Passkeys To The Rescue?



Despite widespread communication efforts on password safety, most of us remain sloppy, preferring patterns and words that are easy to remember over best practices in password hygiene. Techies say help is on the way via passkeys, which are likely to replace passwords—and better protect our accounts.


Ugh! Another Password…

Password fatigue is real, and poor password hygiene endangers the money and data in our accounts, while making the jobs of cybercriminals easier. For retirement plan sponsors, disseminating information on the proper use of passwords has become an especially pressing concern, since the Department of Labor has advised sponsors to ensure that Online Security Tips are properly communicated to all plan participants. (Hopefully, you’ve been keeping records of having done so!)


Amid efforts to ratchet up cyber vigilance for retirement plans, some experts point out:

“The biggest risk in securing retirement plan participants’ data from cyber threats may not arise from any technological or design flaw. For many plan sponsors looking to boost security, the greatest challenge could lie in motivating individuals to take the necessary steps to guard against potential fraud.” When it comes to inspiring better cyber habits among employees and participants, good metaphors can be very useful, and a retirement industry executive suggests this one: “When you think about the retirement savings account, for most people this is their largest asset outside their home….With your home, it’s much easier to physically secure and monitor, and then you go to assets in a plan, and you almost have to take as much care as you do to secure your home as you do when thinking about your retirement assets.”


Understanding Passkeys

Wirecutter reports that help for poor password practices is on the way, in the form of passkeys, which are gaining traction and are predicted to become a “ubiquitous” replacement for passwords over time. So what exactly is a passkey? Experts share this overview:


It might be best to think of a passkey as a “password 2.0”—a passkey is functionally the same as the username-and-password combination you’re used to, just without, well, an actual password. Instead, each account you have is linked to a key on a device, such as an iPhone or Android phone. On a technical level, your device uses what’s known as asymmetric cryptography (or public key cryptography) to register a public “key,” which is then stored on a website for which you have an account alongside a private key that’s stored only on your device; your device creates a new private key for each site you register. When you log in to the website, it checks with your device to see if the two keys match. To grant the website access to that key, you have to authenticate with whatever means you use to unlock your device, such as a fingerprint, your face, or a PIN.


Although passkeys sound complicated, developers, like Derek Hanson of Yubico, assure us they won’t be: The end goal is for the experience of logging in with a passkey to be easier than doing so with a username and password, and for it to work almost like shopping using a credit card, “where the experience is more or less the same everywhere you go….” Noting that the full shift to passkeys will be worth it, Wirecutter reports:


Experts predict that they are the future. The login process will standardize over time, and passkeys are expected to be implemented more seamlessly over the next year or so. When they work correctly, it feels a little like magic: The login process is smooth and fast, and account creation is less cumbersome than it is with usernames and passwords. There’s no real downside to trying out a passkey login when you come across one, and if you’re willing to put up with a little troubleshooting, you’ll be on the edge of what feels like an inevitable change.


Good To Know

Passkeys are considered better than passwords because they address two of the biggest dangers associated with passwords: data breaches and phishing. That’s certainly good news for retirement plans—and those responsible for their security. As experts explain:


Passkeys aren’t reused across sites like passwords often are, so stolen credentials do less damage. And since one side of the key is linked to the web-based service itself, it can protect against phishing attempts, because your device should recognize a phishing website as a fake. Passkeys aren’t perfect, but they are expected to be an improvement over the status quo.

“There’s no password attacks when there’s no password present,” Microsoft’s Weinert said. “I’m hugely hopeful about the ability for this to get us to a new era in terms of end-user security.”

In the long run, passkeys will be easier and safer for website operators, too, as they will no longer need to store passwords, which means they won’t need to worry about password-database breaches (though they’ll still need to secure the rest of the data they collect).


Better protection is a great thing, so retirement plan sponsors will want to stay abreast of the shift to passkeys—and monitor changes and protocols put into place by third party administrators. Don’t forget: the Department of Labor’s Cybersecurity Guidance explicitly directs plan sponsors to check on the cybersecurity protocols of all service providers—and failure to do so can result in allegations of fiduciary breaches.

Legal experts additionally advise retirement plan sponsors to put cyber breach response plans in place and adhere closely to all of the other Cybersecurity Program Best Practices prescribed by the Department of Labor.


Across the country, plan sponsors and their third party administrators are getting expert response plans in place quickly and efficiently, via Colonial Surety’s affordable Cyber + Fiduciary Liability package, which includes:


  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call Center services.
  • Credit and identity monitoring.


Available with just a one year commitment, Colonial’s Cyber-Fiduciary Package, also covers defense costs and penalty limits up to $1,000,000, if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan. Colonial makes it so efficient and reasonable that protection can be secured in minutes, now:


Cyber and Fiduciary Liability Insurance Here.


Pension plan professional? Colonial can help you make sure your plan sponsor clients have the coverage they need—and we’ve got you too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance–and more, we’re HERE with the coverages pension professionals need to keep the business going—and growing.


Insurance for Pension Professionals Right Here.


Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.