For decades, passwords have secured access to our user accounts. Users face the unpleasant challenge of remembering hundreds of passwords, many of which must be changed several times a year. IT administrators, even when following industry best practices, have found passwords increasingly ineffective as a security measure, partly because of the growth of phishing attacks. Passkeys are the solution that a major consortium of industry players, the FIDO Alliance, has developed, building on the FIDO2/WebAuthn standards it produced together with the W3C.
There are three factors of authentication (i.e. validating that someone is who they claim to be): i. something you know (e.g. a password or PIN), ii. something you have (e.g. a physical token or phone) and iii. something you are (e.g. facial recognition or a fingerprint). Security experts generally expect two of these factors to be combined to reach a reasonable level of authentication security. You may have heard of this as "two-factor authentication" or "2FA". Passkeys cleverly combine two factors: the device holding the key, such as your phone (something you have), only releases it after verifying you locally, usually with a biometric (something you are) or, failing that, the device PIN (something you know).
Instead of prompting you for a password, a passkey-enabled authentication mechanism gets you to authenticate yourself with a biometric or device PIN, either on the same device or on a separate one. Unlike with a password, the critical secret never needs to be stored on the server. Passkeys use public key cryptography (ordinary key pairs, not a certificate-based public key infrastructure): the server stores your public key, which may be freely made public, and the device stores your private key, which is complementary to the public key and must be kept secret. At login the server sends a fresh random challenge, the device signs it with the private key, and the server checks the signature with the stored public key. A breach of the server's database therefore yields nothing an attacker can log in with. Public key cryptography is not new technology; it has existed for decades and we have been using it to secure other parts of the internet for a long time.
The three major makers of operating systems and browsers – Microsoft (Windows, Edge), Apple (macOS, iOS, Safari) and Google (Android, Chrome) – are backing passkeys. All three have a stake in their users being secure. Watch the video below, from the start until 3:48, to get a quick feel for the passkey experience on an Android phone and how a new one can be set up on a Windows laptop. Watch the video in full to see how passkeys are set up and used on Apple devices as well. It is similar.
Aside from the immense convenience of not needing to create and remember passwords, the other big security advantage of passkeys is their resistance to phishing. An entire industry of malicious hackers now exists, working in call centres that focus on tricking and phishing people into transferring sums of money to them. They are not deterred by one-time PINs ("OTPs") sent by SMS. In some cases they intercept the SMS; more often they convince their victims to recite the OTPs to them. Neither attack works against a passkey: there is no code to intercept or recite, the credential is bound to the genuine site's domain so a lookalike site cannot trigger it, and the signature covers a one-time challenge from the real server, so it cannot be captured and replayed.
Where can passkeys go wrong?
One problem could be if your authenticating device does not have an internet connection. I am not sure at present if there is a solution for this. Note that a laptop with a biometric function can hold the passkey itself, and some device with an internet connection is needed in any case in order to reach the online service in the first place.
What if you lose your phone?
Passkeys can be backed up. The major vendors provide a way for a passkey to be set up on a second device or backed up to the cloud. Apple backs up passkeys to iCloud Keychain, which makes them retrievable by the user on another Apple device; Google does the equivalent through Google Password Manager. Apple states that the backup of passkeys is end-to-end encrypted, i.e. Apple itself cannot retrieve the private keys. When you set up passkeys, look into your own backup and recovery options before doing without passwords altogether.
Are passkeys the most secure solution available?
Passkeys provide a good balance between usability and security. Businesses can achieve a higher level of protection by restricting users to device-bound passkeys, ones that cannot be copied or synced to another device. As they centrally control access in any case, they can re-issue access to a user who has lost their device.
Is this really the end for passwords?
I have written about my concerns with passwords many times in the past decade (in reverse chronological order – i. recent best practices, ii. challenges in password management, iii. the password re-use attack, iv. choosing your password manager, v. lessons from Target on password complexity, vi. passwords ain’t nothing but trouble). The industry has converged on passkeys as the solution to what has been a security and user-friendliness problem for decades. In the next five years, I believe we will start using services for which we have user accounts but need neither passwords nor connectivity to our existing online identities.