Does remembering or creating new passwords get on your nerves? Accessing your computer, your phone, your banking application, the tax system, your different email, Spotify, Netflix and social network accounts: every time you use a service or subscribe to a new one, you must create a different, strong password.
Well, this is how it has worked for a long time, but soon this could change. If you’ve been wishing for a passwordless world, perhaps your wish will come true with passkeys.
The term became popular not so long ago, in the second quarter of 2022, when Google (May) and Apple (June) announced the addition of support for the passkeys standard. Later, Google added that Google Chrome and Android would both support the standard in October 2022. More recently, in May 2023, it was announced that support had been extended to personal Google accounts (login services).
After those announcements, you have surely started to see news about passkeys. It is a controversial topic. The idea of getting rid of the many passwords in our lives sounds very attractive, but at what cost? Are they a real and viable solution? These and more questions came to mind, so we decided to go deeper into the topic. Let’s explore it together!
What is the problem with traditional passwords?
The main problem is us, the human factor. Against all the security experts’ recommendations, millions of users follow very unsafe practices that carry very real risks. They create weak, easy-to-guess passwords (date of birth, pet’s name, 12345, “password”, etc.), reuse them, share them, use the same password for all their different accounts, never change them and, very commonly, forget them. Additionally, many users easily fall for social engineering tricks and phishing attacks, handing their passwords to criminals.
Besides, the existence of automated tools used in brute-force attacks to crack passwords, and the theft of databases containing passwords (security breaches), also support the view that passwords are not secure (ultimate password tips).
What are passkeys?
Passkeys are digital credentials used as a form of authentication to verify users’ identity as a condition for giving them access to a device, system, website, network or application. More specifically, passkeys are a login technology that combines a digital key with additional identifiers, for example a screen lock PIN, a fingerprint scan or facial recognition. This authentication process can be used on a variety of electronic devices, your smartphone included. The point is that, instead of typing passwords, passkeys could be the future way for users to sign in to websites, applications, etc.: a digital key that stays on your device and serves to verify that it is you.
The passkeys standard is promoted by the World Wide Web Consortium and the FIDO Alliance as a passwordless authentication method. If you find them called WebAuthn or FIDOAuthn, don’t get confused: they are passkeys. This last term is the one used in marketing to promote the standard.
The FIDO (Fast Identity Online) Alliance has been working on passwordless authentication standards for some time. This open association was launched in February 2013 with the mission of developing authentication standards to help reduce the world’s over-reliance on passwords.
Developers involved see passkeys as a solution to the lack of security that passwords currently represent. Besides, you (the user) won’t have to create a strong password every time you sign up for a new service, and you won’t have to memorize it and type it every time you sign in. Other advantages of passkeys that developers mention are:
• Private keys and biometrics (like fingerprint or face recognition) involved in this authentication process can’t be shared, which means more security and fewer chances for criminals to attack and do harm.
• Prevention of SIM-swap attacks, a dangerous trick used by cybercriminals.
• Stronger security compared with one-time SMS codes, which can also be compromised by hackers.
• Stronger protection against password-related risks, like phishing attacks.
• Prevention of human error when typing passwords or forgetting them.
• The values (long strings of characters) of passkeys can’t be reused or guessed.
• They are stored on your device; therefore cybercriminals can’t steal your passkeys by hacking into the provider’s database or server.
What devices are compatible with passkeys?
They are not designed to work on specific devices. A big confusion arose from Apple’s announcement in June 2022 about supporting passkeys: many people thought the standard was only for Apple’s devices. That is a mistake. Passkeys are meant to be used across different platforms and devices.
• Mobile devices. Passkeys can be the authentication method to enter your accounts from your phone or tablet.
• Computers. You can use passkeys to log in to desktop and laptop operating systems, macOS, Windows and Linux included. The standard also works for accessing accounts and online services via web browsers on computers. You can use one device, like your phone, to enter your computer, and later your computer to enter a particular account.
• Networking devices. Modems and routers can prevent unauthorized users from accessing Wi-Fi networks by securing them with passkeys. IoT (Internet of Things) devices, like smart home appliances and others, can be secured too by implementing this standard.
• Gaming consoles. Platforms such as PlayStation Network, Steam and Xbox Live need to secure the online gaming accounts of many users. Passkeys can also work in this case.
• Software applications. Any desktop software application, but especially those handling user accounts and sensitive data, can find a useful tool in passkeys. The standard can be implemented in encryption software to secure encrypted data.
• Online services. Security for email accounts is essential to protect users’ information against unauthorized access. All the social media platforms you know could use the standard to add an extra layer of security to the necessary user authentication process. Cloud services and financial services would surely be interested in using the standard on their financial apps and online banking platforms.
• Other authentication services. Passkeys could be part of multi-factor authentication methods to improve security.
How do passkeys work?
So far, passkeys sound like the solution to most of our current cyber nightmares, right? But the obvious question is: how? How do passkeys work, and how do they deliver all these advantages? Let’s jump into it.
Here we will quote Wikipedia: “They (passkeys) are often stored by the operating system or web browser and synchronized between devices from the same ecosystem using the cloud, however, they can also be confined to a single device such as a physical security key. They are normally secured using possession (of the device or security key), and often utilize biometrics as an additional security factor, neither of which requires the user to memorize a password”.
For us, a clearer explanation is required, so let’s try to break down the process.
Passkeys rely on the WebAuthn (Web Authentication) standard, which uses public key cryptography to secure accounts. It works through a pair of public and private keys instead of a traditional password. The public key is shared publicly, meaning the application or website you want to sign in to can see this key and store it. The private key, on the other hand, must always be kept safe and secret, because it is the one used for decrypting the data that gets encrypted with the public key. Here you have a big difference compared with traditional passwords: the private key is never shared with the application or site you want to sign in to and, therefore, is not stored on their servers.
Passkeys are stored directly on the user’s computer or phone. Your device is the key! A passkey consists of two related asymmetric cryptographic keys. Both are random and very long strings of characters. They are very different from each other, but one can decrypt the messages that are encrypted by the other. This is what makes the verification and authentication of users possible. The private key remains on your device, specifically within a password manager that supports passkeys or a passkey provider. It always stays on your device because it is essential to keep it private and secure, and it is protected (locked) by the password manager through your device’s password, PIN or biometrics. The public key is stored on the website you log in to and can be shared without compromising your security.
Let’s look at an example. You visit a website and start to log in. The website sends a large random number as a login challenge. You then unlock the passkey vault and the stored private key with your PIN, password or biometrics. The private key is used to build a cryptographic signature over the random number. The website verifies the legitimacy of this signature using the public key. If the check passes, you are authenticated as legitimate and gain access to the website.
You only need to unlock your device and use it as a key, without adding extra passwords or security measures to use different services.
Different aspects of passkeys are still being worked out, and security experts have open questions. We usually have more than one device: do we have to create different passkeys on every device we use? What would happen if a hacker stole our mobile with our passkeys inside it? The risk of having the phone stolen or losing it is very high. It is said that passkeys can be backed up in the cloud, but is that safe?
Since we found many interesting questions, we will dedicate another article to exploring the answers. If passkeys are the future, as many enthusiasts have said, we must be absolutely sure they can guarantee our security. Getting rid of passwords sounds good, but we must know at what cost before celebrating the passkeys’ arrival. Don’t miss our next article!