smartenterprisewisdom
Request a Demo
Get in Touch

Outline

Share Article

Understanding Passkeys and Hardware Tokens: Building phishing-resistant authentication

Passkeys and Hardware Security Tokens
Paul Horn
Paul Horn is the Chief Technical Officer (CTO) of Accutive Security; he has over 30 years of cybersecurity and software development experience with a focus on data protection and cryptography
Posted on January 16, 2025
Picture of Paul Horn
Paul Horn
Paul Horn is the Chief Technical Officer (CTO) of Accutive Security; he has over 30 years of cybersecurity and software development experience with a focus on data protection and cryptography

Phishing attacks evolved far beyond the poorly written email scams they were known for. Cybercriminals now employ advanced social engineering tactics that exploit human psychology and organizational vulnerabilities, leading to devastating ransomware attacks, data breaches, and other attacks. In fact, the FBI reports that phishing attacks resulted in over $44 billion in losses in 2023. These attacks can lead to stolen sensitive data, financial losses, and severe reputational damage. Here’s how modern phishing attacks have evolved:

  • Social Engineering Tactics: Attackers pose as trusted individuals, such as employees or vendors, to manipulate victims into revealing sensitive information.
  • Impersonating Employees: By leveraging stolen personal information, attackers trick IT help desks into registering new devices on a corporate network.
  • Infiltrating Systems: Once a malicious device is registered, it becomes a vector for deploying malware or ransomware.
  • Targeting the C-Suite and other well known employees: C-suite executives and other highly credentialed employees are often the primary targets due to their elevated access privileges.
  • Compromising MFA Mobile Devices: Traditional multi-factor authentication (MFA) methods, like SMS codes, are increasingly vulnerable to sophisticated attacks like SIM swapping, where attackers hijack a victim’s phone number to intercept authentication codes.

To combat this evolving threat landscape, organizations must adopt advanced security measures. Passkeys and hardware tokens provide robust, phishing-resistant authentication options that address these challenges.

What is a Passkey and How do Passkeys Work?

A passkey is a cryptographic credential based on asymmetric cryptography, specifically public-key cryptography, designed to replace traditional passwords. Unlike passwords, which rely on “something you know,” passkeys leverage “something you have” — a unique cryptographic key securely stored on your device. This eliminates the vulnerabilities associated with passwords, such as weak password choices, password reuse, data breaches, and susceptibility to phishing attacks. 

Here’s a deeper dive into how passkeys work:

Passkey Generation

  1. Key Pair Creation: When you create a passkey for a website or application, your device generates a unique key pair consisting of a private key and a public key.   
  2. Private Key Storage: The private key is securely stored in a dedicated secure enclave on your device (e.g., a hardware security module or the device’s operating system’s secure storage). This key never leaves your device and is protected by a local authentication mechanism like biometrics (fingerprint, face recognition) or a PIN.   
  3. Public Key Registration: The corresponding public key is sent to the website or application’s server and registered with your account.

Passkey Authentication Process

  1. Authentication Challenge: When you attempt to log in, the server sends a challenge message to your device.   
  2. Digital Signature: Your device uses the private key to generate a digital signature for the challenge message. This signature proves that you possess the corresponding private key without revealing the key itself.   
  3. Signature Verification: The server receives the digital signature and verifies it using the public key it has on file. If the signature is valid, your identity is confirmed, and you are granted access.   

Benefits of Passkeys

  • Phishing Resistance: Since the private key never leaves your device, it cannot be intercepted or stolen through phishing attacks.   
  • Stronger Security: Asymmetric cryptography provides a higher level of security compared to traditional password-based authentication.   
  • Improved User Experience: Passkeys eliminate the need to remember complex passwords, simplifying the login process for your users.   

Passkey Technical Details

  • WebAuthn: Passkeys are built on the WebAuthn standard, a web API that enables websites to integrate strong authentication mechanisms into their login flows.   
  • Credential Management: Passkeys can be managed by platform authenticators (like Windows Hello or Apple’s Keychain) or dedicated password managers, providing a seamless user experience.   
  • Cross-Platform Compatibility: Passkeys are designed to work across different devices and operating systems, enhancing user convenience.   

Passkeys refer to passwordless authentication that meets WebAuthn standards as part of the FIDO Alliance’s FIDO2 project.

What is the FIDO2 passkey standard and why is it important?

The FIDO Alliance’s FIDO2 standard is the gold standard for passwordless authentication, offering robust security and interoperability.

Why FIDO2 Matters:

  • Passwordless Authentication: Eliminates passwords entirely, reducing the risk of credential-based attacks.
  • Hardware-Backed Security: Requires device-bound credentials, such as those stored on smartcards or Yubikeys.
  • Compliance: Aligning with FIDO2 ensures adherence to global security standards, a critical factor in regulated industries. FIDO2 is the gold standard for passkeys and any authenticator or device your organization deploys should be FIDO2 certified.

Device-Bound vs. Synced Passkeys:

  • Synced Passkeys: Stored on cloud-synced devices, such as mobile phones. While convenient, they are vulnerable to attacks like SIM-swapping.
  • Device-Bound Passkeys: Stored on hardware tokens, offering greater security as the credentials cannot be extracted or transferred.

By aligning with FIDO2, your organization can provide secure, user-friendly authentication while minimizing the risks associated with traditional methods.

Soft vs Hard Tokens: Do you need hardware tokens or will software suffice?

Authentication methods can generally be divided into two categories: hard tokens and soft tokens.

Soft Tokens: Software-based authentication solutions, such as mobile authenticator apps or SMS codes.

Advantages:

  • Easy to deploy.
  • No additional hardware required.
  • Often more cost effective than deploying hardware tokens organization wide.

Disadvantages:

  • More vulnerable to phishing, social engineering and other attacks.
  • Relies on devices that may be compromised.
  • Can provide a buggy experience for users, particularly if they change devices or phone numbers.

Hard Tokens: Physical devices, such as smartcards or Yubikeys, used to securely store authentication credentials.

Advantages:

  • Highly resistant to phishing and tampering.
  • Provides device-bound security that travels with the user and is not reliant on a mobile device.
  • Provides an extra layer of security for regulated or secure environments.

Disadvantages:

  • Requires initial investment in hardware.
  • Users must keep the token accessible, potentially making them more inconvenient for users (e.g. “I left my Yubikey at the office on a work from home day”).

For organizations facing high-security risks, hard tokens provide unmatched protection, making them a critical component of any robust authentication strategy. IAM platforms, such as HID Global’s DigitalPersona platform, provides a versatile approach to authentication by supporting a wide range of authentication methods, including both soft and hard tokens. This allows organizations to tailor their security strategy to their specific needs and risk profiles.

A Question of Form Factor: Smartcards vs. Yubikeys

With FIDO2 certified options existing for various hardware token form factors, including smartcards and yubikeys, the right solution for your organization comes down to a question of preference, security and business needs.

Smartcard Features

smartcards

  • Physical card form factor that can fit into a wallet.
  • Supports integration with physical access control systems.
  • Can be used as for physical, logical and identity authentication, including use as a ID Badge.
  • Supports a wide range of authentication protocols including FIDO2, and is highly secure, making it ideal for compliance-heavy industries.

Use Cases: Government, healthcare, and enterprises requiring dual-purpose and triple-purpose cards for digital and physical security.

 

Yubikey Features

FIDO2 USB Security Key

  • USB or NFC-based device.
  • Lightweight and portable, but may be easily lost by users.
  • Cannot be readily used as a means of physical and identity authentication.
  • Supports a wide range of authentication protocols, including FIDO2.

Use Case: Individuals and organizations with the need for a single purpose hardware token that prioritizes convenience and versatility.

Which Hardware Tokens Are Best for Your Organization?

There is no one size fits all solution for every organization. Selecting the right hardware token involves evaluating multiple factors, including:

  • Compliance Needs: Industries like finance or healthcare may require smartcards to meet regulatory requirements.
  • User Experience: Yubikeys may be preferred for their ease of use in less complex environments.
  • Use Cases: Do you require hardware tokens in addition to physical access cards and ID badges? Does it make sense to consolidate these into one smartcard?
  • Integration: Consider compatibility with existing Identity and Access Management (IAM) systems.
  • Budget: Factor in the cost of hardware, deployment, and ongoing support.

For some organizations, such as those that require their hardware token to double as a physical access card, smartcards are an obvious choice. For other organizations that only need a hardware token, the primary consideration is the integration with your existing IAM framework and user ease of use. Passkey rollout can be fraught with challenges so it is important that training and change management actions are planned to maximize the odds of successful user adoption.

Building Phishing Resistance with Hardware Tokens

To combat the evolving phishing threat landscape, organizations must implement a phishing-resistant roadmap:

  1. Assess Your Needs: Identify your industry’s compliance and security requirements.
  2. Evaluate IAM Frameworks: Determine compatibility with FIDO2 authentication.
  3. Choose the Right Tools: Select hardware tokens like HID Crescendo smartcards or Yubikeys based on organizational needs.
  4. Train Employees: Ensure users understand how to use tokens effectively.

By investing in hardware security tokens, your organizations can elevate the security of your workforce identities and reduce the risk of successful phishing and credential theft attacks. Additionally, passkeys significantly improve the user experience compared with the traditional passwords that are difficult to remember and keep track of.

Secure your Workforce Authentication Assessment

Consult with an expert to incorporate FIDO-certified passkeys and hardware tokens into your workforce authentication framework

Learn more

Share Article

Contact Us

Comment

No Comments Found.

Leave a Reply

Recent Posts
Tags

Step up your cybersecurity posture with Thales Hardware Security Modules

Seamless integrate HSMs into your cybersecurity stack

Get Started
Contact Us

Share Article

Download this Resource