At RSA, passkeys have the buzz

When security professionals are all buzzing about the same thing, it’s a safe bet to pay attention.

Passkeys dominated this year’s RSA conference in San Francisco, where investors and security professionals alike were bullish on the technology and believe that a passwordless future is a matter of when, not if.

Anna Pobletts, 1Password’s head of passwordless, sees a future that lacks password authentication as a barrier to entry.

“Passwords have been trying to be dead for a really long time, and we’re finally at a point where I think that can really happen,” Pobletts told IT Brew.

Set up as a public and private key, passkeys allow users to verify their identity with a one-size-fits-all approach, using tools like biometrics—facial recognition, fingerprints—to protect the encrypted passkeys that unlock protected sites and services.

The passkey experience. Pobletts and the 1Password passwordless team have been working to simplify the passkey experience. Ultimately, she said, end users are going to want what’s most simple, whether they’re at the consumer level or on non-IT teams in company systems. And the rest of the industry is catching on.

“A year ago, if I was talking to someone about passkeys or the technology behind it, I had to do a lot of really in-depth explaining,” Pobletts said. “Now when I talk to businesses about it, they’ll say, ‘Yeah, I actually know about that; I’ve heard about passkeys, it’s on our roadmap.’”

GitHub CSO Mike Hanley told IT Brew that it’s still early days for the technology’s adoption. It’s still difficult to get people to use multi-factor authentication, he noted, largely because companies and organizations aren’t requiring it at the point of entry. Passkeys are the next leap forward in that evolution.

“Traditionally, even when you had some kind of strong authentication, the weak link was always like the account recovery scheme,” Hanley said.

Change in the air. Google announced on May 3 that the company would be rolling out passwordless authentication to all accounts. The transition would take time, Google said in a blog post, and two-step verification and passwords will remain available for accounts for the foreseeable future.

At RSA, Google security and identity product manager Christiaan Brand gave a presentation on the technology, explaining how passkeys will work, and how the FIDO Alliance will grant them interoperability across platforms.

“This technology won’t succeed if it’s only a Google thing,” Brand said. “We want the world to move away from passwords to passkeys.”—EH