Introduction to passkeys

Bravura Safe manages the lifecycle of passkeys.

What is a passkey?

Definition

A passkey is a digital credential that is easier to use and more secure than traditional passwords.

Construction

A passkey is made up of a pair of unique cryptographic keys generated by an authenticator (like Bravura Safe) for a specific website or online service:

  • A public key that is returned to the website or online service during user account registration.

  • A Bravura Safe-specific private key stored and managed in Bravura Safe and never exposed to anyone, including the Bravura Safe account holder.

Benefits

  • Speed and efficiency - passkeys increase the speed at which you can create and log in to a web account

  • Increased security - passkeys are more secure than passwords; they are not susceptible to phishing, password theft or brute force attacks

  • Ease of use - passkeys replace username and password; no need to memorize or enter a string of characters (may require user verification via biometrics/PIN, etc.)

  • Flexibility - synced passkeys stored in Bravura Safe can be used from any browser (vs. those stored on a device, which rely on OS integration)

  • Availability and continuity - if a device is lost, synced passkeys can be accessed and used from another device (vs. a non-backed-up hardware key or smart card)

  • Hardened storage - the private key remains in Bravura Safe and is not sent to the service or over the internet, making it much more difficult for attackers to gain unauthorized access to user accounts

  • Increased privacy - personal information (such as an email address or username) is no longer required

  • Seamless user experience - authentication takes place 'behind the scenes'

  • User convenience - synced passkeys accessed from various user devices are much more convenient than keeping track of device-bound hardware tokens

Want more technical details? See Advanced passkey topics.

Passkey types

Discoverable vs. Non-discoverable

It is important to understand the difference between discoverable and non-discoverable passkeys:

  • Discoverable: The website or online service can attempt to use a credential (passkey) without first requiring the user to identify themselves.

    Note

    Passkeys stored in Bravura Safe are discoverable.

    If a WebAuthn credential is not discoverable, it is not considered a passkey.

  • Non-discoverable: These credentials cannot be invoked by a website or online service in a generic manner.

    The user must first provide their identifier, and the authenticator uses that information to request the correct credential.

    These are not considered passkeys.

Synced vs. Device-bound

Synced and device-bound are two separate methods of managing passkeys across systems providing passwordless authentication:

  • Synced passkeys are accessible across multiple devices through a secure synchronization process, enabling users to effortlessly switch between different devices while maintaining their authentication capabilities.

    Note

    Bravura Safe securely stores synced passkeys.

  • Device-bound passkeys are tied to the specific device on which they were created; for example, a hardware key or smart card.

    These can be lost or misplaced and often have no backup mechanism.

    Authentication is restricted to the original device.

For more information, see Synced or device-bound?

Passkey use cases

Bravura Safe provides a secure place to store phishing-resistant passkeys. Below are some common uses for passkeys (software tokens):

  • Employee authentication - Employees can use passkeys to access corporate systems. After identifying themselves and using a passkey generated by Bravura Safe, they are granted access.

  • Remote access - For employees working remotely, passkeys can be used with VPNs and other remote access tools to establish secure access to the organization's networks from outside the corporate firewall.

  • Cloud access management - As companies increasingly move to the cloud, passkeys can manage access to cloud-based resources and services, ensuring consistent security policies for on-premises and cloud environments.

  • Mobile and BYOD security - For companies allowing employees to bring/use their own devices, passkeys help secure access to company resources, adding a layer of security even if the personal device itself is not secure.

  • Endpoint security - Passkeys can lock down workstations, laptops and mobile devices so they can only be used by authenticated users.

  • Session control - Passkeys typically have a short lifespan (useful for contractors, vendors, etc.); they are valid only for a single session or a limited time period, which reduces the opportunity for potential attacks.

  • Context-sensitive authentication - A passkey requirement can be based on the user's location, the device being used or the access time, etc. This can augment security while maintaining user convenience in lower-risk situations.

  • Single sign-on (SSO) - When used with SSO systems, a passkey may be used for the initial authentication process. Once authenticated, users can then access multiple services without having to log in again for each one.

  • Application-level security - In some applications, passkeys can be used to perform sensitive operations such as financial transactions, data modifications or accessing personal customer information.

  • Privileged Access Management (PAM) - Passkeys can provide an additional security layer for users with elevated access; for example, each time a user accesses a privileged account, a new passkey is required, reducing the risk of abuse or unauthorized access.

  • Audit and compliance - Companies may choose to use passkeys as part of their overall strategy to monitor and document access to systems for auditing purposes and to meet policy and regulatory compliance requirements.

  • Workflow and approval processes - For workflows that require approvals, passkeys can be used to authenticate the identity of the approver, adding a traceable security layer.