
Passkeys are winning, but security leaders must raise the bar, says Yubico
Passkeys Are Replacing Passwords
Passwords are on their way out, and passkeys are replacing them.
Yubico warns that passwords are dying. Passkeys are taking over, offering stronger security and less hassle. They combine ease of use with real protection, unlike passwords alone. But if leaders stall, millions will stay exposed.
The Global Shift: From FIDO2 to WebAuthn
“The global momentum behind passkeys represents one of the most exciting shifts in authentication history. The technical specifications that enable this shift are FIDO2 and WebAuthn, and their implementations are now widely known by the consumer-friendly name ‘passkeys’. As the creator of the first passkeys, passkeys in security keys, Yubico is proud and humbled to have helped initiate and continue to drive this transformation. Yet, the work isn’t done. Not all passkeys are equal, not all users have the same needs, and leaving insecure fallback methods in place can provide a false sense of security,” said Christopher Harrell, Chief Technology Officer at Yubico.
This is how security leaders, builders, product managers, and individuals can make sure passkeys work for everyone.
Synced vs. Device-Bound Passkeys: The Critical Difference
Synced Passkeys: Convenience and Risks
For many, passkeys are synonymous with synced passkeys, where the private key is stored in the cloud and copied between devices. While synced passkeys provide a practical and user-friendly solution for certain use cases, they also rely heavily on the security and availability of the sync mechanism. Furthermore, their effectiveness depends on reliable recovery systems and processes, and ultimately, on the integrity of the cloud accounts to which they are tied.
For people and organisations facing higher risks, those with greater sensitivity or accessibility needs, and individuals who simply want the best protection for their finances or other critical accounts, synced passkeys aren’t enough.
Device-Bound Passkeys: Strongest Protection
Secure hardware creates and contains device-bound passkeys, giving them the strongest protection against phishing, account takeover, and recovery abuse. There are two primary implementations:
- Smartphone/laptop-based: These can be convenient, but aren’t always an available option and can provide inconsistent experiences. For example, most smartphone-based passkey solutions have usability challenges because of confusing QR codes, buggy or missing Bluetooth, and unreliable relay access.
- Hardware security keys (like YubiKeys): The gold standard and original passkey, offering the highest security assurance by providing portable, cross-platform, and consistent passkey experiences. They serve as a root of trust for every use case, across borders and in high-risk situations.
Bottom line: Synced passkeys should be the baseline. Device-bound passkeys must be an option, and in some cases, the requirement.
Closing the Recovery Gap
Even when device-bound passkeys are enabled, accounts remain vulnerable if weaker recovery or fallback methods are still allowed:
- Text messages
- Code-generation apps
- Push notification approvals
- Number matching prompts
“Attackers understand this and actively downgrade to insecure, phishable mechanisms to avoid the phishing-resistant security passkeys provide,” said Christopher Harrell.
CIOs and CISOs: Demand Configurability and Control
According to Christopher Harrell, enterprise-grade protection means control over the authentication policies. He said: “Passkeys in YubiKeys and Windows Hello for Business are better together, offering non-exportable credentials that cannot be silently synced, phished, or copied. These passkeys can provide clear visibility into how and where they are stored, which enables more consistent support, audit, and incident response processes.”
Key requirements to demand from identity providers and partners:
- Enforce only device-bound passkeys in any identity providers
- Require them by policy, even for services outside the SSO
- Disable synced passkeys for enterprise use
- Use passkeys in security keys as a root of trust for self-service recovery, transition, and step-up
- Remove all non-FIDO fallback methods
“To make this work, the services used have to allow it. Organisations should demand configurability from identity providers, workforce tools, and partners. Think about protecting your organisation with authentication designed for the realities of your threat landscape. Organisations that do this see fewer recovery events, lower costs, and greater resilience,” said Christopher Harrell.
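The synced-versus-device-bound distinction above, and the weakest-link problem of leaving phishable fallbacks enabled, are both things a relying party can check in code. The following is an added example written for this page, not Yubico's code or any WebAuthn library's API. It assumes a server that has already verified the registration signature and passes the raw WebAuthn authenticator data bytes; it reads the backup-eligible (BE) and backup-state (BS) flags to classify the credential, applies a configurable "device-bound only" policy, and computes an account's effective assurance as the weakest enabled sign-in or recovery method. Method names such as `sms_code` and the ordering in `RANK` are this example's own assumptions; the sample authenticator data is constructed, not captured from a real authenticator.

```python
# Added example (not Yubico's or any library's code): relying-party checks that
# tell a synced passkey from a device-bound one, plus a weakest-link view of an
# account's sign-in and recovery methods. Assumes the WebAuthn verifier has
# already checked the attestation/assertion signature and hands over the
# authenticator data bytes.
import hashlib
import struct
from dataclasses import dataclass

# Bits of the WebAuthn authenticator data flags byte (byte 32, after rpIdHash).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential can be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration responses)

# Assurance ladder, strongest first (this example's assumption, following the
# article's ranking: device-bound > synced > phishable fallbacks).
RANK = {"device-bound": 3, "synced": 2, "phishable": 1}

# Method names are this example's own; the fallbacks are those the article lists.
METHOD_LEVEL = {
    "device_bound_passkey": "device-bound",
    "synced_passkey": "synced",
    "sms_code": "phishable",
    "totp_app": "phishable",
    "push_approval": "phishable",
    "number_matching": "phishable",
}


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4).
    Attested credential data or extensions after it are left to the full
    WebAuthn verifier; only the policy-relevant fields are read here."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    if backed_up and not backup_eligible:
        # WebAuthn does not allow BS=1 with BE=0; treat as malformed, not as bound.
        raise ValueError("BS flag set without BE flag")
    return AuthData(
        rp_id_hash=auth_data[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=backup_eligible,
        backed_up=backed_up,
        sign_count=struct.unpack(">I", auth_data[33:37])[0],
    )


def passkey_kind(ad: AuthData) -> str:
    """BE=0: the private key cannot leave the authenticator (device-bound).
    BE=1: the key may be synced, even if it is not backed up right now."""
    return "synced" if ad.backup_eligible else "device-bound"


def evaluate_registration(auth_data: bytes, rp_id: str, require_device_bound: bool):
    """Return (accepted, reason) for a new passkey under the RP's policy."""
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad.user_present or not ad.user_verified:
        return False, "user presence and user verification are required"
    kind = passkey_kind(ad)
    if require_device_bound and kind == "synced":
        return False, "policy requires device-bound passkeys; synced passkey refused"
    return True, f"accepted {kind} passkey"


def effective_assurance(enabled_methods) -> str:
    """Weakest-link rule: an attacker chooses whichever enabled method is easiest,
    so an account is only as strong as its weakest sign-in or recovery path."""
    levels = [METHOD_LEVEL[m] for m in enabled_methods]
    if not levels:
        raise ValueError("no authentication methods enabled")
    return min(levels, key=RANK.__getitem__)


def sample_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed test vector for this example, not real authenticator output."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # placeholder relying-party ID
    bound = sample_auth_data(rp, FLAG_UP | FLAG_UV)
    synced = sample_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(evaluate_registration(bound, rp, require_device_bound=True))
    print(evaluate_registration(synced, rp, require_device_bound=True))
    print(effective_assurance({"device_bound_passkey"}))
    print(effective_assurance({"device_bound_passkey", "sms_code"}))
```

The registration check turns the "disable synced passkeys for enterprise use" requirement into a server-side decision rather than a hope about client behaviour, and `effective_assurance` makes the recovery-gap point measurable: an account with a device-bound passkey and SMS recovery still evaluates to "phishable", which is the downgrade path the article describes. A production verifier would also validate the challenge, origin, attestation and signature counter; this block only covers the classification and policy step.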
Product Managers: Build in Choice
“Don’t exclude security keys; it often takes more effort to block them than to support them. And if you’re stuck—whether technically or with usability—Yubico is here to help. We’ve partnered with governments, Fortune 500s, and identity platforms to solve many challenges at scale across the globe,” said Christopher Harrell.
“As a product leader or engineer rolling out passkey support in your application, you are shaping the future of digital identity and safety. If you’re building a banking app, a social network, a government portal, or even an identity provider, then you’re not just writing code. Instead, you’re also making a crucial decision, because at the same time you’re deciding who gets access to higher levels of protection,” said Christopher Harrell.
Benefits for Enterprises and Individuals
- Enterprises that adopt strong security policies save time and money while hardening recovery flows against social engineering.
- High-value accounts can use the strongest phishing resistance to protect all assets.
- At-risk individuals and organisations, ranging from journalists and whistleblowers to those securing political processes or members of marginalised communities, depend on YubiKeys as a lifeline.
- Many people with accessibility needs choose portable hardware security keys because they provide a predictable, tactile, and cross-platform experience, which reduces screen reader challenges and removes the burden of complex or unfamiliar gestures.
- The stakes are global and personal: Build a passkey future that works for everyone.
“Authentication should be adaptable and flexible, not rigid and monolithic. Higher-assurance security is not just for the enterprise; it’s a lifeline for millions,” said Christopher Harrell.
Who Needs the Strongest Passkey Protections
Here are just a few people and groups who need the strongest passkey protections the most:
- Government officials, diplomats, and military leaders
- Legal workers, judges, and law enforcement
- High-profile executives, influencers, and celebrities
- Developers and maintainers of software and systems
- Security practitioners and researchers
- Survivors of domestic violence or trafficking
- Activists, journalists, and other vulnerable populations or organisations
- Those without reliable access to a personal phone or computer
- People with accessibility needs
- Everyday individuals who want the best protection.
Building a Flexible, Inclusive Passkey Future
A person or organisation can become “at-risk” overnight through a political event, security incident, or public exposure. Having the ability to quickly improve security posture can dramatically increase safety and peace of mind.
Whether you lead a security program and build products for millions, or simply care about your own accounts, you face the same challenge:
- Support or require security keys as a core part of your passkey strategy
- Demand configurability and the ability to disable insecure fallbacks
- Ensure everyone has the option to choose the protection level they need
For more information on passkeys, see Yubico’s new infographic and eBook.
About Cyber News Live
Stay ahead of the cyber curve with Cyber News Live, the frontline source for real-time cybersecurity reporting, threat intelligence insights, and educational content tailored for professionals, practitioners, and curious minds alike. From breaking breach news to deep dives on emerging attack vectors, our mission is to demystify complex cyber topics and make critical knowledge accessible to all.
We aim to bridge the gap between awareness and action—helping individuals, businesses, and communities stay resilient in an increasingly digital (and dangerous) world.
