The Cybersecurity and Infrastructure Security Agency (CISA) plays an important role in safeguarding the nation's digital infrastructure. As a U.S. government agency, CISA is tasked with leading efforts to protect and enhance the security of the nation's cyber ecosystem. With increasing cyber threats, CISA regularly updates its guidelines and recommendations to address risks and ensure that both public and private sectors are equipped with the necessary tools and strategies to mitigate those risks.

In August, CISA extended its Secure by Design guide. This update specifically highlights passkeys for authentication. Let’s take a look, why this is the case.

The Secure by Design guide is a document that outlines best practices and security protocols to help organizations develop and maintain secure systems. The latest extension (Secure by Demand Guide) explicitly incorporates passkeys into its recommendations. This inclusion is not an isolated event but rather a continuation of a broader trend across various security frameworks, including the Essential Eight and NIST (National Institute of Standards and Technology) guidelines, which have also begun to emphasize the importance of passkeys.

The focus on passkeys is driven by a critical realization: while multi-factor authentication (MFA) significantly enhances security, it does not fully address the threat of phishing - a major cause of account takeovers. Traditional MFA methods, such as SMS-based codes or authentication apps, can still be vulnerable to phishing attacks where malicious actors trick users into revealing their credentials. This vulnerability underscores the need for a more resilient form of authentication.

Passkeys, which are based on public-key cryptography, offer a solution to this problem. Unlike traditional MFA methods, passkeys are inherently phishing-resistant because they do not rely on shared secrets that can be intercepted or tricked out of users. Instead, they use a combination of a private key stored on the user's device and a public key stored on the server. This ensures that even if a user is targeted by a phishing attempt, their credentials cannot be stolen or misused as the browser denies its use.

The push towards passkeys as a standard for authentication reflects that only phishing-resistant methods can truly protect users in today's landscape. Governments and organizations worldwide are recognizing that passkeys represent the future of secure authentication, offering a more user-friendly and secure alternative to traditional MFA.

MFA alone is no longer sufficient to protect against sophisticated phishing attacks. Phishing-resistant MFA is becoming the gold standard in authentication. The FIDO (Fast Identity Online) Alliance has been instrumental in this shift, advocating for stronger, more secure authentication methods for years. Their work, along with contributions from early pioneers like Yubico, has laid important groundwork for the adoption of WebAuthn – the web standard underlying hardware security keys and passkeys.

As passkeys continue to gain traction, they offer a promising future where secure, phishing-resistant authentication is accessible to everyone. This shift is not just a technological upgrade but a fundamental change in how we approach digital security.

In conclusion, while MFA has served as an essential layer of security, the future lies in phishing-resistant multi-factor authentication. Passkeys are the only technology for consumers offering a secure, seamless, and resilient way to protect against the prevalent cyber threats. As we move forward, the adoption of passkeys will be crucial in building a safer and more secure digital world that allows all consumers to benefit from the same security security keys have brought to high-tech and govermantal companies via security keys.