Passwordless options
In retiring passwords, security leaders will need to consider their options — passkeys, biometrics, and third-party login services — looking for the best technical, usability, and security fit. There are pros and cons for each option, and in many cases CISOs may be guided towards one based on their existing environment.
Passkeys, used by Microsoft, Samsung, and Zoho among others, are FIDO2/WebAuthn credentials: a private key that never leaves the user's device is paired with a public key registered with the website, and the user unlocks the private key locally with a device PIN, biometric, screen unlock pattern, or hardware security key. Because the signature the device produces is bound to the site the browser is actually talking to, a credential issued for one site cannot be replayed to a look-alike domain.
“Passkeys are hardware-backed, can be more phishing-resistant, and have a reduced liability of storing credentials. On the other hand, there’s a lot of overhead, especially with recovery complexity and device dependencies, and there are implementation costs,” says Rana.