Make your agency more phishing-resistant in 2026
By Bryan Johnson, IT Director, Alliant National Title Insurance Company
Keeping your agency’s data and digital assets safe these days can often feel like a never-ending battle. Unlike you and your team, fraudsters and other criminals never take a day off. They don’t go on vacation, and they never get sick. Because of this, your agency needs a cybersecurity policy that is also always-on. While this requires many moving pieces all working harmoniously together, today we are going to focus on just one important element: passkeys.
What are passkeys and why do they matter?
You may already be familiar with passkeys. If you have an iPhone, you may have seen prompts to save a passkey for a supported app or website. If you choose to do so, you often won’t need to enter your password again on that device. Instead, you approve the sign-in with Face ID, Touch ID, or your device passcode, and the passkey authenticates you to the app or site.
Passkeys use what is known as “public-key cryptography.” In plain English, that means that passkeys create two linked digital keys—a public key, stored by the website or app, and a private key, which stays safely on your device. These keys work together upon sign-in to verify your access, all while never exposing a password that a hacker can pick off and weaponize.
This is obviously a nice thing for consumers from a convenience perspective, but passkeys also hold numerous security advantages. Traditional passwords are more vulnerable to thieves because users often reuse them across sites—making them easier to guess. Passkeys, on the other hand, cannot be reused, rendering that security concern irrelevant.
In addition, passkeys are never “housed” in the systems of a website or app. They stay safe on your local machine. This means that even if a company experiences a data breach (an all-too-common occurrence these days) there will be no sensitive user information to steal.
Perhaps most importantly, passkeys greatly reduce the prospect of a user getting “phished” by a criminal. Phishing is one of the most common cybersecurity concerns out there. It works so well because human error often happens online and hackers have gotten very, very good at tricking people into handing over their sensitive information.
Passkeys largely negate that concern. If a cybercriminal tricks someone into going to a fake website, for example, a user’s passkey will not work on it. Or to put it another way, with passkeys, users are not at risk of accidentally giving away a reusable asset that can be exploited. In fact, they are not giving away an asset at all, but half an asset that requires the other key to work.
Make passkeys central to your cybersecurity approach
Clearly, passkeys can be just as valuable to businesses as they are to individual users, especially businesses like title agencies that must routinely protect sensitive data and user information. There are multiple systems and touchpoints where deploying this technology would reinforce your overall security posture, such as employee email, escrow and transaction systems, document portals, and any client-facing accounts where closing information may be shared.
Once you’ve made the decision to deploy passkeys, the best way to start is with the systems you are using every day. Many agencies, for example, use some variation of Microsoft 365 or Google Workspace to handle employee emails and other business applications. Within these platforms, you can turn on passkey support and then start testing internally to see how it works. Once you get the lay of the land, you can expand it throughout the rest of your team.
You can, of course, build your own system, but it is generally not recommended unless you have strong identity management experience on staff. Creating your own passkey server can be expensive and time-consuming, and unless you know exactly what you’re doing, it can lead to a critical security incident.
Taking the bait
Our digital-first world is an amazing place, but it can also be a fatiguing one. While people can and must take breaks, our security systems cannot afford to. The criminals and hucksters out there are always circling, looking for a weak point in your defenses. While passkeys can’t keep all these threats at bay on their own, they can do a lot of good. Passkeys eliminate some of the most common methods thieves utilize to attack your team, harm your agency and steal your data. They disrupt routine phishing methods. And they ensure that even if you wind up taking their bait once in a while, there is nothing worth reeling in.
