FIDO2 passkeys are cryptographic key pairs, typically stored on a device, that authenticate the user for various applications and services. A public key is stored on the application server, and a private key is stored on an end user’s device. When a user tries to log in to an application, FIDO passkeys use Bluetooth® and FIDO authenticators to authenticate endpoint devices across your organization, simultaneously securing and streamlining your IAM strategy.

Benefits of Secure Passwordless Access

Resist Phishing

Generate unique key pairs for each application and eliminate the reuse of credentials that can cause password fatigue-based attacks.

Mitigate Remote-Based Attacks

Communicate with your users’ smartphones over Bluetooth when signing challenges with private keys.

Enable Passkeys With Ease

Use Entrust Identity as a Service to simplify the support of passkeys within your application.

Flexible Deployment

Deploy anywhere. Seamlessly integrate with your existing IAM. Built for cloud, hybrid, and on-prem environments, so you don’t have to compromise flexibility or control.

Increase Productivity

Passkeys cut login time, reduce password resets, and lower help desk calls—using biometric sign-ins your users already know and trust.

FIDO2 passkey authentication uses Bluetooth to communicate between an end user’s registered device (the FIDO authenticator) and the device on which the user is logging in to the application. The application issues a security challenge to the user’s registered device via Bluetooth. The user is then prompted to authenticate with biometrics to accept the sign-in challenge. The challenge is signed with the private key on the user’s registered device and sent back to the application, which verifies it with the corresponding public key. If verification succeeds, the user is signed in.

FIDO2 passkeys

With FIDO2 passkeys (which are based on FIDO authentication), proximity to the device upon which the application or service is being accessed is always necessary. This helps reduce risk against the most common attacks and enables a familiar user experience that is consistent across all platforms and devices.

Enterprise passkeys bring real security gains to high-stakes environments without adding complexity for users or IT. Here’s how organizations are putting them to work:

  • Enterprise: Organization-wide passkey authentication reduces phishing risk and help desk volume by replacing passwords across cloud and on-prem apps while keeping access simple for remote teams.
  • Healthcare: Protect patient data and streamline clinical logins with passwordless access that aligns with HIPAA requirements.
  • Government: Meet FIPS and NIST mandates with phishing-resistant passkey authentication for employees and contractors across hybrid environments.
  • Finance: Safeguard high-value systems and customer data with strong, credential-free passkey solutions that lower fraud risk.

What are passkeys in identity and access management?

Passkeys are phishing-resistant credentials that replace passwords. They’re tied to your device and identity, and are used to authenticate with a simple biometric or device unlock—no memorization, no reuse.

How do passkeys improve security compared to passwords?

Passkey authentication eliminates common attack vectors such as password reuse, brute-force guessing, and theft. Passkeys use public key cryptography to ensure credentials can’t be intercepted or replayed.

Can passkeys resist phishing attacks?

Passkeys are bound to a legitimate service and can’t be tricked into connecting with fake websites or apps, making phishing attempts ineffective.

Where are passkeys stored?

FIDO2 passkeys are securely stored on the user’s device or in a cloud keychain protected by the operating system. Private keys never leave the device.

Are passkeys supported across devices and platforms?

Passkeys work across major platforms like iOS, Android, Windows, and macOS, with syncing support through Apple, Google, and Microsoft ecosystems.

Talk to an Identity and Access Management Expert

Ready to implement passkey authentication in your own environment? Our IAM experts can help you assess readiness, plan your rollout, and reduce risk. Start the conversation today.