Beyond Passwords – Digital Security for the Modern Enterprise

As organisations face increasingly sophisticated cyber attacks, and with 91% of all successful cyber attacks initiated by a password phishing attack, can or should we still rely on passwords to protect our digital front doors?

The crumbling foundation of passwords

Passwords, once the cornerstone of digital authentication, are no longer fit for purpose. From confusing complexity requirements to vulnerabilities like phishing, credential stuffing, and password spraying attacks, the traditional password has become a liability rather than a defence. The very design of passwords as shared secrets reliant on human behaviour makes them prone to failure in today’s cyber environment.

Even when users follow advice to create a strong password, they often weaken its effectiveness by reusing it on multiple websites. A breach at a single, poorly protected site can expose the password to attackers, who can then exploit the stolen credentials on other platforms (credential stuffing). This interconnected vulnerability makes even the strongest password vulnerable when used across several systems.

Attempts by organisations to strengthen passwords with two-factor authentication (such as SMS codes or authenticator apps) often face usability issues and security gaps. SMS codes are vulnerable to SIM swapping and social engineering attacks. Authenticator Apps (such as Google and Microsoft Authenticators), while more secure, remain inconvenient and face reluctant adoption from users.

Simple toolkits that are easily accessible online allow an attacker to create a copy of a legitimate site and register it under a slightly different name (Google.com vs Gooogle.com). When a link to that copy is sent as part of a phishing attack, a user mistakenly provides their credentials to the attacker’s site rather than the real one, and the attacker now has access to the user’s account.

The rise of passkeys: A simpler, safer alternative

Enter passkeys: cryptographic credentials powered by WebAuthn, a standard built into all popular internet browsers, which remove the need for users to create and manage passwords altogether.

Toro – “We are seeing a strong shift across the industry towards replacing passwords with passkeys. Big tech companies like Meta/Facebook, Google, Microsoft, Apple and Amazon are already using them, setting the precedent for other providers to follow. Those using passkeys feel that they are more secure and more convenient. It’s clear that passkeys are going to become the new normal for secure logins and sites that don’t leverage passkeys will be perceived as insecure and outdated.”

Passkeys consist of a pair of cryptographic keys:

• A public key which is shared with the website;
• A private key which is stored securely on the user’s device.

These keys are bound to a specific domain (website), ensuring that a fraudulent site can never participate in the authentication process, thus protecting the user from a phishing attack.

The web browser creates the keys as part of the user registration process; the user keeps their private key and sends their public key to the website. The private key never leaves the device and is unusable without local authentication, such as a fingerprint, face scan, or device PIN. To prove the user’s identity, the website sends a random challenge to the user’s web browser, and the browser returns that challenge signed with the private key it holds for the site. The website verifies the signature using the user’s stored public key; if the signature is valid for the challenge it issued, the website considers the user authenticated.

This architecture means passkeys inherently provide strong, built-in two-factor authentication using:

• Something you have: the device that stores the private key (e.g., a phone, laptop, or security key).
• Something you are or know: biometric ID or PIN used to unlock and use the private key.

Additionally, passkeys can be synced securely across a user’s devices via platforms like Apple Keychain, Google Password Manager, or third-party tools like 1Password. For high-assurance environments, external, removable authenticators (such as USB/NFC hardware keys) can also be used to store passkeys, much like your front door keys.

Toro – “For most organisations, the simplest and most cost-effective way to use passkeys is to store them on the devices people already use, like their phones or laptops. It’s easy for the end user and adds a strong layer of security without changing how they work. For most businesses, that’s enough. But when you’re dealing with sensitive information or strict regulatory requirements, we always recommend hardware security keys. These physical devices are incredibly secure and much harder to compromise.”

By removing the user from password creation and eliminating shared secrets, Passkeys dramatically reduce phishing risk, credential reuse, and the burden of memorising many different passwords.

Passkeys are:

• Unique per site, ensuring no reuse across platforms.
• Phishing-resistant, since the browser only uses a passkey for the domain it was registered with, so a look-alike site never receives a valid response.
• Frictionless, especially when embedded in modern OS platforms and password managers.

Passkeys remove the user from the security equation in the best way possible by taking the responsibility of password complexity and single-use off their shoulders while increasing both security and convenience.

Conclusion

As attackers get more sophisticated, continuing to use outdated security practices, such as passwords, is no longer tenable. Organisations must shift towards stronger, user-friendly methods, such as Passkeys, or risk having a digital front door with zero kerb appeal.

Toro – “Passkeys represent a major step forward in authentication, and the best part is, they’re not difficult to implement. We are working with lots of organisations to help them integrate passkey support into their systems in a way that’s secure, scalable, and user-friendly. This technology isn’t just for tech giants anymore. Whether it’s a customer portal, internal system, or a full enterprise platform, passkeys help reduce the attack surface while simplifying the login experience. For many of our clients, it’s one of the fastest and most impactful security upgrades they can make.”

Implementing passkeys, especially if you run your own websites or web-based applications, is an attainable task.

This article has been written in partnership with Andy Clymer, CEO of Rock Solid Knowledge.

About Rock Solid Knowledge

Rock Solid Knowledge builds website authentication platforms with strong, modern authentication for enterprises of all sizes, ensuring its customers can sleep well at night knowing that a modern, secure digital front door keeps out the bad actors.