SHARE

Passkey

Passkey represents a groundbreaking advancement in online security. It is an alternative to traditional passwords, offering a more secure and user-friendly authentication method. Unlike passwords, which can be cumbersome and susceptible to various security risks such as phishing and theft, passkeys rely on biometric authentication (like fingerprint or facial recognition) or a PIN or swipe pattern for access. 

Passkeys operate on a sophisticated cryptographic framework consisting of a private and a public cryptographic key. The service provider securely stores the public key, while the private key remains locally on the user's device, ensuring robust security measures. This setup enhances security by minimising the risk of interception or compromise of sensitive authentication data.

To use a passkey, users must enable an authenticator, which can be their smartphone, computer, tablet, browser, or a dedicated password manager. Once set up, users can seamlessly access their accounts without the hassle of remembering passwords. During the login process, the account server sends a challenge to the authenticator, which then utilises the stored private key to solve the challenge and confirm the user's identity, a process known as "signing" the data.

By offering a passwordless login experience, passkeys eliminate many risks associated with traditional password-based authentication methods. This advancement enhances security, improves convenience, and provides a streamlined user experience across various devices. Passkeys represent a significant step towards a password-free future, ushering in a new era of online security.

How does a passkey work?

A passkey operates as an advanced password form, revolutionising how user identities are verified during sign-up and login processes. Unlike traditional passwords, passkey work through a unique cryptographic system.

When a user signs up for a service supporting passkey authentication, two keys are generated: public and private keys. The public key is stored on the website's server, while the private key remains on the user's device, be it a phone, tablet, desktop, or laptop. With both keys, the authentication process is successful.

During login, the server sends a request to the user's device, which responds with the related passkey. The user's identity is also verified on the device level through biometrics. If the pair of keys match, access to the account is granted.

Passkeys are widely regarded as more secure and convenient than passwords since they mitigate the risk of forgetting or reusing passwords. Moreover, they resist phishing attacks as a third party cannot steal them from the user's device. 

Passkeys function on public key cryptography, ensuring that the secret element of the credential isn't shared with the website and that no secrets are exchanged between the user's device and the server. An authenticator, such as a mobile device or password manager, generates two cryptographic keys for each account to enable passkeys. One key is public and stored on the website, while the other is private and stored in the authenticator.

The WebAuthn API facilitates the creation of passkey, with most of the complexity handled by the software. User approval for passkey creation or usage can involve biometric checks, such as fingerprint or facial recognition, or a local device password or PIN.

Users can use passkey across devices, even if not synchronised, as long as the device is nearby and login approval is granted. As passkeys adhere to FIDO standards, they can be adopted by all browsers.

Passkey vs Password

A future where passwords are no longer necessary is becoming increasingly probable. However, it's important to examine the differences and implications of this development so that we can make informed judgments about whether we like where we are headed. 

Why passkeys are more secure than passwords

Passkeys offer enhanced security compared to passwords for several reasons. Firstly, passwords require users to remember them, often creating weak or easily guessable passwords. In contrast, passkeys are less susceptible to such vulnerabilities because they rely on biometric authentication or PINs stored on the user's device, making them harder to steal.

The unique nature of passkey, each created using robust algorithms for encryption, ensures greater security. Additionally, passkeys are less prone to phishing attacks since they are stored locally on the user's device rather than on a web server.

Moreover, passkeys support Two-Factor Authentication (2FA) by design, providing an additional layer of security. While 2FA is often overlooked for inconvenience, passkeys seamlessly integrate this feature, enhancing security without adding complexity to the login process.

However, the tie between passkey and the devices they are generated on can complicate their management across different operating systems and devices. For example, logging in from a different device may require the presence of the original device where the passkey was generated, potentially limiting accessibility and convenience. 

The biggest differences between passkeys and passwords

There are several significant differences between passkeys and passwords:

  1. Creation process:

    Passwords require users to follow best practices to be strong and unique. This process can be challenging and often leads to the reuse of passwords across multiple accounts. In contrast, passkeys are generated for the user, eliminating the need for users to create and remember complex passwords.

  2. Phishing resistance:

    Passwords are susceptible to phishing attacks, where users may unknowingly enter their credentials on fraudulent websites. Passkeys, however, are resistant to phishing because there is no data for users to enter on spoofed websites, making it difficult for cybercriminals to steal passkeys through such attacks.

  3. Security level:

    Strong passwords are essential for account security, but many users need help creating and maintaining them, leaving their accounts vulnerable to compromise. Passkeys offer higher protection as they consist of public and private keys. Even if a server storing passkeys is breached, cybercriminals would only have access to the public key, which is useless without the private key.

  4. Availability and support:

    While passwords are universally supported across websites, passkeys are a newer technology and, therefore, have yet to be widely adopted. Only a few companies like Apple, Google, PayPal, Best Buy, Adobe, and Microsoft support passkeys. This limited support may only allow some users to use passkeys once broader adoption occurs. 

Overall, passkeys offer enhanced security and convenience compared to passwords, particularly regarding resistance to phishing attacks and eliminating the need for users to create and manage complex passwords. However, their limited availability and support may present challenges for widespread adoption in the short term.

Are passkeys going to replace passwords?

Indications suggest that passkeys are likely to replace passwords in the near future. Passkeys provide greater convenience and enhanced security, making them a superior authentication option. However, for this transition to occur, significant platforms, services, and applications must adopt passkeys as the primary authentication method. 

The FIDO Alliance has been actively developing standards for passwordless authentication, and a significant advancement came with the proposal of a method to synchronise cryptographic keys across devices. This development, known as multi-device FIDO credentials by FIDO, lays the groundwork for broader adoption of passkeys, a trend already underway.

Frequently Asked Questions
How does a passkey work?

A passkey generates two cryptographic keys - a public key stored on the server and a private key stored locally on the user's device. During login, the server sends a challenge to the device, which uses the private key to authenticate the user without entering a password. This process ensures secure and convenient authentication.


What is the difference between a password and a passkey?

The main difference between passwords and passkeys lies in their authentication methods. Passwords involve users creating and remembering alphanumeric combinations, whereas passkeys are generated for users and often rely on biometric authentication or PINs stored on the user's device. Passkeys offer enhanced security and resistance to phishing attacks compared to traditional passwords.


Can passkey be hacked?

Passkeys are designed to be highly secure, with the private key stored locally on the user's device and not shared with the server. This makes passkeys resistant to many hacking techniques, including phishing attacks. However, like any security measure, passkeys may still be vulnerable to sophisticated hacking attempts, so following the best device and account security practices is essential.


What is the FIDO?

FIDO is an alliance of technology companies working to develop open standards for secure authentication. FIDO standards aim to reduce password reliance by promoting secure authentication methods such as biometrics, hardware tokens, and passkeys. FIDO specifications help improve online security and user authentication experiences across various platforms and devices.


Articles you might enjoy

Piqued your interest?

We'd love to tell you more.

Contact us