Alkmaar Municipality Goes Passwordless with Passkeys

by Chief Editor

The era of the forgotten password and the dreaded “mandatory reset every 90 days” is drawing to a close. For years, the tension between security and convenience has been a constant struggle for IT departments. However, a shift toward passwordless authentication—specifically through the use of passkeys—is fundamentally changing how we protect digital identities.

The municipality of Alkmaar has emerged as a pioneer in this space, becoming the first municipality in North Holland to implement passkeys for employee logins. By moving away from traditional credentials, they aren’t just updating their software; they are redesigning their entire security posture to eliminate the most common vulnerabilities used by cybercriminals.

The Death of Phishing: Removing the Attack Surface

Most cyberattacks don’t “break” into a system; they “log in” using stolen credentials. Phishing and “Adversary-in-the-Middle” attacks rely on tricking users into revealing passwords or intercepting them during the login process. Passkeys neutralize this threat entirely.


Unlike a password, which is a shared secret, a passkey uses a cryptographic key pair: a public key stored on the server and a private key stored securely on the user’s device (such as a smartphone, laptop, or physical security key). Authentication succeeds only when the device proves it holds the private key by signing a fresh challenge from the server, which the server checks against the stored public key; the private key itself is never transmitted.

Pro Tip: When evaluating security tools, look for those based on FIDO2. Because it is a set of open standards, it ensures that your passwordless transition isn’t locked into a single vendor, allowing for a more flexible and resilient ecosystem.

Rick Meints, Chief Information Security Officer (CISO) at the municipality of Alkmaar, notes that this method effectively closes the door on hackers. “By implementing passkeys, we remove that attack surface for criminals in one go,” Meints explains, highlighting that because the credential is bound to the specific device and to the website it was registered for, an attacker cannot simply sit in the middle of the connection to steal access.

Beyond Security: Security as a User Experience

For too long, information security has been viewed as a series of hurdles—restrictions that slow down employees and hinder productivity. The transition in Alkmaar demonstrates that high security can actually improve the user experience.


By removing the need to memorize complex strings of characters or manage tokens, the technology “unburdens” the employee. Michiel Koster, Director of Operations and Services at the municipality of Alkmaar, argues that this shift changes the perception of security. “Information security is sometimes seen as restrictive, but ultimately it is a tool for municipalities to provide reliable services,” Koster states.

The result is a streamlined morning routine: employees log into their work environment using tools like Windows Hello or the Microsoft Authenticator app, proving their identity in seconds without typing a single password.

Did you know? Passkeys are considered a form of phishing-resistant multi-factor authentication (MFA). This represents not just a “nice-to-have” feature but is becoming a requirement in government frameworks, such as the Baseline Information Security Government (BIO).

The “Device Bound” Strategy: Solving the Loss Problem

A common concern with passwordless systems is: “What happens if I lose my phone or my laptop breaks?” While this is a valid concern for general consumers, enterprise-level implementations use a more rigid approach known as “device bound.”

According to the National Cyber Security Center (NCSC), binding the passkey to the hardware prevents the key from being easily moved or exchanged, which would otherwise create a novel security risk. In a professional environment, if a device is lost or stolen, the event is registered as a security incident, and the keys are simply regenerated for a new device.

Future Trends in Public Sector Authentication

  • Standardization via Legislation: With the Cyber Security Act (Cbw) emphasizing risk management, more organizations will likely adopt passkeys to meet legal security benchmarks.
  • Phased Migration Models: The “Alkmaar model”—combining clear communication, a dedicated support team, and a hard deadline—is likely to become the blueprint for other government agencies.
  • Integration of Physical Keys: While software-based keys (biometrics/PINs) are popular, the use of physical authentication keys will increase for high-privilege accounts to ensure maximum isolation.

For more insights on securing your organization, explore our guide on modern MFA strategies or read about the evolution of FIDO2 standards.

Frequently Asked Questions

What exactly is a passkey?
A passkey is a cryptographic credential consisting of a public key (on the website) and a private key (on your device). It allows you to log in without a password using biometrics, a PIN, or a hardware key.

Are passkeys safer than traditional passwords?
Yes. Because they are phishing-resistant and do not rely on a shared secret that can be stolen or guessed, they eliminate the primary vectors used in Adversary-in-the-Middle attacks.

Do I need a specific brand of device to use passkeys?
No. Passkeys are based on FIDO2 open standards, meaning they can work across various operating systems and devices, while specific implementations (like Windows Hello) may vary by provider.

Join the Conversation

Is your organization moving toward a passwordless future, or are you still battling the “password reset” cycle? Share your experiences in the comments below or subscribe to our newsletter for the latest in cybersecurity trends.
