What are Passkeys?
Passkeys: The Future of Secure and Simple Authentication
Passkeys offer a passwordless way to authenticate users. They rely on public-key cryptography and the FIDO Alliance's FIDO2 standards (WebAuthn on the browser and app side, CTAP for talking to an authenticator). They are designed to replace traditional passwords: the user signs in with a biometric such as a fingerprint or facial recognition, or with a device PIN, and that local check unlocks the credential. Each passkey is a key pair. The private key is kept on the user's device (or, for synced passkeys, end-to-end encrypted inside the user's platform account such as iCloud Keychain or Google Password Manager) and is never sent to the service; the service's server stores only the matching public key, which on its own cannot be used to sign in.
How Passkey Devices Work
- Plug the device (e.g., YubiKey, Feitian key) into a USB port or connect it via NFC or Bluetooth. These steps describe a hardware security key; a passkey stored on a phone or laptop skips this step and uses the built-in authenticator.
- Authenticate by pressing a button (proof of user presence), scanning a fingerprint, or entering a PIN (user verification).
- The private key on the device signs the server's one-time challenge together with the site's origin as reported by the browser. The server checks that signature with the stored public key: a signature produced for a look-alike domain does not verify, and a captured signature cannot be replayed because the challenge changes on every login.
How Passkeys Are Used
Passkeys are quickly becoming the go-to method for logging into websites, apps, and services. They provide a secure, streamlined alternative to passwords for individuals, businesses, and government organizations. With phishing attacks and credential breaches on the rise, industries like e-commerce, financial services, and healthcare are adopting passkeys to protect data and simplify user experiences. A CMMC implementation should strongly consider using passkeys.
Why Passkeys are Better than Passwords
- Phishing-Resistant: A passkey is bound to the domain it was registered for. The browser or operating system will not offer it to a look-alike site, and a signature produced for the wrong origin fails verification, so there is no secret a user can be tricked into typing.
- User-Friendly: Nothing to remember or type; signing in takes a touch, a glance, or a PIN.
- Stronger Security: The server holds only public keys. A breach of its credential store yields nothing an attacker can log in with, and there are no reused passwords to stuff into other sites.
- Cost-Efficient: Fewer password resets and lockouts, so lower help-desk load.
- Flexible: Passkeys work across Windows, macOS, iOS, Android, and the major browsers; hardware keys also cover machines that have no biometric sensor.
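The signing step described under "How Passkey Devices Work" and the phishing-resistance point above are easiest to see in code. The following Go program is an added example, not code from this page or from any vendor it names: it models a device-bound passkey (`Authenticator`) and a server (`RelyingParty`) and walks through registration, a legitimate login, and an attempt by a look-alike site to relay the real challenge. The relying-party ID "example.com", the look-alike origin "example.com.login-portal.test", and the challenge string are constructed for the demo; the code also simplifies WebAuthn by omitting attestation, credential IDs, the signature counter, and base64url encoding, so a production server should use a maintained WebAuthn library rather than this model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

type (
	// Authenticator models the passkey device: the private key is generated here and never leaves.
	Authenticator struct {
		priv *ecdsa.PrivateKey
		rpID string // relying-party ID the credential is scoped to, e.g. "example.com" (assumed for the demo)
	}
	// RelyingParty models the server: it stores the public key only.
	RelyingParty struct {
		rpID string
		pub  *ecdsa.PublicKey
	}
	// collectedClientData is the JSON the browser builds; the browser, not the web page, fills in Origin.
	collectedClientData struct {
		Type      string `json:"type"`
		Challenge string `json:"challenge"`
		Origin    string `json:"origin"`
	}
	// Assertion is what travels back to the server (signature counter omitted for brevity).
	Assertion struct {
		ClientDataJSON    []byte
		AuthenticatorData []byte // SHA-256(rpID) || flags
		Signature         []byte // ECDSA P-256 over SHA-256(authenticatorData || SHA-256(clientDataJSON))
	}
)

// Register creates a credential scoped to rpID and hands the server the public key only.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &RelyingParty{rpID: rpID, pub: &priv.PublicKey}, nil
}

// signedMessage is the WebAuthn signature input, computed identically by device and server.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// Assert is the "touch the key" step: the device signs the challenge together with the origin the browser reports.
func (a *Authenticator) Assert(challenge, origin string) (Assertion, error) {
	cd, _ := json.Marshal(collectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for plain strings
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01) // flag bit 0: user present (UP)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// Verify is the server-side ceremony: challenge freshness, origin binding, RP ID hash, user presence, signature.
func (rp *RelyingParty) Verify(expectedChallenge string, as Assertion) error {
	var cd collectedClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong ceremony type or stale challenge: replay rejected")
	}
	// Origin binding: https only, and the host must be the RP ID itself or a subdomain of it.
	u, err := url.Parse(cd.Origin)
	if err != nil || u.Scheme != "https" || (u.Hostname() != rp.rpID && !strings.HasSuffix(u.Hostname(), "."+rp.rpID)) {
		return fmt.Errorf("origin %q is not bound to RP %q: phishing rejected", cd.Origin, rp.rpID)
	}
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthenticatorData) < 33 || string(as.AuthenticatorData[:32]) != string(rpHash[:]) || as.AuthenticatorData[32]&0x01 == 0 {
		return fmt.Errorf("rpIdHash mismatch or user presence not asserted")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	auth, rp, _ := Register("example.com")
	ch := "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; a real server draws fresh random bytes for every login
	good, _ := auth.Assert(ch, "https://example.com")
	phish, _ := auth.Assert(ch, "https://example.com.login-portal.test") // look-alike site relaying the real challenge
	fmt.Println("legitimate login:", rp.Verify(ch, good))
	fmt.Println("phished login:", rp.Verify(ch, phish))
}
```

Two things worth noticing. The look-alike site can relay the genuine challenge, but it cannot control the origin field, because the browser writes it from the page the user is actually on, and the server's origin check then fails. In a real deployment the rejection happens even earlier: the browser refuses to invoke the authenticator at all when the requested RP ID is not a registrable suffix of the current origin, so the user is never prompted to touch the key. The server-side check in `Verify` is the second line of defence and is what an assessor should expect to see in a relying-party implementation.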
Are Passkeys Allowed for CMMC?
Yes. CMMC assesses against NIST SP 800-171, and the requirements that are specifically about passwords (3.5.7 password complexity, 3.5.8 password reuse, 3.5.9 temporary passwords, and 3.5.10 cryptographically protected passwords) only apply where passwords are in use. If passkeys replace passwords on the in-scope systems, document those requirements in your System Security Plan (SSP) as not applicable and state why (no password-based authenticators exist for those accounts); a requirement that is justifiably not applicable is treated as MET by the assessor. Two caveats to plan for: first, the not-applicable argument only holds if passwords are genuinely gone, so any remaining password fallback, local administrator, break-glass, or service account inside the assessment boundary must still satisfy the password requirements; second, the other identification and authentication requirements still apply, including unique identifiers, multifactor authentication (3.5.3), and replay resistance (3.5.4). A passkey protected by a PIN or biometric is a natural way to satisfy those, since it combines something you have with something you know or are, and its challenge-response design is replay-resistant by construction.
Passkeys are more than just an improvement—they’re a game changer in the fight against cyber threats. They simplify access while making authentication far more secure.