Passwords are fading, passkeys are rising — but unless CIOs and CISOs demand higher standards, millions may remain at risk.
Passwords are rapidly heading toward obsolescence, replaced by passkeys that promise to make digital authentication both simpler and more secure. But according to Yubico, the pioneer of hardware-based passkeys, organisations risk a dangerous false sense of security if they settle for weaker implementations.
At the heart of Yubico’s message is a critical distinction: synced passkeys versus device-bound passkeys. Synced passkeys, often stored in the cloud and shared across devices, deliver convenience but can expose users to risks tied to cloud account compromise or flawed recovery systems. Device-bound passkeys, by contrast, never leave the secure hardware in which they are created — with YubiKeys standing out as the most resilient option for high-risk users, enterprises, and individuals needing consistent, phishing-resistant protection.
“Authentication should be adaptable and flexible, not rigid and monolithic. Higher-assurance security is not just for the enterprise; it’s a lifeline for millions.”
– Christopher Harrell, CTO, Yubico
Yet Yubico warns that even strong passkeys can be undermined if organisations leave weaker recovery methods — like SMS codes or push notifications — in place. “Attackers understand this and actively downgrade to insecure, phishable mechanisms,” said Harrell.
The company is urging CIOs and CISOs to demand configurability from their identity providers, enforcing device-bound passkeys as policy and removing fallback methods altogether. For product leaders, the advice is equally direct: don’t exclude hardware security keys, and build choice into authentication systems.
Yubico stresses that stronger passkey adoption isn’t just about compliance — it’s about protecting those who need it most, from journalists and activists to executives and everyday users suddenly thrust into high-risk situations.
The future may be passwordless, but only if organisations raise the bar now.
