About Stolen Data and Spying Keyboards


26.09.2025

Technological progress plays into the hands of cyber attackers, whose attacks cause huge financial losses every year. At TITANS, we have summarised several security trends, such as passkeys and biometric factors, as well as overlooked threats that are worth avoiding.

Why would attackers bother hacking your computer when they can simply log in?

Stolen login credentials are among the most common vectors of cyber attacks that successfully compromise system security. While in the past, hackers needed 16 hours to create a convincing phishing email to gain access to a user account, today AI can do it in 5 minutes.

It is just as easy for them to refine and mass-produce highly personalised emails, photos, voices, and videos that mimic real people or brands, which makes their scams all the more difficult to detect. On average, attackers used AI in 16% of data security incidents, most often in the form of phishing (37%) and deepfake attacks (35%). Social engineering, data leaks, and malware also help them obtain weak authentication data such as passwords.

“Attackers then use bots to automate mass login attempts to various services, hoping that people have used the same credentials across them,” says Jeremy D’Hoinne of Gartner.

The time it takes to exploit account vulnerabilities will be cut in half by 2027.

A mobile phone display showing four received phishing messages. Passkeys are resistant to phishing.

Experts recommend passkeys

However, modern authentication methods that are resistant to phishing, such as passkeys, can reverse the situation. By eliminating the vulnerability of traditional passwords and single-use codes, they make it much more difficult for attackers to misuse login credentials.

Passkeys are based on web authentication technology. When a passkey is created, two different keys are generated: a public key stored on the website or service where you have an account, and a private key that stays on the device you use to verify your identity. This allows you to log in using physical biometric factors such as your face or fingerprint.
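The key-pair login described above, as an added example that is not part of the original article: a simplified challenge-response in Node.js showing why a response signed on a look-alike site, or replayed later, is rejected. It is not the real WebAuthn message format, and the origins and function names are hypothetical.

```javascript
// Added example: simplified passkey-style login, not the real WebAuthn format.
const nodeCrypto = require("node:crypto");

// Registration: the device generates a key pair and hands over only the public key.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

// Server: a fresh random challenge per login attempt makes old responses useless.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString("hex");
}

// Device: signs the challenge together with the origin the browser is really on.
// (Real authenticators also refuse to offer a passkey to a non-matching site.)
function signAssertion(privateKey, browserOrigin, challenge) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Server: accept only the expected challenge and origin, signed by the stored key.
function verifyAssertion(publicKey, expectedOrigin, expectedChallenge, assertion) {
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge || origin !== expectedOrigin) return false;
  return nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const site = "https://bank.example";        // constructed origins
  const phish = "https://bank-login.example";
  const { publicKey, privateKey } = createPasskey();

  const c1 = newChallenge();
  const login = signAssertion(privateKey, site, c1);
  const genuine = verifyAssertion(publicKey, site, c1, login);

  // A phishing page relays a real challenge, but the signed origin is its own.
  const c2 = newChallenge();
  const phished = verifyAssertion(publicKey, site, c2, signAssertion(privateKey, phish, c2));

  // Replaying the earlier response against a new challenge fails too.
  const replayed = verifyAssertion(publicKey, site, newChallenge(), login);
  return { genuine, phished, replayed };
}
console.log(demo());
```

Unlike a password or one-time code, nothing the user can be tricked into typing exists here: the server never holds a secret, and the signed origin is supplied by the browser rather than the page.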

In addition, Microsoft reports that using passkeys for login has a 98% success rate, compared to only 32% for password-based accounts.

According to Akif Khan of Gartner, given the growing threat of more sophisticated cyberattacks, security leaders should accelerate the transition to passwordless, phishing-resistant multi-factor authentication. Not only account theft, but also more technologically advanced social engineering poses a significant risk to businesses. Gartner predicts that by 2028, 40% of such attacks will target company executives and the broader workforce.

“Organisations will need to keep pace with market development and adjust their procedures and workflows to be more resilient to attacks that use fraudulent techniques,” said Manuel Acosta of Gartner. “A key step is to educate employees about the changing threat landscape through training focused on social engineering and deepfakes.”

It should not be forgotten that AI agents are beginning to play an increasingly important role in organisations’ operations, so their identities must be protected as rigorously as those of humans. Up to 97% of security incidents involving company AI were targeted at systems without proper access controls.

A piece of paper attached to a laptop with a password written on it. Passkeys eliminate the vulnerability of traditional passwords and one-time codes.

Why passkeys are only one of the necessary measures

So what would be the ideal form of protection? The combined use of passkeys and behavioural biometrics. Using AI and ML, behavioural biometrics continuously analyses unique patterns in user activity and creates models of their typical behaviour. This includes, for example, characteristic mouse movements, touchscreen usage, typing speed, mobile phone position, and IP address.

The system then compares all of this with the current behaviour of the person using the device to verify their identity. If it detects any deviations from normal behaviour, it flags this as suspicious activity and blocks the user’s authentication.

While physical biometric factors are passive, based on unchanging characteristics, and usually checked only once at the beginning of a session, behavioural biometrics is something completely different. It is active and monitors the user continuously throughout the entire session.

It is commonly used as part of an adaptive authentication system that changes verification requirements based on the security context. For example, if a user logs in from their usual IP address, it may be sufficient to enter only a password. However, if they log in from an unexpected address, the system may require them to enter their password and scan their fingerprint.
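The behavioural comparison and the IP-based step-up described above, sketched as an added example that is not part of the original article. The feature names, the z-score threshold, the IP addresses and the session values are all constructed assumptions; a production system would use far richer models.

```javascript
// Added example: adaptive authentication with a behavioural baseline.
// Feature names, thresholds, IPs and sample values are constructed assumptions.

// Per-user model: mean and standard deviation of each behavioural feature.
function buildBaseline(sessions) {
  const model = {};
  for (const feature of Object.keys(sessions[0])) {
    const values = sessions.map((s) => s[feature]);
    const mean = values.reduce((a, b) => a + b, 0) / values.length;
    const variance = values.reduce((a, v) => a + (v - mean) ** 2, 0) / values.length;
    model[feature] = { mean, std: Math.sqrt(variance) || 1 }; // avoid divide-by-zero
  }
  return model;
}

// Largest z-score over all features: distance of current behaviour from typical.
function deviation(model, current) {
  const scores = Object.keys(model).map(
    (f) => Math.abs(current[f] - model[f].mean) / model[f].std);
  return Math.max(...scores);
}

// Policy from the text: deviation blocks; an unexpected IP demands a second factor.
function decide(ctx, model, usualIps, blockAbove = 4) {
  // Written as !(z <= limit) so a missing feature (NaN) fails closed.
  if (!(deviation(model, ctx.behaviour) <= blockAbove)) {
    return { action: "block", factors: [] };
  }
  if (!usualIps.has(ctx.ip)) {
    return { action: "step-up", factors: ["password", "fingerprint"] };
  }
  return { action: "allow", factors: ["password"] };
}

function demo() {
  const history = [ // constructed past sessions for one user
    { keyIntervalMs: 180, mousePxPerSec: 420 }, { keyIntervalMs: 190, mousePxPerSec: 400 },
    { keyIntervalMs: 175, mousePxPerSec: 440 }, { keyIntervalMs: 185, mousePxPerSec: 410 },
    { keyIntervalMs: 170, mousePxPerSec: 430 },
  ];
  const model = buildBaseline(history);
  const usualIps = new Set(["203.0.113.10"]);
  const typical = { keyIntervalMs: 182, mousePxPerSec: 415 };
  const odd = { keyIntervalMs: 95, mousePxPerSec: 900 };
  return [
    decide({ ip: "203.0.113.10", behaviour: typical }, model, usualIps).action,
    decide({ ip: "198.51.100.7", behaviour: typical }, model, usualIps).action,
    decide({ ip: "203.0.113.10", behaviour: odd }, model, usualIps).action,
  ];
}
console.log(demo());
```

Calling `decide` on each new batch of measurements during a session, rather than only at login, gives the continuous monitoring the text attributes to behavioural biometrics.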

In addition to strengthening organisations’ data protection and fraud prevention measures, behavioural biometrics has other uses. It can speed up and secure financial services transactions and detect accounts that are used to hide and transfer money for illegal purposes. Because it is non-intrusive and requires no additional effort on the part of the user, it helps ensure a seamless experience for employees and customers.

A man logging in by scanning his face. Passkeys and behavioral biometrics are the ideal protection system.

The cost of shadow AI

More than half of the organisations in this year’s survey said they are still recovering from a data breach. As many as 76% of companies that have fully recovered said it took them more than 100 days to do so.

And since AI is being implemented faster than security and oversight measures can be put in place, it remains largely uncontrolled. As a result, 20% of the organisations surveyed by IBM this year suffered security breaches due to incidents related to shadow AI. This term refers to AI that is used without the consent or oversight of the employer.

When organisations had high levels of shadow AI, their financial losses from data breaches increased by an average of $670,000. These incidents also led to the compromise of more personal identification data and intellectual property data. The study found that a single unmonitored AI system can cause a massive leak of sensitive information.

However, the widespread use of AI and automation in organisations has also brought good news. The time needed to identify threats and to stop security breaches has been reduced by an average of 80 days, which has also decreased financial losses.

Similar security tools can relieve overburdened IT teams, and so can outsourcing work to freelance specialists. The lack of cybersecurity experts has long been a major problem for the sector. According to this year’s report, up to 48% of organisations suffered from a severe shortage of security experts, which increased their average financial losses from cyber attacks to $5.22 million.

However, companies with little or no talent shortage had to sacrifice “only” $3.65 million. IT outsourcing gives brands access to the key expertise and skills that an experienced freelancer brings to the team.
