Interview

In conversation with: Cole Hecht from Passage by 1Password

8 September 2023 · 15 min read

As more research points to the risks of traditional passwords – with stolen credentials being one of the top methods used by attackers to infiltrate businesses – there’s a growing shift towards more secure options like passwordless authentication. This emerging trend is backed by major tech players who are expanding passwordless functionalities across mobile, desktops, and browsers.

Cole Hecht, who heads up the Passage division at 1Password, recently spoke with SoSafe to offer expert perspectives on this topic, providing valuable insights on how passwordless authentication is transforming the cyber security landscape, particularly regarding passkeys. He dove into both the advantages and challenges of implementing this approach, offered essential tips for successful adoption, and evaluated the substantial business impacts of this emerging authentication method.


Before we jump into it, tell me a little about yourself.

I started Passage to focus on passwordless authentication after working in application security consulting. At 1Password, I lead the Passage by 1Password team to help businesses quickly implement passwordless authentication in their web and mobile apps.


So for the non-technical user, how would you describe passwordless and what this means for them?

Passwordless can take many forms, so one of the things I hope we can explore today are the various meanings of passwordless. In its best form, passwordless is a way to humanize login experiences. People are not well-programmed for passwords. The ability to remember and then type in a bunch of letters, numbers, and special characters is not really how our brains work. With passwordless, people can sign into websites and apps like they unlock their phones. They can use their fingerprint or simply glance at their device to use Face ID or Windows Hello. These very human login experiences can be used to access every service, app, and website.


Maybe diving a little bit deeper into the nitty gritty, how exactly does it work, and how is it different from a password?

Now seems like a good time to discuss the many forms of passwordless. When you think about the term passwordless, it simply implies the absence of a password. There are many ways one can sign into something without using a password. You could type in a four-digit pin, click a button asserting your identity, or adopt an entirely different method.

When I discuss passwordless, I specifically like to focus on passkeys. Passkeys represent the latest and greatest iteration of WebAuthn or Web Authentication. This advancement is part of the amazing work done within the FIDO alliance through the FIDO 2 protocol. Passkeys enable individuals to sign into apps and websites using their Face ID, Touch ID, Windows Hello, and other native technologies.

To be more precise, instead of a traditional password, WebAuthn uses public and private keys – otherwise known as public-key cryptography – to check that you are who you say you are. Public and private keys are mathematically linked to one another. Think of them like interlocking puzzle pieces. They’re designed to go together, and you need both pieces to authenticate successfully. The public key can be shared publicly, meaning the website or app you want to sign in to can see and store your public key. The private key is kept secret and safe.

When you create a passkey for your Google account, you create a private key and keep it safe. It’s either stored locally on your device or in your cloud and synced between your Apple or Android devices. You could also use something like a YubiKey if you’re more security inclined, so the YubiKey would store your private key and the public key is shared.

With a passkey, there isn’t any super-sensitive material sitting on the server like with a password, which, even if hashed well, can often still be cracked. With a passkey, all the server has is a public key. So if an attacker were to completely compromise a database, they would have a bunch of public keys that they could do nothing with. A private key is associated with this public key, but the attacker would have no way to crack it and derive the private key to access the user’s account.

Passkeys also make reused passwords irrelevant. Many people reuse passwords for two different services, meaning if someone gets a hold of one, they can try that across other websites. That threat vector completely goes away in a passkey world.


What are some of the advantages and disadvantages of using passwordless?

While I might be slightly biased, I’d say the advantages far outweigh the disadvantages. Nonetheless, there’s something to be said for each.

Starting with the advantages, I think it’s almost immediately clear when I describe the experience of using a passkey that one big advantage is the user experience. People can sign in easily and don’t mistype a passkey because all they’re doing is glancing, touching, or using whatever authentication system is built into the device. This is a seamless user experience with a great security story, which is also important. In fact, it’s critical for passwordless to really take off. Passkeys do everything people want when they think about securely proving their identity.

There are numerous ways you can create secure and user-friendly passwordless systems. One particularly attractive feature of passkeys is their adaptability. Many of the giant tech companies are promoting passkeys in a really strong way.

They’re signaling this as the version of passwordless technology they’re investing in and betting on. They are promoting it to their users and integrating it directly into their operating systems. This means it’s not some random vendor offering proprietary versions of passwordless. It’s readily available to developers and accessible via our fingerprints. These are the big advantages that immediately come to mind.

As for the disadvantages, let’s discuss passwordless methods outside the passkey context, such as the six-digit code texted or emailed. While this is certainly passwordless, it doesn’t necessarily offer stronger resistance to phishing compared to a password. In these cases, a malicious actor could still send users to a counterfeit website and relay the login information to the actual site to gain unauthorized access to a user’s account. This leaves them no more secure than a password. In fact, people are still vulnerable to this with most forms of Multi-Factor Authentication (MFA). For example, an attacker could do that with a password plus text code system or even a Time-Based One-Time Password (TOTP) authenticator app if they gain access to your device or conduct a SIM swap attack.

Passkeys effectively solve both these problems. They are associated with a specific domain, meaning a passkey created for google.com cannot be used on a deceptive site like g00gle.com with two zeros. This security measure is built into the protocol level, providing robust resistance against phishing attempts. There is no risk of SIM swap attacks because all passkey authentications occur independently from SMS channels.

Implementing passkeys can be somewhat challenging. Passwords, on the other hand, are straightforward to set up. There are countless blog posts and comprehensive libraries across every tech stack providing a framework for how to get passwords up and running. Unfortunately, the same cannot be said for passkeys. Users need a device that supports passkeys, a browser that supports them, and a correct version of software that facilitates their use. One reality most apps and websites must grapple with is that not all their users can use passkeys all the time. This means they must provide intuitive sign-in experiences for these users, which can be a complex task. That’s where our focus lies at Passage. We aim to simplify this process for developers.

Fallbacks and recovery also present a significant challenge. If a user loses their unique private key, a method to get a new one is essential. We’ll delve into this later. 

Finally, any new approach comes with questions. One drawback of introducing something new is the time people need to understand and become comfortable with it before adopting it. With passwords, there really aren’t many questions that have not been addressed yet. This is not yet the case with passkeys.
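The two mechanisms described above, a server that stores only public keys and a passkey that is scoped to one domain so a g00gle.com look-alike gets nothing signed, as an added toy model that is not Passage or 1Password code. Assumptions: a Schnorr-style signature over a Mersenne prime stands in for the ECDSA/EdDSA a real authenticator uses, the `Authenticator` and `RelyingParty` classes and the user "alice" are invented, and the RP ID is taken directly from the origin host, which simplifies the real WebAuthn rules.

```python
import hashlib, json, secrets

P = 2**521 - 1  # Mersenne prime used as a toy group; NOT a production parameter
G = 3           # toy generator

def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def sign(priv: int, msg: bytes) -> tuple:  # Schnorr-style toy signature
    k = secrets.randbelow(P - 2) + 1
    e = _h(pow(G, k, P).to_bytes(66, "big"), msg)
    return e, (k - priv * e) % (P - 1)

def verify(pub: int, msg: bytes, sig: tuple) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(pub, e, P) % P  # equals g^k only if sig was made with pub's private key
    return _h(r.to_bytes(66, "big"), msg) == e

class Authenticator:  # phone or YubiKey side: private keys are created here and never leave
    def __init__(self):
        self._creds = {}  # (rp_id, cred_id) -> private key
    def make_credential(self, rp_id: str):
        priv, cred_id = secrets.randbelow(P - 2) + 1, secrets.token_hex(8)
        self._creds[(rp_id, cred_id)] = priv
        return cred_id, pow(G, priv, P)  # only the public key is handed to the server
    def get_assertion(self, origin: str, cred_id: str, challenge: str):
        rp_id = origin.split("://", 1)[1]  # toy: RP ID is the host the browser is really on
        if (priv := self._creds.get((rp_id, cred_id))) is None:
            return None  # no passkey scoped to this domain, so nothing is signed
        client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, as in WebAuthn
        return client_data, auth_data, sign(priv, auth_data + hashlib.sha256(client_data).digest())

class RelyingParty:  # server side: holds public keys only, so a dumped database yields nothing to crack
    def __init__(self, rp_id: str):
        self.rp_id, self.users, self._challenges = rp_id, {}, set()
    def begin_login(self) -> str:
        self._challenges.add(c := secrets.token_hex(16))
        return c
    def finish_login(self, user: str, cred_id: str, assertion) -> bool:
        if not assertion:
            return False  # authenticator declined, e.g. no passkey for that domain
        client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        if cd["origin"] != "https://" + self.rp_id or cd["challenge"] not in self._challenges:
            return False  # wrong site, or a replayed/unknown challenge
        self._challenges.discard(cd["challenge"])  # challenges are single use
        pub = self.users.get(user, {}).get(cred_id)
        return (pub is not None and auth_data == hashlib.sha256(self.rp_id.encode()).digest()
                and verify(pub, auth_data + hashlib.sha256(client_data).digest(), sig))

def demo():
    rp, device = RelyingParty("google.com"), Authenticator()
    cred_id, pub = device.make_credential("google.com")
    rp.users["alice"] = {cred_id: pub}  # registration: the server stores the public key only
    ok = rp.finish_login("alice", cred_id, device.get_assertion("https://google.com", cred_id, rp.begin_login()))
    bad = rp.finish_login("alice", cred_id, device.get_assertion("https://g00gle.com", cred_id, rp.begin_login()))
    return ok, bad  # (True, False): g00gle.com has no scoped passkey, so the device signs nothing
```

Tampering with `client_data` (for instance rewriting the origin after the fact) also fails, because the signature covers its hash together with the rpIdHash.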

Let’s assume I’m a Security professional, a CISO, CIO, or Head of IT, and I’m thinking about rolling out passkeys. What are some of the things I need to think about?

In the next few years, and even in the present, I anticipate that workforce identity providers will embrace passkeys and swiftly introduce some form of passwordless narrative in a workforce identity context. As a CISO or Head of IT, you’d likely look to your identity provider, Active Directory (AD), Okta, or something else for ways to incorporate passkeys.

This requires some consideration to think about, right? It’s a new paradigm. Not everyone may fully adopt passkeys immediately, but it’s important to envision the goal as you make the shift. Therefore, there are a few things to consider.

Educating the workforce is crucial. As a CISO of a large company, you are confronted with many employees who just try to get their daily tasks done. You are now planning to change their day-to-day routines – something they have been conditioned to for potentially decades. It is important to be respectful of people, make them feel comfortable, and explain how this shift can simplify their lives while improving security. Delivering this message to the workforce in an easy and digestible manner will be vital.

Consider the concept of recovery. Let’s say you’re an organization that issues YubiKeys to all your employees. While this approach is commendable, there are inevitably scenarios when someone loses their YubiKey and, with it, their private keys. In such cases, a recovery process is crucial, allowing them to establish a new key and regain access to their account. This is not unlike the existing recovery process for lost passwords or locked accounts – it merely needs to be modified for passkey use.

Addressing reporting and revocation is also important. In the YubiKey example, it’s easy to conceptualize because it’s a physical object that was lost. It’s in the company’s interest to ensure a lost YubiKey doesn’t grant access to malicious actors. A process for reporting a lost passkey or device and revoking the compromised passkey combination is necessary. In this process, just like with the phishing simulations some companies run to identify weaknesses, it’s important not to judge people who are just trying to do their jobs and accidentally click a link they shouldn’t have. Instead, we should just be constructive, train, and empower the employees to do better next time. This provides the psychological safety and openness to learn and improve. This also applies to YubiKeys, passkeys, and all other topics in security. It’s about helping people and enabling them.

Regarding backups, the challenge may not be as great if you’re dealing with multiple devices rather than depending on one single physical object. For example, 1Password now supports storing passkeys, which can be synced, stored in vaults, and managed by corporate IT – a significant advantage. If a company uses multiple devices where corporate accounts may exist, platforms can also assist with this problem. For example, passkeys can be synced on iCloud. This way, a passkey set up on a Mac can also be accessed from a work phone, ensuring continued access or the addition of new passkeys as long as one device with the passkey on it is accessible.


How quickly do you see passwordless becoming the new norm?

I understand the skepticism people may feel toward passwordless becoming the norm. After all, we’ve been promised the demise of passwords for quite some time, with people like Bill Gates predicting the death of passwords years ago. Yet, they remain. Ubiquity will take time and may never be fully realized. However, I believe passwordless methods, particularly passkeys, will become the new norm within the next few years. Using passwords will soon start to feel a little bit strange, even annoying.

What encourages me to make such a claim now is that there is so much merit in the current form of passwordless authentication – improved security, enhanced user experience, and great privacy. It offers benefits for everyone. For customer-facing websites aiming to optimize conversions and get more sign-ups, putting in your password again slows people down. With passwordless, there is a UX conversions benefit. You can help customers sign up through a glance or touch instead of entering a password. For CISOs concerned about security and account takeovers, the advantages are significant.

On the other hand, there are reservations about passkeys. People are wondering, “Is the technology legit? Is it here to stay?” Slowly, people are starting to feel confident with this technology and understand that the answer is “Yes.” Last month, Google rolled out passkeys to over a billion people, ensuring every Google account holder can access their accounts with passkeys. This isn’t a hidden option buried in settings. Google is actively promoting this, and many people see that as a signal of the legitimacy and longevity of passkeys.

For people like me who have been following the technology closely, Google’s move isn’t surprising given their substantial contributions to its development over the years, along with Microsoft and Apple. Also, every day another service adds support for passkeys. For example, Binance added support for passkeys recently, and that’s really cool. We are in a phase where the merits of passkeys are increasingly recognized. Plus, the adoption momentum is growing. I expect that to become the new norm over the next few years.


We’ve covered the potential impact of passkeys on CISOs and Heads of IT, along with strategies for adoption. But what implications might this have for the average person sitting at their computer just trying to do their job? Do you think that they’ll need to change their behavior when it comes to password security? Do we basically discard all the previous trainings about password length, combinations of uppercase and lowercase letters, and the like?

For years, people have practiced good password hygiene, updating passwords quarterly, crafting complex combinations, and finding ways to remember them. With passkeys, we want you to stop rotating passwords and keep one single strong password. That is a tough mental shift people have to make. But with passkeys, people can essentially forget about many password-related hassles.

While it is still vital to be cautious about the websites where you enter credentials, the threat of entering a password into a malicious website is significantly reduced when there is no password. This eases one of the core subjects of security awareness training – phishing and credentials safety.

Moreover, passkeys could lead to increased productivity. Although password management doesn’t consume vast portions of the workday, the minutes and hours dedicated to it add up over days, weeks, months, and careers. This involves entering passwords, resetting them, interacting with IT, and more. The reduction in ‘password time,’ especially when multiplied across a large workforce, has a big cumulative effect.

I think that this translates into a measurable business impact as employees become more productive. They’re spending time logged in and working rather than logging in. I believe the adoption of passkeys will ultimately benefit employees.


Final question: Aside from passwordless authentication and passkeys, is there anything else in the security field that currently excites you?

Given my focus on customer identity, I’m interested in how consumers log into apps and websites rather than workforce identity or employee logins. With that said, I find many aspects in this field exciting.

For example, authorization is intriguing. While authentication, proving who you are, is a critical and longstanding issue that passkeys help address, there’s another layer – permissions. It’s not enough to confirm you are who you claim you are. We must also determine what you’re allowed to do, such as which messages you can read or documents you can access. Being a verified user doesn’t mean you should have permission to do anything you want. This challenge of authorization is fascinating to me, and interesting technologies are emerging in this field.

Another thing that’s even more nascent is verifiable credentials. This is about storing and verifying real-world identification like a driver’s license, insurance card, or university degree. Rather than sharing all information, you could cryptographically assert certain subsets of the data. For example, you could prove you’re over 21 without revealing your home address, eye color, or full date of birth. Possessing such technology in our digital wallets is an exciting prospect and something we can watch for in the upcoming decade.


Main insights and key takeaways from 1Password

As we delve deeper into the world of passwordless authentication, one thing becomes clear: This method is about to revolutionize the way we see and use authentication. According to Cole Hecht, it will soon be hard for companies to ignore the clear benefits that passwordless – and passkeys – can bring to their businesses. From driving more conversions and improving the user experience to increased security and privacy and higher employee productivity, passwordless can transform the everyday operations of businesses and contribute to their success. 

However, new methods bring new challenges. Beyond technical difficulties, employee adoption may also be an obstacle. Whether employees like or dislike traditional password methods, they are used to them, and changing habits takes time, effort, and, most importantly, training. As Cole Hecht points out, educating your workforce on passwordless authentication or any cyber security topic will empower them to make better decisions and incorporate secure habits into their daily lives without resenting cyber security. A trained workforce is the key to a more secure organization.  

If you want to learn more about how you can implement Passkeys in your organisation and you’re a SoSafe customer, get in touch to see how you can claim your SoSafe Perk and get 25% off 1Password as a new customer.
