What Exactly Are Passkeys?

• Ted Eiler
• 3 weeks ago
• Categories: Computing News, Computing Tips/How To

 

You may have noticed recently more websites asking you to create a passkey to use in place of a password for logging in.  Passkeys are a modern authentication method that eliminates to need to remember and enter passwords by allowing you to log into a site simply by entering your screen unlock PIN number, or through a biometric sensor such as a fingerprint reader or camera for face ID.

Though they simplify the login process, they are actually more secure than passwords.  Passkeys implement public-key (asymmetric) cryptography (PKC) for the authentication process, whereby a public key is created that resides on the server you are logging into, and a private key is created that is stored on your device.  When attempting to log into a site, the site will send a piece of data to your web browser or app that your device will sign (I’ll leave out all the technicalities of what signing is) using its private key.  The signed data is then returned to the server which will use the corresponding public key to verify the signature and that you are indeed in possession of the private key, thereby granting you access to the site.

Here are some key benefits of a passkey over a traditional password:

• Phishing Resistance:  Your private key is stored on your device and is never shared during the login process, making it resistant to phishing attacks whereby a fake website or agent seeks to get you to give up your password to the wrong party.  The passkeys generated will only work on the specific website or domain they were created for, so an attempt to use a passkey on the wrong site will immediately be rejected by your browser/operating system.
• No Reused Passwords:  A unique passkey is created for each service or site you are connecting to, so there is no risk of connecting to multiple sites with a same password, which can result in multiple account breaches when a reused password is compromised.
• No Passwords Stored on Server:  The site or service provider does not store any passwords and only has possession of the public key, which is useless without your corresponding private key.
• Local Authentication:  The authentication step using face ID, fingerprint or PIN happens entirely on your device, and your private key always remains safely in your possession and is never given out.
• Seamless Multi-Device Access:  Multi-device passkeys can be synced across your various devices allowing you switch devices without service interruptions, provided they’re linked to your Apple, Google or Microsoft account.  Synced passkeys are encrypted end to end and cannot be viewed by your cloud service provider.
• Multi-Factor Authentication (MFA):  Passkeys act as a multi-factor authentication system as it requires something you have such as your smart phone, along with something you are (biometrics – face ID, fingerprint) or something you know (PIN number)

Often the process of making a system more secure results in adding complexity and a greater burden for the user, however passkeys combine the power of modern public-key cryptography with the convenience of a simple pin number or biometric verification.  More and more websites, apps and services are enabling passkeys for better security, and passkey support is being integrated into major devices and operating systems such as Apple (macOS, iOS), Android and Windows, as well as the most common web browsers such as Google Chrome, Apple Safari, Microsoft Edge and Mozilla Firefox.

 

~Ted Eiler