Passkey

Passkey represents a groundbreaking advancement in online security. It is an alternative to traditional passwords, offering a more secure and user-friendly authentication method. Unlike passwords, which can be cumbersome and susceptible to various security risks such as phishing and theft, passkeys rely on biometric authentication (like fingerprint or facial recognition) or a PIN or swipe pattern for access. 

Passkeys operate on a sophisticated cryptographic framework consisting of a private and a public cryptographic key. The service provider securely stores the public key, while the private key remains locally on the user's device, ensuring robust security measures. This setup enhances security by minimising the risk of interception or compromise of sensitive authentication data.

To use a passkey, users must enable an authenticator, which can be their smartphone, computer, tablet, browser, or a dedicated password manager. Once set up, users can seamlessly access their accounts without the hassle of remembering passwords. During the login process, the account server sends a challenge to the authenticator, which then utilises the stored private key to solve the challenge and confirm the user's identity, a process known as "signing" the data.

By offering a passwordless login experience, passkeys eliminate many risks associated with traditional password-based authentication methods. This advancement enhances security, improves convenience, and provides a streamlined user experience across various devices. Passkeys represent a significant step towards a password-free future, ushering in a new era of online security.

How does a passkey work?

A passkey operates as an advanced password form, revolutionising how user identities are verified during sign-up and login processes. Unlike traditional passwords, passkey work through a unique cryptographic system.

When a user signs up for a service supporting passkey authentication, two keys are generated: public and private keys. The public key is stored on the website's server, while the private key remains on the user's device, be it a phone, tablet, desktop, or laptop. With both keys, the authentication process is successful.

During login, the server sends a request to the user's device, which responds with the related passkey. The user's identity is also verified on the device level through biometrics. If the pair of keys match, access to the account is granted.

Passkeys are widely regarded as more secure and convenient than passwords since they mitigate the risk of forgetting or reusing passwords. Moreover, they resist phishing attacks as a third party cannot steal them from the user's device. 

Passkeys function on public key cryptography, ensuring that the secret element of the credential isn't shared with the website and that no secrets are exchanged between the user's device and the server. An authenticator, such as a mobile device or password manager, generates two cryptographic keys for each account to enable passkeys. One key is public and stored on the website, while the other is private and stored in the authenticator.

The WebAuthn API facilitates the creation of passkey, with most of the complexity handled by the software. User approval for passkey creation or usage can involve biometric checks, such as fingerprint or facial recognition, or a local device password or PIN.

Users can use passkey across devices, even if not synchronised, as long as the device is nearby and login approval is granted. As passkeys adhere to FIDO standards, they can be adopted by all browsers.

Passkey vs Password

A future where passwords are no longer necessary is becoming increasingly probable. However, it's important to examine the differences and implications of this development so that we can make informed judgments about whether we like where we are headed. 

Why passkeys are more secure than passwords

Passkeys offer enhanced security compared to passwords for several reasons. Firstly, passwords require users to remember them, often creating weak or easily guessable passwords. In contrast, passkeys are less susceptible to such vulnerabilities because they rely on biometric authentication or PINs stored on the user's device, making them harder to steal.

The unique nature of passkey, each created using robust algorithms for encryption, ensures greater security. Additionally, passkeys are less prone to phishing attacks since they are stored locally on the user's device rather than on a web server.

Moreover, passkeys support Two-Factor Authentication (2FA) by design, providing an additional layer of security. While 2FA is often overlooked for inconvenience, passkeys seamlessly integrate this feature, enhancing security without adding complexity to the login process.

However, the tie between passkey and the devices they are generated on can complicate their management across different operating systems and devices. For example, logging in from a different device may require the presence of the original device where the passkey was generated, potentially limiting accessibility and convenience. 

The biggest differences between passkeys and passwords

There are several significant differences between passkeys and passwords:

1. Creation process:

   Passwords require users to follow best practices to be strong and unique. This process can be challenging and often leads to the reuse of passwords across multiple accounts. In contrast, passkeys are generated for the user, eliminating the need for users to create and remember complex passwords.

2. Phishing resistance:

   Passwords are susceptible to phishing attacks, where users may unknowingly enter their credentials on fraudulent websites. Passkeys, however, are resistant to phishing because there is no data for users to enter on spoofed websites, making it difficult for cybercriminals to steal passkeys through such attacks.

3. Security level:

   Strong passwords are essential for account security, but many users need help creating and maintaining them, leaving their accounts vulnerable to compromise. Passkeys offer higher protection as they consist of public and private keys. Even if a server storing passkeys is breached, cybercriminals would only have access to the public key, which is useless without the private key.

4. Availability and support:

   While passwords are universally supported across websites, passkeys are a newer technology and, therefore, have yet to be widely adopted. Only a few companies like Apple, Google, PayPal, Best Buy, Adobe, and Microsoft support passkeys. This limited support may only allow some users to use passkeys once broader adoption occurs. 

Overall, passkeys offer enhanced security and convenience compared to passwords, particularly regarding resistance to phishing attacks and eliminating the need for users to create and manage complex passwords. However, their limited availability and support may present challenges for widespread adoption in the short term.

Are passkeys going to replace passwords?

Indications suggest that passkeys are likely to replace passwords in the near future. Passkeys provide greater convenience and enhanced security, making them a superior authentication option. However, for this transition to occur, significant platforms, services, and applications must adopt passkeys as the primary authentication method. 

The FIDO Alliance has been actively developing standards for passwordless authentication, and a significant advancement came with the proposal of a method to synchronise cryptographic keys across devices. This development, known as multi-device FIDO credentials by FIDO, lays the groundwork for broader adoption of passkeys, a trend already underway.