
Oct 28 2024
Security

Are Passkeys Right for Your University?

Passkeys are an alternative to traditional authentication methods.

Passkeys are the latest version of WebAuthn, an advanced web-based authentication standard. Because they reduce the risk of phishing and data breaches, passkeys can be a great answer to the problem of passwords and two-factor authentication systems.

What Are Passkeys?

Passkeys are a form of public/private key cryptography used for authentication. With passkeys, a user's browser (or hardware token) generates a public/private key pair for each web application. The web application is responsible for storing the public key in its authentication store, while the user's browser stashes the private key away. The passkey store is locked up with its own authentication system, typically a biometric such as a fingerprint, face or retina ID. Passkeys have all of the advantages of encrypted public key infrastructure with digital certificates, without the trouble of managing certificate authorities and certificate policies.


Will Passkeys Work with Our Central Directory for Authentication?

Yes and no. Passkeys are unique to each web application and never shared across applications; this is a feature that reduces phishing because a passkey won’t work except on the site for which it was generated. You can store the multiple public keys in a central directory for your own web applications, or they can be distributed into each different web application. If you choose to put them in a central directory, you’ll have to make significant changes to handle the additional per-user storage and create business logic for things such as authentication resets.
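To make the per-application key pair and the phishing resistance described above concrete, here is a simplified model in Node.js. It is an added example, not code from the article or from the WebAuthn standard: the class names, the user name and both origins are constructed, and the message format is a stand-in for the real WebAuthn structures.

```javascript
// Added example: simplified passkey model (not the WebAuthn wire format); all names are constructed.
const nodeCrypto = require('node:crypto');

// User's device: one key pair per site; private keys never leave this map.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key goes to the web application
  }
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey was ever created for this origin
    const clientData = Buffer.from(JSON.stringify({ origin, challenge: challenge.toString('hex') }));
    return { clientData, signature: nodeCrypto.sign('sha256', clientData, privateKey) };
  }
}

// Web application: stores public keys, issues one-time challenges, verifies sign-ins.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    this.pending.set(user, nodeCrypto.randomBytes(32));
    return this.pending.get(user);
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge is accepted at most once
    const publicKey = this.publicKeys.get(user);
    if (!expected || !publicKey || !assertion) return false;
    if (!nodeCrypto.verify('sha256', assertion.clientData, publicKey, assertion.signature)) return false;
    const data = JSON.parse(assertion.clientData.toString());
    return data.origin === this.origin && data.challenge === expected.toString('hex');
  }
}

function demo() {
  const device = new Authenticator();
  const portal = new RelyingParty('https://portal.example.edu');
  portal.enroll('student1', device.register(portal.origin));
  const assertion = device.sign(portal.origin, portal.newChallenge('student1'));
  const good = portal.verify('student1', assertion);      // genuine sign-in
  const replayed = portal.verify('student1', assertion);  // same assertion again
  // A look-alike origin forwards a fresh challenge; the device holds no key for it.
  const lookalike = portal.verify('student1', device.sign('https://portal.example.test', portal.newChallenge('student1')));
  return { good, replayed, lookalike };
}
```

The `publicKeys` map is the part that would live in a central directory or in each application's own store; nothing in it lets an attacker who copies it sign in as the user.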

How Hard Is It to Modify My Applications to Support Passkeys?

It’s harder than you might think, but it is possible. Passkeys are not just another authentication method: the user interface and user experience are very different, the standard is hard to read, device support varies significantly, and it can be difficult to detect whether a user has set up a passkey and whether it is available on the device being used. Your developers will be able to do it, but it’s not going to happen overnight.

What Do I Do About Apps or Devices That I Don’t Want to Touch?

A whole industry of privileged access management products has popped up to solve the problem of legacy and nonweb applications. Some of these products support passkeys. And, if you’re not using PAM for network and IT infrastructure already, now’s the time to start with passkeys for user authentication.


How Do Passkeys Fit in With Federated Identity?

Because these technologies do different but overlapping things, you can choose to take advantage of the best aspects of both. Passkeys are more secure than passwords or multifactor authentication, so they’re especially appropriate for high-risk/high-value applications. You can also use passkeys for the authentication to your federated identity system. You'll give up some of the security and phishing protection, but you can get started with passkeys and realize immediate security gains by eliminating passwords and MFA costs.
