Namrata creates a path to authentication systems that maintain elevated security standards while providing effortless user experiences.

Full-Spectrum Technical Expertise

Her competencies extend past authentication processes. The extensive domains that Namrata masters include Web Application Firewalls (WAF), Security Information and Event Management (SIEM), intrusion detection and prevention systems (IDS/IPS), firewalls and proxy servers, bot mitigation and brand protection, vulnerability management and penetration testing, DevSecOps and 5G security, among many others, which illustrate her years of cyber defense experience.

Proactive Threat Hunting And Real-Time Defense

Namrata's approach is to engage actively with security matters. She demonstrates expertise in threat hunting, log correlation and behavioral analysis, which enables her to identify and stop security threats before they spread throughout the network. Her extensive management of major security incidents, coupled with high-volume threat intelligence operations, positions her as an essential presence in critical high-risk settings.

Adversary Emulation: Thinking Like An Attacker

Through her leadership Namrata conducts sophisticated adversary emulation exercises that use MITRE Caldera alongside Atomic Red Team tools. Organizations use these simulation tools to reproduce authentic attacker methods in order to validate and refine their detection systems. The customized attack code Namrata developed targets specific vulnerabilities in her organization's environment, which has led to improved security readiness and widened protection areas.

Driving Enterprise-Wide Cybersecurity Transformation

Namrata's strategic view goes beyond technology execution. Through her leadership, Namrata has successfully deployed security embedding programs to change the DNA of major enterprises. In her work, she establishes cybersecurity as an essential tool for innovation and growth that does not create bottlenecks. Through her work, organizations experience faster incident response times while gaining the ability to undertake digital transformation measures safely. Namrata works passionately to promote Zero Trust Architecture. The organizations she leads have adopted Zero Trust frameworks as she guides them from traditional perimeter security models to identity-aware and context-based protection systems. She manages third-party risk management projects which help organizations identify vulnerabilities within their supply chain networks while reducing security threats from external dependencies.

Championing Diversity And Future Talent

In addition to her technical and strategic work, Namrata dedicates herself to the cybersecurity community. She shares her experience by speaking at industry forums and by mentoring young professionals who aim to build tech and security careers, with a special focus on women. As part of her wider vision Namrata focuses on advancing diversity because she believes it will bring the cybersecurity field more innovation and greater preparedness for the future.

Building Security Culture Of Tomorrow

According to Namrata, the path ahead is clear. Businesses need to establish multiple layers of defense that adapt to developing threats. Organizations need to invest in people while modernizing outdated processes, followed by promoting a security culture across all departments. Through her leadership Namrata has developed cybersecurity tools while promoting fundamental changes in the way cybersecurity operates.

Conclusion

Through her work, Namrata Barpanda demonstrates the true value she brings to the cyber landscape, although she keeps it subtle. Her deep technical skills, together with foresight and human-centered leadership, allow her to create a new generation of cybersecurity that is stronger and smarter for any challenge that comes.

World Password Day: Replacing the weakest link with smarter security

Tahawul Tech
04-05-2025

Experts urge enterprises to ditch outdated password routines for behavior-driven, passwordless solutions as cyber threats evolve.

World Password Day is no longer just a day to reset a password—it's a wake-up call. As cyberattacks become more sophisticated, industry leaders agree: the password, once the gatekeeper of digital identity, has become the weakest link. From evolving best practices to the behavioral science behind poor password hygiene, experts across the cybersecurity spectrum are calling for a fundamental shift in how organizations approach authentication.

World Password Day, observed on the first Thursday of May, was established in 2013 by Intel Security to raise awareness about the importance of strong password practices. Inspired by security expert Mark Burnett's call to dedicate a day to password hygiene, the day encourages individuals and organizations to strengthen their digital defenses through secure passwords, multi-factor authentication, and passwordless technologies.

The first line of defense: strengthen it or replace it

'A strong password is your first barrier; don't let it be the weakest link,' says Ezzeldin Hussein, Regional Senior Director, Solution Engineering – META at SentinelOne. 'A password is more than just a key; it's the gateway to your digital identity. Strengthen it, protect it, and complement it with multi-factor authentication. On World Password Day, let's commit to better security habits—because a strong password today means a safer digital world tomorrow.'

Passwords remain foundational to digital security—but they must evolve. Hussein advocates for strong, unique passwords backed by multi-factor authentication (MFA) and password managers. More importantly, he emphasizes a shared responsibility: users and organizations must adopt secure habits and champion next-generation alternatives like biometrics and passkeys.

The end of the password: a necessary evolution

'We need to move away from reliance on passwords and shared secrets,' insists Chester Wisniewski, Director and Global Field CTO at Sophos. 'Access keys or passkeys today represent the most robust solution for building a future without passwords, phishing, and, hopefully, large-scale compromise.'

Sophos' 2025 Active Adversary Report reveals that compromised credentials remain the top cause of cyber incidents for the second consecutive year. Traditional authentication methods—whether passwords or MFA codes—are being bypassed through advanced phishing kits and cookie theft. Wisniewski endorses WebAuthn, a protocol that leverages cryptographic key pairs and physical devices, including biometrics. This model not only prevents phishing but also authenticates both the user and the service—making unauthorized access significantly harder.

Understanding why password fatigue persists

'It's not that people don't understand the risks. It's that the need for uninterrupted access often outweighs the promise of long-term protection,' explains Niresh Swamy, Enterprise Evangelist at ManageEngine.

Swamy examines the human side of cybersecurity—specifically the psychological patterns that drive password fatigue, reuse, and weak security habits. Concepts like bounded rationality, availability heuristics, and loss aversion reveal that the struggle with passwords isn't about ignorance, but about mental efficiency. Organizations often respond with stricter protocols, but Swamy argues that the real fix lies in removing the need for passwords altogether. Solutions such as passkeys, Single Sign-On (SSO), and magic links reduce cognitive load and eliminate the risk of human error.

Designing behavior-aware systems

To effectively tackle risky password behavior, organizations must bridge the gap between convenience and security. That means:

  • Adopting passkey-enabled vaults to eliminate password memorization.
  • Using SSO to centralize access and reduce the number of logins.
  • Deploying PAM (Privileged Access Management) solutions that automate, restrict, and audit access.
  • Embedding AI into access control policies to detect and prevent standing privileges and risky behavior in real time.

These are not just security upgrades—they're behavioral interventions. 'When an organization removes decision points where things go wrong, they're not just securing systems—they're correcting flawed human design,' Swamy notes.

Policy must match progress

The technological path forward is clear, but without supportive policy, security tools lose their impact. Shared credentials, over-permissioning, and legacy access controls remain common pitfalls. Progressive companies are implementing dynamic, AI-powered access policies that adjust privileges based on context and usage—reducing friction while increasing protection.

Rethinking the absurdity of passwords

'In many ways, our daily interactions with passwords feel a lot like Sisyphus' burden,' Swamy reflects. 'We push the boulder uphill every day, only to start over. The solution is not to make the boulder lighter. It's to remove the hill.'

Tools like passkeys, SSO, PAM, and AI do more than simplify access—they eliminate the absurdity of forcing humans to defend digital fortresses with mental gymnastics. When systems account for how people actually think and behave, security becomes sustainable.

This World Password Day, the message is unified and urgent: secure systems must evolve beyond passwords. Whether by strengthening existing routines with MFA and password managers or by advancing toward passwordless authentication, the time for action is now. Because as our digital lives expand, so too must the way we protect them.

Bernard Montel, EMEA Technical Director and Security Strategist at Tenable, wants to remind us that we live in a digital world and we need to protect it. With passwords the virtual key to our online world, it's time to consider our password habits and what – if anything – can be done to make these virtual locks stronger:

Securing Our Digital World: The Paramount Importance of Strong Passwords and Credential Hygiene

This World Password Day is a timely reminder that strong passwords are more than just a best practice—they are critical to safeguarding our personal and professional digital lives. In a world where our data is stored, processed, and accessed online, the strength and security of our credentials can determine whether we remain protected or become vulnerable to cyber threats.

Strong passwords serve as the frontline defence against unauthorised access. They protect not only emails and personal files, but also critical infrastructure, cloud platforms, and autonomous systems that run in the background—such as service accounts, APIs, and automated workflows. As these digital agents increasingly interact without human oversight, securing their credentials becomes just as vital as protecting user logins.

Using complex, unique passwords—blending uppercase and lowercase letters, numbers, and symbols—significantly reduces the risk of brute-force attacks. However, password strength alone is not enough. Each credential should be unique and managed with care, especially for software accounts with elevated privileges or persistent access.

Weak password practices can lead to devastating consequences: data breaches, identity theft, financial loss, and reputational harm. For organisations, compromised credentials—especially those tied to automation or backend systems—can trigger widespread service disruptions, intellectual property theft, and costly compliance violations.

To combat these risks, organisations must adopt a layered approach to password security. This includes implementing multi-factor authentication (MFA), enforcing password complexity and rotation policies, and using secure credential management solutions to protect both human and machine accounts. Regular security training, audits, and awareness campaigns ensure that employees understand the stakes and uphold best practices. Ultimately, securing our digital world means protecting every entry point—human or machine—with diligence and care.

Morey Haber, Chief Security Advisor at BeyondTrust, said:

World Password Day on May 2nd, 2025, remains cybersecurity's most ironically misguided celebration. As a yearly event, it is a reminder of our collective failure to promote good password hygiene and highlight bad habits and silly mistakes. Despite endless warnings and breaches demonstrating password fragility, we have decided to dedicate a day to celebrate the weakest link in cyber defense: us – human beings. So, on May 2nd, we will recognize that as humans, we are fundamentally inept at password management and reuse secrets, refuse complexity, forget, and share passwords, creating a lucrative opportunity for threat actors to capitalize on our flaws. Therefore, for future celebrations, I would like to propose that World Password Day focus on marking a proactive pivot toward biometrics and passwordless authentication options, so we can ultimately change the narrative of identity attack vectors. Instead of promoting stronger passwords and a day when everyone should rotate their passwords, perhaps we should promote a technological revolution and replace passwords with modern solutions that can minimize our own human weaknesses: biometrics, MFA, and passkeys for everyone.

Ziad Nasr, General Manager – Acronis Middle East:

On World Password Day, Acronis is reminding individuals and organizations across the UAE that a strong password remains one of the simplest, yet most powerful defenses against cybercrime. According to the Acronis Cyberthreats Report H2 2024, the UAE ranked among the top three countries globally targeted by malware attacks. A striking 16.2% of malicious URLs detected globally were blocked on UAE endpoints, signaling high exposure to credential-stealing threats. Compounding the risk, email-based attacks surged by 197%, with phishing responsible for 74% of all cyberattacks during this period. These phishing schemes are often designed to harvest login credentials, exploiting weak or reused passwords to gain unauthorized access to critical systems.

Passwords are often the weakest link in cybersecurity. When attackers steal them through phishing or data breaches, they can bypass most security systems unless multi-factor authentication is in place. Acronis urges users in the UAE to:

  • Avoid common passwords like '123456' or 'admin'—still alarmingly prevalent in breach data.
  • Use a password manager to create and store strong, unique passwords.
  • Enable two-factor authentication (2FA) wherever possible.
  • Educate employees about phishing tactics to prevent password theft.

In today's threat landscape — where AI-powered cyberattacks are rapidly growing — strong password hygiene isn't just an IT recommendation; it's a frontline defense.

Microsoft to make new accounts password-free by default: What changes

Business Standard
02-05-2025

Microsoft is rolling out changes to streamline its sign-in experience, prioritising passkeys and other secure alternatives over traditional passwords.

New Delhi: Microsoft is moving further towards a password-free future. Starting May 1, all new Microsoft accounts will be created without a traditional password by default. Instead, users will be prompted to use more secure alternatives such as passkeys, which rely on face, fingerprint, or PIN authentication. The company confirmed that users will no longer be prompted to set up a password during the account creation process. These changes are part of Microsoft's broader effort to make its authentication systems simpler and more secure.

Microsoft Account: New Changes

New sign-in user experience (UX): Earlier this year, Microsoft introduced a refreshed visual design for its sign-in and sign-up flows. The company said the new experience is more modern and streamlined, with a focus on guiding users towards passwordless options.

New Microsoft accounts will now default to passwordless sign-in. Instead of requiring a password during set-up, users will be offered several secure alternatives such as passkeys. Existing users can also opt in by removing their passwords through their account settings.

Passwordless-preferred sign-in: Microsoft is also rolling out a smarter sign-in experience that automatically selects the most secure method available for the user's account. For example, if a user has both a password and a one-time code configured, they'll be prompted to use the one-time code. After signing in, users will be encouraged to enrol a passkey for future use. The company says that as more users adopt passkeys, reliance on passwords will continue to drop—paving the way for their eventual removal altogether.

What is a passkey

A passkey is a cryptographic alternative to passwords. When a user creates a passkey, two keys are generated: a public key stored by the service (in this case, Microsoft), and a private key stored securely on the user's device. To authenticate, users can simply use their device's built-in security features like facial recognition or a fingerprint scan. Passkeys are built on the WebAuthn standard and are designed to work across devices. In the event a device is lost, users can regain access through back-up or synced credentials through cloud services like iCloud Keychain or Google Password Manager.
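The public/private key split described above, and the Sophos remark earlier on this page that WebAuthn "authenticates both the user and the service", come down to a few checks the relying party performs on each sign-in. The Go program below is an added, simplified model of that exchange (not code from Microsoft, Sophos or any article here): Ed25519 stands in for the credential key, the origin and RP ID are constructed placeholders, and the browser's own check that the RP ID matches the page origin is not modelled, so the example shows only the server-side checks that reject a challenge relayed through a look-alike site.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the clientDataJSON fields that the browser, not the page, fills in.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // unpadded base64url
	Origin    string `json:"origin"`
}

// Assertion is the authentication response handed back to the relying party (RP).
type Assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

// Authenticator models a device-bound credential: the private key is generated on the device and only signatures leave it.
type Authenticator struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // registered with the RP; not secret
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv, Pub: pub}, err
}

// signedMessage is what both sides sign/verify: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append(make([]byte, 0, len(authData)+32), authData...), h[:]...)
}

// Sign answers a challenge. observedOrigin is the origin the browser saw; a look-alike site cannot make the browser write the genuine origin here.
func (a *Authenticator) Sign(challenge []byte, observedOrigin, rpID string) (Assertion, error) {
	cdj, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    observedOrigin,
	})
	if err != nil {
		return Assertion{}, err
	}
	// Minimal authenticatorData: rpIdHash (32) || flags (1, UP bit set) || signCount (4).
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1)
	return Assertion{cdj, authData, ed25519.Sign(a.priv, signedMessage(authData, cdj))}, nil
}

// RelyingParty knows its own origin and RP ID plus the public key registered for the user.
type RelyingParty struct {
	Origin, RPID string
	Pub          ed25519.PublicKey
}

// NewChallenge returns 32 fresh random bytes; the RP must accept each one only once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify runs the RP-side checks in spec order: ceremony type, challenge, origin, rpIdHash and user-presence flag, and only then the signature.
func (rp *RelyingParty) Verify(expectedChallenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed clientDataJSON or wrong ceremony type")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, expectedChallenge) {
		return errors.New("challenge mismatch (replay or stale session)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q (assertion relayed from another site)", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], want[:]) || as.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("authenticatorData: wrong rpIdHash or user presence not asserted")
	}
	if !ed25519.Verify(rp.Pub, signedMessage(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := &RelyingParty{Origin: "https://login.example.com", RPID: "login.example.com", Pub: auth.Pub} // constructed placeholders
	ch, _ := rp.NewChallenge()
	genuine, _ := auth.Sign(ch, rp.Origin, rp.RPID)
	relayed, _ := auth.Sign(ch, "https://login-example.com.invalid", rp.RPID) // same challenge, look-alike origin
	fmt.Println("genuine:", rp.Verify(ch, genuine), "| look-alike:", rp.Verify(ch, relayed))
}
```

The password-style fallbacks discussed elsewhere on this page have no equivalent of the origin and challenge checks, which is why an attacker who can downgrade a user to them gains what the passkey denied.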
