PASSKEYS AND THE PARADIGM SHIFT IN AUTHENTICATION: A COMPREHENSIVE ANALYSIS OF PHISHING-RESISTANT IAM
Keywords:
Passkeys, Phishing-resistant Authentication, Identity And Access Management (IAM), Passwordless Security, FIDO2 Standard
Abstract
This article examines the emergence of passkeys as a revolutionary authentication method in the Identity and Access Management (IAM) field. As cybersecurity threats evolve, traditional password-based systems have proven increasingly vulnerable to phishing attacks, credential stuffing, and other security breaches. Passkeys, which build on public-key cryptography and the FIDO2 standard, offer a promising solution by providing phishing-resistant, user-friendly, and device-bound authentication. This article comprehensively analyzes passkey technology, exploring its functionality, its advantages over traditional methods, and its potential impact on IAM practices. We evaluate the security enhancements and improved user experience that passkeys offer while addressing adoption challenges and future research directions. Our findings suggest that passkeys represent a significant paradigm shift in authentication, with far-reaching implications for cybersecurity across various industries and the potential to fundamentally reshape the landscape of digital identity protection.