Is 2023 the “beginning of the end” of our #1 IT vulnerability?
I don’t know about you, but I find myself connecting to more and more “systems” in an attempt to be more efficient and productive with my day, and that means properly managing how I access those systems. As a security professional, I use strong, complex password management techniques and rely on trustworthy password vaults to protect the sensitive information I work with every day. Sometimes I have to redo everything in response to threats to my passwords, and that’s why I’m excited to think of 2023 as the beginning of the end for passwords as we’ve known them.
It’s well known that users reuse passwords, create near-duplicate passwords or choose passwords that are easy to crack. That may be convenient for the user, but it raises the odds of a password being compromised, and an account using a compromised password may be one of the most dangerous threats we face in healthcare, because once an account has been taken over, the danger is hard for Security Operations teams to detect. To them, an attacker using a compromised account looks like a legitimate user, and that masquerade can be used for malicious ends, most often launching further attacks from inside the network.
But all of that is about to change (and the sooner the better, in my opinion). Starting late last year and continuing into the first half of this year, a new approach to logging in is emerging that increases both security and convenience. It’s an established, well-vetted standard (the FIDO2/WebAuthn work of the FIDO Alliance and the W3C) that is already being implemented by Apple, Google and Microsoft, and with those vendors in the lead, I’m sure it will become common soon. This approach centers on using “passkeys,” and it will revolutionize how we access our applications and how we protect the credentials associated with them while we do.
What are passkeys?
A passkey is a passwordless login credential. Instead of the traditional account name and password, you use a designated “authenticator,” such as your smartphone, tablet, a hardware security key or a software-based password manager that supports passkeys. You log in, verify your identity to the authenticator (most often with a fingerprint sensor, a facial scan or a device PIN) and then you can start using your websites and applications right away, knowing that your “secrets” are safe. No more passwords!
How do passkeys work?
Behind the scenes, the device (or software) acting as your authenticator generates a pair of mathematically related cryptographic keys. One is public and can be shared freely; the other is private, and only you have access to it: it stays in the protected storage on (or in) your authenticator and never leaves it. When you register with an application, the app stores your public key. When you later try to log in, the app’s server sends your authenticator a fresh, random challenge; the authenticator verifies that it is really you (again, usually through a fingerprint reader or a facial scan), signs the challenge with your private key and sends the signature back. The server checks that signature against the public key it stored, which proves the response came from whoever holds the private key. In other words, the application I’m trying to access asks, “Is this Phil?”, my authenticator answers, “Yes, this is Phil, and here’s a signed proof that only Phil’s authenticator could have produced,” and from there I start using my application.
No passwords are exchanged in this process, and the application I’m logging into never sees my private key; it only holds my public key, which is useless to an attacker on its own, and uses it to check the signature. In fact, with passkeys, no secret is ever passed between the application and your authenticator, and because there’s no “secret password” to share, there’s no password that can be compromised, whether by phishing, by guessing or by a breach of the application’s user database.
Why is this approach better?
As a user, you get to the data you need more quickly and more securely. Using passkeys eliminates passwords and removes the need to remember them. As an IT administrator or a Risk Officer, it reduces the time, energy and attention your IT teams spend managing, rotating and protecting passwords and investigating attempts to compromise them. Passkeys mitigate the attack vectors that compromise so many accounts today: password guessing, credential reuse across sites and phishing. They cannot be guessed or reused maliciously; they resist phishing because each passkey is bound to the website it was created for, so a look-alike site cannot trigger it; and since they are only stored in the secured vault on your device (or in your passkey-compliant password manager), they are difficult to steal. All of the communication between you as a user and the application you’re logging into happens behind the scenes, so it’s almost a “click-to-open-and-go” user experience, but a secure one.
Will passkeys replace passwords entirely?
Not for several years, but these platforms are the future, and they are expected to replace passwords eventually. The standards bodies behind passkeys (the FIDO Alliance and the W3C) have been working on this approach for several years, and with the new technical announcements it’s obvious that the leaders in identity management technology see it as a win-win for everyone. To borrow an old metaphor, it’s the network effect. Originally you couldn’t do very much with only a fax machine, but once everyone else started using fax machines, it became the best way to share information for quite a while. In fact, I probably still have an old fax machine somewhere in my technology closet.
I’m keeping an eye on the trends and will update you as soon as I can. In the meantime, if you’d like to see a demonstration of passkeys in action, I recommend this one from Hanko and this great writeup about how to use Apple’s approach, courtesy of PCMagazine.
We’re eager to adopt passkeys here at Altera because we know how important our clients’ data is, and we want to make accessing that data as easy and secure as possible. We believe healthcare technology should include data security tools designed with people like you in mind. Passkeys are the next step on our everyday journey to next-level healthcare, as we provide a higher-level experience that works for providers instead of against them. If you’d like to learn more about Altera’s work in cybersecurity, go here.