Connected devices power modern industries, but passwords leave them exposed. Niall McConachie, regional director (UK & Ireland) at Yubico writes that passkeys offer stronger, phishing-resistant authentication, helping manufacturers secure data, meet regulations, and build lasting user trust.
The Internet of Things (IoT) is transforming our most vital industries, from healthcare – where hospitals and clinics use patient monitors and smart diagnostic equipment – to agriculture, where smart sensors optimise irrigation and monitor crop health. However, this wave of innovation has brought with it significant security challenges.
For example, a recent report sent a concerning message to healthcare institutions: more than a million medical devices connected to the internet are improperly secured. Having so many unsecured devices leaves a backdoor wide open for cybercriminals to access and steal confidential medical records.
This startling revelation highlights a dangerous overreliance on an outdated authentication method that is simply not equipped for the modern threat landscape – the password. Demonstrating just how prevalent this frightening overreliance is, Yubico’s recent survey revealed usernames and passwords remain the most common way for users to log in to both their work (56 percent) and personal accounts (60 percent) – despite being inherently insecure.
Meanwhile, the report from Modat found that weak, factory-set passwords remain a common vulnerability for these critical devices, a practice that persists even after UK regulations were introduced to ban them. Clearly, there is a worrying disconnect between policy and the operational choices of some device manufacturers.
As industries increasingly integrate connected technologies, it is the manufacturers on the frontline who bear the responsibility for building in security from the ground up.
Passwords: past their use-by date
For years, passwords have been the default for digital security, but they are no longer fit for a world where cyberattacks are powered by sophisticated technology. Criminal organisations now weaponise artificial intelligence (AI) to craft phishing attempts that are nearly indistinguishable from legitimate correspondence, making it easier than ever to trick staff into revealing login details.
Even strong, unique passwords can be compromised through data breaches or clever social engineering. Once an attacker has a password, they can often sidestep traditional multi-factor authentication (MFA) methods like one-time passwords (OTPs).
With a staggering 81 percent of hacking-related breaches linked to weak or reused credentials, it’s clear that building devices that rely on better password habits is a failing strategy. The time has come for manufacturers to lead the move to a more secure future.
Defending data through phishing-resistant authentication
In response to this escalating risk, a worldwide shift away from passwords and towards more robust technologies is gaining momentum. The clear successor to the password is the passkey, which is quickly becoming the new gold standard for secure authentication. This transition is being endorsed at the highest levels – the UK Government is in the process of adopting passkeys for its own digital services, recognising their superior security and long-term cost effectiveness.
So, what makes a passkey different? In its most secure form, a device-bound passkey is not a secret you remember, but a physical token you possess. The passkey is stored on a physical device like a hardware security key, and is resistant to phishing attacks – meaning it cannot be intercepted or stolen by remote attackers.
This is because it does not require users to recall or manually enter long sequences of characters that can be forgotten, stolen or phished – instead, a passkey combines three elements: something the user possesses (the physical key), something the user knows (a PIN), and something that verifies the identity of the individual authorised to gain access (a physical touch of the key).
Physical passkey authentication is simple and strong, typically requiring a user to insert the key and touch it, sometimes in combination with a PIN. This method provides a powerful defence against phishing. For instance, if a healthcare worker is fooled by a phishing email and is directed to a fraudulent login page, the passkey will not authenticate the login attempt. The login fails because the credential is bound to the legitimate site's domain, so the key will not sign in for a look-alike address, stopping phishing attempts in their tracks. For IoT manufacturers, building this capability into devices is a crucial step to maintaining user security and trust.
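The origin binding described above, reduced to its essentials as an added example (not code from the article or from Yubico): the browser, not the web page, tells the security key which site (rpID and origin) a login is for, the key signs those values together with the site's fresh challenge, and the service rejects any reply made for a different site. Domains and the challenge strings are constructed for the example; Ed25519 stands in for the credential's key pair.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the WebAuthn CollectedClientData fields that matter here.
type clientData struct { Type string `json:"type"`; Challenge string `json:"challenge"`; Origin string `json:"origin"` }

// assertion is the key's reply: authData plus a signature over authData || SHA-256(clientDataJSON).
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// sign models the security key. The browser supplies rpID (the origin's effective
// domain) and origin, so a phishing page cannot ask the key to sign for the real site.
func sign(priv ed25519.PrivateKey, rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	h, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	authData := append(h[:], 0x01) // rpIdHash || flags (UP: the user touched the key)
	return assertion{authData, cd, ed25519.Sign(priv, append(append([]byte{}, authData...), ch[:]...))}
}

// verify models the relying party: it accepts only a reply made for its own rpID and origin that answers its fresh challenge.
func verify(pub ed25519.PublicKey, rpID, origin, challenge string, a assertion) error {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("malformed reply, wrong type or stale challenge")
	}
	if cd.Origin != origin { // the phishing case: the key signed for the wrong site
		return fmt.Errorf("origin %q is not %q", cd.Origin, origin)
	}
	want, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(a.ClientDataJSON)
	if len(a.AuthData) < 33 || string(a.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ed25519.Verify(pub, append(append([]byte{}, a.AuthData...), ch[:]...), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() { // constructed domains: the real service and a look-alike phishing site
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := sign(priv, "hospital.example", "https://hospital.example", "c1")
	phish := sign(priv, "hospital-login.example", "https://hospital-login.example", "c1")
	fmt.Println(verify(pub, "hospital.example", "https://hospital.example", "c1", good), verify(pub, "hospital.example", "https://hospital.example", "c1", phish))
}
```

The same check also refuses a replayed reply (stale challenge) and a tampered signature, which is why a password-style credential theft has nothing to reuse.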
However, a truly effective security strategy goes beyond the technology itself. Manufacturers must design their products to promote a security-first mindset across the entire user lifecycle. This means creating a secure, phishing-resistant enrolment process to ensure safe device setup, reinforced by continually using passkeys for seamless, protected authentication.
Security by design: the manufacturer’s responsibility
Adopting modern authentication technology like passkeys requires a concerted effort, with device manufacturers taking the lead. It is no longer enough to treat security as an afterthought; organisations need a comprehensive strategy that eliminates weak links, from initial account setup to daily logins and account recovery. The responsibility starts with building high-assurance security into devices from the ground up.
For manufacturers, this represents a significant opportunity. While there is an upfront investment, the cost of integrating modern authentication is minimal compared to the catastrophic financial and reputational fallout from a data breach linked to a product vulnerability. Offering phishing-resistant security by design is a powerful competitive differentiator, helping manufacturers stay ahead of evolving compliance regulations and building long-term trust amongst customers.
Cybercriminals will always be on the hunt for new vulnerabilities, and no industry connected by IoT devices can afford to be an easy target. By leaving passwords behind and embracing phishing-resistant authentication as a core design principle, IoT manufacturers can safeguard their customers, build public trust, and create a more secure foundation for the future of connected technology.
About the author: Niall McConachie is Regional Director (UK & Ireland) at Yubico AB. He previously served as Sales Manager UK & IRL Banking & Consumer Authentication at HID Global.