Yubico has called on security leaders to reassess the current implementation of passkeys as the industry moves away from traditional passwords.
Passkeys have been developed as an alternative to passwords, aiming to improve both security and user convenience. According to Yubico, the transition to passkeys is gaining considerable momentum globally, but significant risks remain if organisations and individuals do not address the nuances in passkey types and fallback options.
Christopher Harrell, Chief Technology Officer at Yubico, stated,
“The global momentum behind passkeys represents one of the most exciting shifts in authentication history. The technical specifications that enable this shift are FIDO2 and WebAuthn, and their implementations are now widely known by the consumer-friendly name ‘passkeys’. As the creator of the first passkeys, passkeys in security keys, Yubico is proud and humbled to have helped initiate and continue to drive this transformation. Yet, the work isn’t done. Not all passkeys are equal, not all users have the same needs, and leaving insecure fallback methods in place can provide a false sense of security.”
Harrell outlined a number of distinctions between passkey types, focusing primarily on two: synced passkeys and device-bound passkeys. Synced passkeys store credentials in the cloud and allow users to access them across multiple devices, providing convenience but raising concerns about the security of the sync mechanisms and cloud accounts on which they rely.
Individuals and organisations handling sensitive information, or those facing heightened risks, may find synced passkeys insufficient. In such cases, device-bound passkeys offer additional protection. These credentials do not leave the hardware device on which they are created, mitigating threats like phishing, account takeover, and recovery fraud.
According to Harrell, device-bound passkeys have two major forms. The first uses smartphones or laptops, which are convenient but sometimes inconsistent due to usability issues with technology such as QR codes, Bluetooth connectivity, and relay access reliability. The second form employs hardware security keys, such as YubiKeys, which Harrell described as offering the “gold standard” in passkey security because of their portability and consistent experience across platforms.
Harrell emphasised the importance of not allowing insecure fallback mechanisms, such as text message verification or code-generation apps, to remain in place, even when device-bound passkeys are implemented. He said:
“Attackers understand this and actively downgrade to insecure, phishable mechanisms to avoid the phishing-resistant security passkeys provide.”
For organisations, Harrell recommended that Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) demand configurability and control from identity providers. He commented,
“Passkeys in YubiKeys and Windows Hello for Business are better together, offering non-exportable credentials that cannot be silently synced, phished, or copied. These passkeys can provide clear visibility into how and where they are stored, which enables more consistent support, audit and incident response processes.”
Harrell suggested specific steps, including enforcing only device-bound passkeys within identity providers, requiring device-bound credentials by policy, disabling synced passkeys for enterprise use, and removing all non-FIDO fallback methods. Yubico’s recommendations reflect the company’s views on shaping more robust policy around digital authentication.
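One place the "device-bound only" policy is actually enforced is the relying party, which can inspect the flags byte of WebAuthn authenticator data: the BE (backup eligible) and BS (backup state) bits are set for synced passkeys and clear for credentials that cannot leave the authenticator. The following is an added illustration, not code from the article or from Yubico; the RP ID `example.com` and the sample authenticator data are constructed here.

```python
import hashlib
import struct

# WebAuthn authenticator data layout: rpIdHash(32) | flags(1) | signCount(4) | ...
# Flag bits: UP=user present, UV=user verified, BE=backup eligible, BS=backed up
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def device_bound_policy(auth_data: bytes, rp_id: str, require_uv: bool = True):
    """Return (accepted, reason); rejects anything flagged as syncable."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "user presence not asserted"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification required by policy"
    if parsed["backup_eligible"] or parsed["backup_state"]:
        return False, "synced (backup-eligible) passkey rejected by policy"
    return True, "device-bound passkey accepted"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build a constructed sample; not captured from a real authenticator."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    bound = make_auth_data("example.com", FLAG_UP | FLAG_UV, sign_count=7)
    synced = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(device_bound_policy(bound, "example.com"))   # accepted
    print(device_bound_policy(synced, "example.com"))  # rejected
```

The check belongs at registration, so a syncable credential is never enrolled, and at every assertion, since the flags can be re-evaluated on each login.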
Harrell also addressed product managers tasked with implementing passkey functionality, advising them to support security key options rather than exclude them, and offering Yubico’s assistance to those encountering technical or usability challenges. He said,
“Don’t exclude security keys; it often takes more effort to block them than to support them. And if you’re stuck, technically or from a usability perspective, Yubico is here to help. We’ve partnered with governments, Fortune 500s, and identity platforms to solve many challenges at scale across the globe.”
He continued,
“As a product leader or engineer rolling out passkey support in your application, you are shaping the future of digital identity and safety. If you’re building a banking app, social network, government portal, an identity provider, or anything else, you are also deciding who gets access to higher levels of protection.”
Yubico outlined the practical benefits of robust passkey policies, stating that strong measures can reduce account recovery events, lower operational costs, and increase organisational resilience. For individuals, especially those at heightened risk, reliable and accessible authentication is essential. Device-bound security keys can also assist people with accessibility needs by providing a consistent and tactile experience that avoids the complications of screen readers and complex gestures.
Harrell asserted,
“Authentication should be adaptable and flexible, not rigid and monolithic. Higher-assurance security is not just for the enterprise; it’s a lifeline for millions.”
Groups identified as needing the strongest protections include government officials, legal workers, journalists, high-profile executives, developers, security researchers, activists, and those without reliable access to personal devices. The risks are not theoretical: Yubico noted that a person's risk status can change rapidly due to events or exposure, requiring swift improvements in security posture for protection and peace of mind.
Yubico recommended supporting or requiring security keys as a core element of passkey strategies, demanding configurability from service providers, and ensuring that all users can choose the level of protection suited to their circumstances.