James Phang


Passkeys: The End of Passwords

Technology giants are moving to passkey technology, which is more secure and convenient than passwords. Apple and Google are updating their phone and web browser software to use passkey technology. Passwords have security issues such as breaches, phishing and stolen identities. They can also be an inconvenience to users, who have to remember several passwords. Passkeys are a secure alternative to passwords that reduces security vulnerabilities.

What is a Passkey?

Passkeys remove the need for passwords and use public-key cryptography to verify your identity rather than a username and password. Passkeys were created by an industry group called FIDO Alliance that includes companies like Apple, Google, Amazon, 1Password, Dashlane, American Express, Intel, Mastercard, Meta, PayPal, Samsung, Visa and lots more.

How do Passkeys Work?

Passkeys are part of a new web standard called Web Authentication or WebAuthn. WebAuthn uses public-key cryptography to verify your identity. When you create an account using WebAuthn instead of creating a password, your device will create a unique pair of mathematically related keys. One is called the public key, and the other is called the private key.

  • Public Key – Gets stored on the service’s servers; it can be public knowledge without affecting your security.

  • Private Key – Gets stored securely on your device, and this has to remain a secret.

When you log into a WebAuthn-enabled web service, it creates a challenge for your device and checks the response against the public key tied to your account. As the public key and private key are mathematically related, your device will be able to solve the challenge using the stored private key without revealing it to the server. Your device can verify your identity without any sensitive information changing hands, so there is nothing for phishers or hackers to steal.
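The challenge exchange described above, as an added example in Node.js (not code from the original article or from the WebAuthn specification): the service issues a random challenge, the device signs it with the private key, and the service checks the result with the stored public key. It is a simplified model rather than the real WebAuthn message format, and the function names and example origins are assumptions made for illustration.

```javascript
// Added example: simplified model of a passkey login (not the real WebAuthn wire format).
const crypto = require('crypto');

// Device side: create a key pair for one account; only the public key leaves the device.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: sign the server's challenge together with the origin the browser is on.
function signChallenge(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('hex'), origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Server side: issue a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Server side: check signature, challenge and origin using only the stored public key.
function verifyLogin(publicKey, expectedChallenge, expectedOrigin, response) {
  const ok = crypto.verify('sha256', Buffer.from(response.clientData), publicKey, response.signature);
  if (!ok) return 'bad-signature';
  const data = JSON.parse(response.clientData);
  if (data.challenge !== expectedChallenge.toString('hex')) return 'wrong-challenge';
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenario; the origins are made-up sample values.
function demo() {
  const SITE = 'https://shop.example';
  const { publicKey, privateKey } = createPasskey(); // the server stores publicKey only
  const c1 = newChallenge();
  const genuine = signChallenge(privateKey, c1, SITE);
  const c2 = newChallenge();
  const lookalike = signChallenge(privateKey, c2, 'https://shop-login.example');
  const tampered = { ...genuine, clientData: genuine.clientData.replace(SITE, 'https://other.example') };
  return {
    genuine: verifyLogin(publicKey, c1, SITE, genuine),
    replayed: verifyLogin(publicKey, c2, SITE, genuine), // old response, new challenge
    lookalike: verifyLogin(publicKey, c2, SITE, lookalike), // signed on a different origin
    tampered: verifyLogin(publicKey, c1, SITE, tampered), // signed data altered afterwards
  };
}

console.log(demo());
```

Only the genuine response is accepted; a captured response is useless against the next challenge, and one produced on a look-alike site fails the origin check.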

From a user perspective, when you log in to an account that uses WebAuthn your device or web browser will prompt you to unlock your account using your PIN or biometric option like FaceID or TouchID. The pairing of the public and private key will happen automatically in the background.

To sign in from another device you will click Sign in with passkey, then Other sign-in options. From that, you will be shown a QR code that gets scanned by the device that contains the passkeys.

Why Are Passkeys More Secure Than Passwords?

Passwords are the current standard for sign-on. Users must remember their passwords, and as more services require complex passwords for sign-in, it can be a hassle to remember multiple passwords. Passwords are also vulnerable to cyber-attacks and data breaches. Bad actors can use phishing scams to trick people into sharing passwords on fraudulent websites.

Passkeys are more secure because the data is stored on the device, and bad actors need access to both the device and the fingerprint, FaceID or PIN that unlocks it. If a user were to lose a device, the thief would be unable to access information without biometric authentication.

Each passkey is unique and created using a strong encryption algorithm, so the user does not have to worry about weak passwords that can be guessed.

Summary

As companies look to strengthen their data security and privacy, passkeys offer a method of keeping users' credentials secure and less prone to cyber-attacks. As passkeys involve the pairing of a public key and a private key (stored on the user's device), they provide a more secure method to authenticate users.

From a user perspective, the use of passkeys means users won’t need to remember multiple complex passwords or use the forgotten-password process to log in. As more services move to digital, users will hold online accounts across multiple websites and services. Currently, if one site is compromised, the advice is that users should go and change their password on all online accounts, which takes time to do.

Passkeys look to improve our online data security as we transition our services to digital. As more companies look to use digital transactions, passkeys would offer a secure method to help customers keep their online data secure even if a website is compromised by bad actors.

Video: Understand Passkeys in 4 minutes by Google