How to Protect Customer Passwords From AI Targeted Attacks

Grace Lu
September 19, 2023

Artificial intelligence (AI) is already being employed by bad actors to increase the sophistication and targeting of phishing, account takeovers, and credential stuffing attacks. This trend makes it even more important for businesses to secure themselves and their users. In this guide, we look at examples of how AI-fueled attacks are developing and provide ideas on how businesses can protect themselves and consumers.

New threats online: Consumer security and AI

With new AI capabilities reaching the market, the goal post for security will continue to shift. We already know AI has altered the security landscape in three key areas:

1. AI models can crack 51% of passwords in less than a minute

A report from Home Security Heroes used a model called PassGAN to crack 51% of common passwords in under a minute, with that number rising to 80% over a month. While the time to crack increases exponentially with the length of a password, many consumers tend to lean towards shorter, easy-to-remember passwords. These statistics highlight the need for authentication methods that protect consumers against password attacks.

2. AI tools can steal passwords from keystrokes with 93% accuracy

Researchers at Cornell University published a paper that shows an AI model trained to eavesdrop on users’ keystrokes can derive passwords from audio with an astonishing accuracy rate of 93%. This form of attack can’t be mitigated with longer or more complex passwords, thus increasing the risk of entering credentials in public spaces or on a call.

3. Large language models (LLMs) increase the danger and frequency of phishing attacks

The leaps in productivity driven by advancements in LLMs can also give leverage to malicious actors. Phishing attacks have been increasing in frequency and sophistication, making it increasingly challenging to distinguish between genuine and fraudulent communications. This makes consumers more susceptible to account takeovers and credential stuffing attacks across all of their services.

Solutions for business leaders

Customers expect the information they share with businesses to be protected by the highest security standards. Here are a few best practices businesses should follow to keep their customers secure:

1. Consumer security education

Most consumer apps today offer educational content and in-product reminders to improve awareness of security risks, and provide a way to report suspicious activity. Common phishing scams are often detectable if a consumer pauses to consider them, but typically are overlooked when a consumer is in a rush or trying to get a job done. 

2. Multi-factor authentication (MFA)

Requiring multiple factors of authentication greatly reduces the surface area available to attackers by adding a device or proximity factor. However, businesses must balance the security benefits of MFA with the friction caused to the user. If balance isn’t struck, businesses risk this more secure option being skipped and can see churn if made mandatory.

3. Recovery support for account takeovers

The greatest source of frustration and anxiety for consumers who have fallen victim to phishing attacks is the confusion around how to recover accounts, data, and even manage monetary losses that result from the attack. Having robust verification and recovery support can diminish the stress caused by account takeovers.

4. Passkey authentication

Passkeys eliminate password or knowledge factor attacks by replacing the password and phishable forms of 2FA like one-time codes. Security is improved while improving the user experience.

The first three points in the above list are tried and trusted methods businesses have been using for years to protect their customers' most important information. Passkeys, comparatively, are relatively new, but can be one of the most effective ways to protect consumer accounts from outside threats.  

This sounds great, but what are passkeys?

Overview of passkey technology

Passkeys are a new form of passwordless login credential based on a standard by the FIDO Alliance, and backed by large platforms such as Google, Apple, and Microsoft. The core promise of passkeys is better security and a streamlined customer experience. With passkeys, customers can sign into apps and websites without the need for traditional passwords. Instead, passkeys are securely stored on the user's device or platform keychain and unlocked using biometric methods like FaceID or Windows Hello.

How passkeys work

When a customer registers, they're only prompted for their email. The device automatically creates a passkey that uses the existing biometrics on the device like TouchID or FaceID for user verification. All future logins will only require customers to scan biometrics – the authentication service will do all the work detecting the passkey, autofilling, and performing the passkey ceremonies. This process is so simple that Google reports that passkeys are on average 2x faster to login with a 4x success rate. Here is a demo of creating and signing in with a passkey on

Behind the scenes, passkeys utilize public key cryptography. Each website or application has a unique key pair – a private key stored securely on the user's device and a corresponding public key shared with the website. During login, the private key signs a challenge from the website, proving the user's identity, while the website verifies the signature using the public key.

Passkeys build trust between users and online services:

  • Users trust that their credentials can't be tricked, as passkeys require possession of a device, biometric authentication, and only work on specific sites.
  • Services trust authenticated users, allowing them to grant more permissions to customers.
  • Customers can sign in more quickly and accurately, enhancing productivity.

Security advantages of passkeys

In additional to the robustness of public-private key cryptography and on-device biometric verification, passkeys also offer several additional security benefits:

  • Challenge/Response Protocol: Passkeys employ a challenge/response mechanism that makes logins resistant to replay attacks.
  • Domain-Specific: Passkeys are site-specific, reducing the risk of phishing attacks on lookalike domains.
  • No Sensitive Credentials on Servers: Only public keys are stored on your servers, preventing the exposure of sensitive user data.
  • Strong and Unique: Passkeys are machine-generated and unique for each site, rendering AI credential attacks obsolete.

Passkeys are beginning to join the mainstream

In the history of the Internet, there have only been a few innovations that have increased both security and user experience: HTTPS on browsers, disk encryption by default on all operating systems, and Touch ID. However, all of these became widely adopted for the very reason that convenience was built in without anyone having to think about it. Passkeys are the next frontier.

The largest consumer applications in the world are embracing passkeys, with prominent websites such as Google, Instacart, LinkedIn, Paypal, Tiktok, Whatsapp, and X announcing that they’ve either released or are working on passkey support. These rollouts unlock access to passkeys for billions of consumers for use in everyday apps. You can try setting up a passkey today on the sites listed in our Passkeys Directory

Challenges in implementing passkeys

While passkeys hold immense promise for consumer security, their implementation can be challenging, which is why many organizations choose to use a passkey authentication service like Passage by 1Password. The user experience differs significantly across Android, iOS, and web platforms, requiring separate development efforts. Businesses have cited non-descript error messages, incomplete documentation, constant need to update and maintain, and difficulty in detecting edge cases as reasons they haven’t implemented full passkey support. You can read more about the three common mistakes businesses make with passkey implementation on our blog. 

Passage by 1Password allows businesses to support passkeys with just a few lines of code. This offloads the complexity of passkey implementation and maintenance to authentication experts, freeing up precious engineering resources that can be redirected to your core product. Best of all, Passage is transparent to the consumer. Your customers don’t have to be a 1Password customer to benefit from the security and user experience of passkeys. Sign-up today and passkey-enable your app in a matter of minutes.