Beyond Passwords: Yubico’s Take on Post-Quantum Security

Nic Sarginson, Principal Product Manager at Yubico, explores how passkeys, hardware security keys and verifiable credentials are reshaping digital identity

Good news for those exhausted by password fatigue: this form of authentication is quickly becoming a thing of the past, because passwords can be compromised quite easily. Or as the saying goes: "Attackers don't hack in, they log in."

Taking that age-old trick out of the bad actors' toolbox is the era of passkeys and hardware security keys, which require verifying both possession and intent.

With AI in the mix, gone are the days when grammar or spelling mistakes made phishing emails easy to spot, which makes phishing-resistant logins a necessity.

Further complicating the security issue, the quantum clock is ticking down. There will come a time when quantum computers will be powerful enough to break current encryption standards.

This necessitates preparation for the move towards post-quantum cryptography.

Speaking with Cyber Magazine, Nic Sarginson, Principal Product Manager at Yubico, explains the nitty-gritty behind these major security movements.

Passkeys are replacing passwords, but what’s the next leap beyond simple login?

The proven, most effective solution to combat stolen and fake identities is the use of verifiable credentials – specifically, strong authentication combined with digital identity verification.

In recent years, passkeys have emerged as a clear successor to passwords and legacy MFA – rapidly becoming the standard for secure, phishing-resistant authentication.

Yubico aims to make the internet safer with modern authentication | Credit: Yubico

While they already provide seamless, secure access for everyday logins, their potential extends beyond this initial use case. As global adoption of passkeys accelerates, they play a growing role in encryption and the protection of digital identities in a post-quantum and AI-driven world.

Ultimately, the adoption of post-quantum cryptography will be an evolution rather than a sudden transition. It will be critical to ensure digital identities remain secure against future quantum threats without sacrificing the usability and trust that have comprised our foundation from the start.

How are hardware security keys evolving from authentication tools to transaction authorisation devices?

Hardware security keys are rapidly evolving beyond their original role in authentication, emerging as powerful tools for transaction authorisation by shifting from identity verification to intent verification.

Traditionally, they have provided high-assurance protection for everyday logins by pairing a public key with an unguessable private key bound to a device.

Nowadays, however, their capabilities extend further, acting as a hardware root of trust for role delegation tokens (RDTs) and high-assurance digital signatures.

By tying sensitive operations directly to a hardware-backed cryptographic signature, these security keys provide proof of personhood and explicit consent for specific actions, like a financial transfer or AI-driven command. 


This closes the ‘accountability gap’ by ensuring that automated agents cannot execute high-consequence transactions without a human in the loop – someone physically touching the key to authorise the unique cryptographic envelope of that specific task.

What does “proving possession and intent” mean in practical security terms?

In practical terms, ‘proving possession and intent’ marks a transition away from legacy authentication methods like easily compromised passwords and SMS-based one-time passwords (OTPs).

Proving possession refers to relying on something the user physically has, such as a hardware security key.

Because these keys are device-bound, remote attackers cannot intercept or steal credentials, meaning only the individual in physical possession of the key can gain access. 

Meanwhile, proving intent involves a deliberate physical action that confirms the user’s identity – for example, touching the security key during authentication.

Together, these factors ensure that even if a user clicks a link to a fraudulent website, authentication will fail because both possession and intent are cryptographically bound to the legitimate domain.
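
The origin and touch checks described in this answer, sketched as relying-party verification logic. This is an added example, not code from the interview or from Yubico; it simplifies WebAuthn (plain string challenge, no CBOR or sign-counter handling), and the key pair, domains and function names are constructed for illustration.

```javascript
// Added example: simplified relying-party checks on a WebAuthn assertion.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Constructed stand-in for a security key. It signs authData || SHA-256(clientDataJSON),
// where clientDataJSON carries the origin the browser actually saw.
function makeAssertion(privateKey, rpId, origin, challenge, userPresent = true) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const flags = Buffer.from([userPresent ? 0x01 : 0x00]); // bit 0 = UP (touch)
  const authData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]); // rpIdHash|flags|signCount
  const signature = sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Server side: returns 'ok' or the reason the login is rejected.
function verifyAssertion(a, { publicKey, rpId, origin, challenge }) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== challenge) return 'challenge mismatch'; // replay
  if (client.origin !== origin) return 'origin mismatch';          // look-alike site
  if (!a.authData.subarray(0, 32).equals(sha256(rpId))) return 'rpId mismatch';
  if ((a.authData[32] & 0x01) === 0) return 'user not present';    // no touch, no intent
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const site = 'https://example.com'; // constructed legitimate origin
  const expected = { publicKey, rpId: 'example.com', origin: site, challenge: 'c2FtcGxlLWNoYWxsZW5nZQ' };
  return [
    makeAssertion(privateKey, 'example.com', site, expected.challenge),
    makeAssertion(privateKey, 'example.com', 'https://examp1e.test', expected.challenge),
    makeAssertion(privateKey, 'example.com', site, expected.challenge, false),
  ].map((a) => verifyAssertion(a, expected));
}

console.log(demo()); // genuine login, look-alike origin, missing touch
```

In a real browser the credential is additionally scoped to the RP ID, so a look-alike domain would not be offered the legitimate site's passkey in the first place; the server-side origin check shown here is the second line of that binding.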

How could passkeys power high-assurance actions like financial transfers or code approvals?

Passkeys are well suited to power high-assurance actions by extending their core security model beyond authentication. This evolution allows the same root of trust used for phishing-resistant logins to provide hardware-tested authorisation for automated and agentic workflows.

In practice, users can approve high-value actions – such as initiating a bank transfer, approving code deployments or closing the accountability gap in AI operations – by simply tapping their hardware security key. 

Yubico at Identiverse 2025 | Credit: Yubico

This process relies on RDTs and the new WebAuthn signing extension, which binds a unique cryptographic signature to a specific transaction payload.

By keeping private key operations local to user-controlled devices rather than in opaque cloud environments, this approach ensures a human-in-the-loop is physically present to authorise high-risk tasks, preventing autonomous agents from executing transactions without explicit, verifiable consent.

How are hardware keys converging with verifiable credentials to enable privacy-preserving digital identity?

Hardware security keys combined with verifiable credentials (VCs) enable robust, privacy-preserving digital identities. While passkeys confirm that a user controls a specific authenticator device, VCs verify attributes such as citizenship, employment status or professional licenses.

Together, they support selective disclosure, allowing users to verify personal details without revealing unnecessary sensitive information.

This convergence is transforming digital wallets into the essential ‘key’ for securing our digital lives. As these wallets aggregate high-value attributes, anchoring them to a physical hardware key becomes critical.

This ensures identities remain under the user’s sole control, protected by a hardware-bound root of trust that cannot be remotely intercepted or duplicated.


To advance this, collaborations are underway to develop and enhance systems like wwWallet – the first passkey-enabled digital identity wallet for the web.

The result is a single hardware key that supports both strong, phishing-resistant authentication and selective identity disclosure in one simple, familiar motion, ensuring sensitive operations remain securely tied to a physical device.

Why is crypto-agility critical in the move toward post-quantum-resistant security?

Moving towards post-quantum cryptography requires crypto-agility as adapting security systems to withstand future quantum computer attacks is both complex and time-consuming.

The industry’s commitment to crypto-agility ensures that protocols and products can be updated securely and methodically, avoiding the poor security outcomes that have historically resulted from rushed cryptographic transitions.

While progress is being made on standards, significant work is needed to implement post-quantum solutions effectively across elements like attestation, PIN protocols and registration user experiences. 

Furthermore, post-quantum algorithms involve more complex mathematics and have significantly larger footprints, meaning retrofitting them onto today’s existing security keys is not an option.

Because entirely new hardware and further maturity in industry standards are needed to support these advanced algorithms, a strong crypto-agile approach is essential for a smooth and secure rollout of post-quantum-resistant authentication. 
