How the Hospitality Industry can Shift to a Passwordless Future

Eliminating passwords to strengthen security and enhance the customer experience may seem counterintuitive, but it’s a move that can significantly benefit the hospitality industry. Even Google recently announced that it will start phasing out passwords, and instead support passkeys “as an easier and more secure alternative” – a major step that every organization should take. 

Passkeys are an easier, more secure way for users to sign into apps and sites, in the same way they unlock their devices – with a fingerprint, a face scan, or a screen lock PIN – which also make them less vulnerable to cyber attacks like phishing. By moving to passkeys, hotels and hospitality brands advance the protection of customers’ membership and rewards accounts, and also facilitate a more enjoyable on-site experience.

Benefits of Passkeys

The simple premise with passkeys is that ultimately, all devices will be better protected once we no longer rely on passwords. In this sense, a user’s phone becomes a trusted device and the physical hardware on which passkeys are stored. Newer phones already operate in this fashion – with complex PIN codes, fingerprint scanners, and facial recognition to ensure that the device is in the possession of the true owner and is able to store passkeys for other services.

Passkeys can also be shared across devices on the same account. For example, if you’re an Apple user, your passkeys can be shared to devices across your iCloud account. If you lose your phone or have the stomach-turning cracked screen, your passkeys are still accessible from your MacBook or iPad. The steps to transfer keys back to new devices outweighs the hassle of maintaining a password manager for all your various services – and Google, Apple, and other industry leaders are working together to ensure a standard that crosses platforms. 

Why Password Managers are Still Important

The move to passkeys doesn’t mean that password managers will go away anytime soon. In fact, organizations that don’t use password managers are leaving themselves vulnerable to an attack. In this era of remote work and BYOD environments, saving passwords to the browser is a leading cause of initial access by threat actors into corporate environments. Malware that targets browser password files (i.e. Redline, Racoon, Vidar) are continually being improved to evade detection from AV and endpoint protection. Once harvested from a victim’s machine, these files are offered on underground marketplaces for as little as $10. 

Two-factor authentication can help as a second line of defense but it’s not foolproof. For example, Uber admitted in September 2022 that a breach of their systems occurred when a contractor’s passwords were purchased from an underground market, and the attackers were able to social engineer the victim to give up the 2FA code that was sent to their phone. For the near-term at least, hotels and hospitality chains, which are frequent targets of malicious activity, should institute a corporate mandate around password managers to ensure that employees protect their devices and the data in their systems. 

Passkeys over Passwords for Customers’ Peace of Mind

The reasons for moving away from passwords are numerous. A few examples include:

• Over-use of simple passwords makes them easily hacked
• Passwords are easily harvested and sold on underground markets
• Lack of widespread adoption of password managers

Passkeys are good for giving customers peace of mind – and they’re good for business. Take the recent Bonvoy scammer who was arrested at a Marriott property in Florida after he used another customer’s rewards account to make a reservation. As George Clooney once famously said in the movie Up in the Air, “I don't spend a nickel, if I can help it, unless it somehow profits my mileage account.” I can relate to this statement in relation to my own Bonvoy account, which is seemingly protected with a complex password, but that seems to be the only layer of security currently offered. While these accounts don’t hold a lot of monetary value (let’s be honest that awards programs have been nerfed in recent years), they still represent years of loyalty that have been built up. Losing access to one of these accounts and having to start over would be devastating. Passkey protection can offer tremendous benefits here.

Hotels going passwordless also benefits customers’ on-site experience.  For example, many properties now offer guests the ability to log in to their various streaming accounts and enjoy movies and entertainment like they do at home. But there are drawbacks to this. For one, a user’s password is often a long stream of random characters that may be hard to remember, and which then must be entered using the TV remote – an overly cumbersome process. Second, even though the prompt on the TV claims that the guest’s login details are not stored and the session will be closed upon checkout, many people (myself included) don’t trust this process.  

Alternatively, enabling guests to stream from one of their trusted devices through the TV is a relatively easy and more secure option. When I see smart TVs and third-party devices like Chromecast and AppleTV in the room, it puts a smile on my face. And for anyone who travels with an HDMI cable (like me), they can simply unplug the hotel device from the back of the TV and hook up their laptop to stream shows or music on the TV.

A world without passwords may seem hard to imagine, but as Google and others move towards passkeys for better security and ease of use, the rest of us will have to as well. Given the examples above and the issues within the hospitality industry that exist today, a passwordless future can be a good thing - and one that’s not too hard to grasp.