Artificial intelligence (AI) is already being employed by bad actors to increase the sophistication and targeting of phishing, account takeovers, and credential stuffing attacks. This trend makes it even more important for businesses to secure themselves and their users. In this guide, we look at examples of how AI-fueled attacks are developing and provide ideas on how businesses can protect themselves and consumers.
With new AI capabilities reaching the market, the goal post for security will continue to shift. We already know AI has altered the security landscape in three key areas:
A report from Home Security Heroes used a model called PassGAN to crack 51% of common passwords in under a minute, with that number rising to 80% over a month. While the time to crack increases exponentially with the length of a password, many consumers tend to lean towards shorter, easy-to-remember passwords. These statistics highlight the need for authentication methods that protect consumers against password attacks.
Researchers at Cornell University published a paper that shows an AI model trained to eavesdrop on users’ keystrokes can derive passwords from audio with an astonishing accuracy rate of 93%. This form of attack can’t be mitigated with longer or more complex passwords, thus increasing the risk of entering credentials in public spaces or on a call.
The leaps in productivity driven by advancements in LLMs can also give leverage to malicious actors. Phishing attacks have been increasing in frequency and sophistication, making it increasingly challenging to distinguish between genuine and fraudulent communications. This makes consumers more susceptible to account takeovers and credential stuffing attacks across all of their services.
Customers expect the information they share with businesses to be protected by the highest security standards. Here are a few best practices businesses should follow to keep their customers secure:
Most consumer apps today offer educational content and in-product reminders to improve awareness of security risks, and provide a way to report suspicious activity. Common phishing scams are often detectable if a consumer pauses to consider them, but typically are overlooked when a consumer is in a rush or trying to get a job done.
Requiring multiple factors of authentication greatly reduces the surface area available to attackers by adding a device or proximity factor. However, businesses must balance the security benefits of MFA with the friction caused to the user. If balance isn’t struck, businesses risk this more secure option being skipped and can see churn if made mandatory.
The greatest source of frustration and anxiety for consumers who have fallen victim to phishing attacks is the confusion around how to recover accounts, data, and even manage monetary losses that result from the attack. Having robust verification and recovery support can diminish the stress caused by account takeovers.
Passkeys eliminate password or knowledge factor attacks by replacing the password and phishable forms of 2FA like one-time codes. Security is improved while improving the user experience.
The first three points in the above list are tried and trusted methods businesses have been using for years to protect their customers' most important information. Passkeys, comparatively, are relatively new, but can be one of the most effective ways to protect consumer accounts from outside threats.
Passkeys are a new form of passwordless login credential based on a standard by the FIDO Alliance, and backed by large platforms such as Google, Apple, and Microsoft. The core promise of passkeys is better security and a streamlined customer experience. With passkeys, customers can sign into apps and websites without the need for traditional passwords. Instead, passkeys are securely stored on the user's device or platform keychain and unlocked using biometric methods like FaceID or Windows Hello.
When a customer registers, they're only prompted for their email. The device automatically creates a passkey that uses the existing biometrics on the device like TouchID or FaceID for user verification. All future logins will only require customers to scan biometrics – the authentication service will do all the work detecting the passkey, autofilling, and performing the passkey ceremonies. This process is so simple that Google reports that passkeys are on average 2x faster to login with a 4x success rate. Here is a demo of creating and signing in with a passkey on Kayak.com:
Behind the scenes, passkeys utilize public key cryptography. Each website or application has a unique key pair – a private key stored securely on the user's device and a corresponding public key shared with the website. During login, the private key signs a challenge from the website, proving the user's identity, while the website verifies the signature using the public key.
Passkeys build trust between users and online services:
In additional to the robustness of public-private key cryptography and on-device biometric verification, passkeys also offer several additional security benefits:
In the history of the Internet, there have only been a few innovations that have increased both security and user experience: HTTPS on browsers, disk encryption by default on all operating systems, and Touch ID. However, all of these became widely adopted for the very reason that convenience was built in without anyone having to think about it. Passkeys are the next frontier.
The largest consumer applications in the world are embracing passkeys, with prominent websites such as Google, Instacart, LinkedIn, Paypal, Tiktok, Whatsapp, and X announcing that they’ve either released or are working on passkey support. These rollouts unlock access to passkeys for billions of consumers for use in everyday apps. You can try setting up a passkey today on the sites listed in our Passkeys Directory.
While passkeys hold immense promise for consumer security, their implementation can be challenging, which is why many organizations choose to use a passkey authentication service like Passage by 1Password. The user experience differs significantly across Android, iOS, and web platforms, requiring separate development efforts. Businesses have cited non-descript error messages, incomplete documentation, constant need to update and maintain, and difficulty in detecting edge cases as reasons they haven’t implemented full passkey support. You can read more about the three common mistakes businesses make with passkey implementation on our blog.
Passage by 1Password allows businesses to support passkeys with just a few lines of code. This offloads the complexity of passkey implementation and maintenance to authentication experts, freeing up precious engineering resources that can be redirected to your core product. Best of all, Passage is transparent to the consumer. Your customers don’t have to be a 1Password customer to benefit from the security and user experience of passkeys. Sign-up today and passkey-enable your app in a matter of minutes.