Passkeys: Can this be the end of passwords?

Passwords are a real pain.  They have been for a long time, since the beginning of computers and perhaps the first days of the Internet.  As a security practitioner, however, I've noticed that the ability to prescribe any other form of access control to sensitive or valuable computer-based resources was challenging to imagine.  This is due partly to today's available tools in the field, such as cryptography.  The password - or passphrase - has persisted for two main reasons: Simplicity and cost.  Most people know what a secret is and have the mental capacity to remember one.  And it's free.

Today, in our hyper-connected modern world, we find ourselves at a true crossroads when it comes to using passwords to protect our digital selves.  This crossroads comes in part because three huge players in the industry - Google, Microsoft, and Apple - decided to join forces and promote a new way to save ourselves from password oblivion: Passkeys.

What are Passkeys?

The FIDO Alliance - which creates and maintains the standards that support passkeys - defines a passkey as follows:

Passkey

/ˈpasˌkē/
noun
Passkeys are a password replacement that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices.

This is a fairly clean definition of passkeys, straight from their creators.  However, there is much more to this topic, and it has the potential to dramatically change our digital lives.

Why is this a big deal?

There is plenty of literature, both proprietary and open, published about password use.  Some of it delves into the history of "watchwords" and their use in military applications of the ancient Roman world.  Passwords date back to ancient times and have been used in some form or another ever since. Ancient Egyptians used passwords to protect tombs, while ancient Greeks used passwords to identify people and grant access to certain areas. The use of passwords continued in the Middle Ages, and by the 17th century, they were being used to protect documents and financial records. In the 18th century, passwords were used to protect the newly invented telegraph. During World War II, passwords were used to protect military secrets.

Fast forward to the 21st century, and passwords have become ubiquitous across the modern web services that help us find a restaurant, pay our taxes, and sell our goods and services.  They are so prolific that they've become a target for ransomware gangs, defacers, and politically motivated cyber actors.  People with questionable motives know the weak spots in our e-commerce society.  Some might suggest that passwords have reached the end of their usefulness.

However, to replace such a prolific method of protection - or authentication - would require a seemingly monumental effort, given all that has been shared about passwords so far.  How do we move from passwords to "passwordless"?  The first step is to consider why we would replace them.

We might look to move away from passwords because of the number of cyberattacks that target them.  One can also argue that passwords are less secure than other forms of authentication because they can be stolen, guessed, or cracked.  As such, a well-designed passwordless solution may improve security by making credentials harder to compromise.

One significant reason a smart passwordless solution can be a big deal is the reduced burden of memorizing and managing multiple passwords.  Password re-use is a well-documented, critical vulnerability in how the average person manages multiple passwords.  A passwordless solution would eliminate the need to memorize or manage passwords.  However, the solution must also make it easier and faster for people to log in to their accounts securely.

From an industry perspective, well-designed passwordless solutions should reduce the risk of data breaches. This could lead to reduced liability exposure for companies and help mitigate compliance risks associated with data breaches.  Perhaps very large organizations would be motivated to get rid of passwords altogether.

The significance of Passkey

Passwordless solutions for information technology have been around since the late 1990s when the first two-factor authentication systems were introduced. These solutions used a one-time code sent to a user's registered email address or mobile phone to verify the user's identity. Over the years, two-factor authentication systems have become increasingly popular.

In the early 2010s, companies began to explore new solutions that would eliminate the need for passwords. These solutions often relied on biometric data, such as fingerprints or facial recognition, to verify a user's identity. This allowed users to access their accounts with a single tap or glance.

Today, passkeys represent the latest attempt to bring an easy-to-use, yet strong, form of passwordless authentication to everyone.  The solution replaces passwords with a credential held on the user's device and unlocked by biometric authentication, which is used to identify and authenticate the user.  Perhaps in part to reach a larger audience of potential users more easily, passkeys rely upon common devices - such as smartphones, laptops, and desktops - to provide a familiar way for millions of people to perform biometric or passcode-based authentication.  In this way, familiarity may breed comfort and can help drive broad adoption of the solution.

The passkey is designed to solve these problems by eliminating the need for passwords. Instead of entering a password, users can use their device or biometric data, such as a fingerprint or face recognition, to authenticate themselves. This eliminates the need to remember multiple passwords and reduces the risk of data breaches and phishing scams.

The passkey works by using public key cryptography to secure the user's credentials. When a user logs into an online account, their device presents its unique public key (generated on the device when the passkey was created) to the server. The server then verifies that the public key matches the one it has on record and sends a random challenge message to the device to initiate a secure authentication process. The user's device uses its private key, which never leaves the device, to sign the challenge, and the signature is sent back to the server. The server then verifies the signature against the stored public key and grants access to the user's account.
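As an added example (not code from this article or from the FIDO Alliance), here is a Go sketch of the flow just described, using P-256 ECDSA as WebAuthn commonly does. The `Device` and `Server` types and the origin-binding hash in `bindMessage` are assumptions standing in for the real protocol's credential records and clientData; the point they show is that the server holds only a public key, each sign-in signs a fresh challenge, and a signature made for a lookalike origin is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device holds the private key, which never leaves the device.
type Device struct{ priv *ecdsa.PrivateKey }

// Server stores only the public key and the web origin the passkey was created for.
type Server struct {
	pub    *ecdsa.PublicKey
	origin string
}

// Register models passkey creation: the device generates a P-256 key pair and
// hands the server the public half, bound to the site's origin.
// (Errors from crypto/rand only occur if the OS RNG is broken; ignored here for brevity.)
func Register(origin string) (*Device, *Server) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: priv}, &Server{pub: &priv.PublicKey, origin: origin}
}

// Challenge issues a fresh random nonce per sign-in so an old signature cannot be replayed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// bindMessage hashes the challenge together with the origin (as the browser's
// clientData does), so a signature only counts for the site that requested it.
func bindMessage(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return h[:]
}

// SignIn is the device side: sign the challenge bound to the origin the browser reports.
func (d *Device) SignIn(challenge []byte, origin string) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, d.priv, bindMessage(challenge, origin))
	return sig
}

// Verify is the server side: reject a mismatched origin, then check the signature.
func (s *Server) Verify(challenge, sig []byte, origin string) bool {
	return origin == s.origin && ecdsa.VerifyASN1(s.pub, bindMessage(challenge, origin), sig)
}
```

In a real deployment the browser refuses to use the credential at all when the site's origin does not match the passkey's relying-party ID; the server-side origin check here is the second, independent line of that defense.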

The passkey is designed to be easy to use and secure. The seamless authentication process does not require the user to remember any passwords. The user's private key is stored securely on their device, making it difficult for attackers to access. Additionally, the passkey uses strong cryptography to secure the user's credentials and prevent unauthorized access.

How do I take advantage of Passkey today?

If you are adventurous or curious enough, you can start to use passkeys today.  You can follow the steps below:

  1. Familiarize yourself with the technology: To take advantage of passkey, it is important to understand how the technology works and its benefits. This article should help you take this first step.

  2. Choose a device that supports passkey: Passkey is supported on a wide range of devices, including smartphones, laptops, and smartwatches. Choose a device that supports passkey and has the required biometric sensors, such as a fingerprint or face recognition, to use it.

  3. Use passkey with trusted online services: Start using passkey with trusted online services that offer it as a means of authentication. This will help you get used to the technology and its benefits.

  4. Enable two-factor authentication: To enhance security, enable two-factor authentication when using passkey. This will add an extra layer of protection to your online accounts.

  5. Educate others: Share your experience with others (share this article) and educate them about the benefits of passkey. Encourage others to adopt the technology and help create a more secure and convenient online environment.

Is Passkey the passwordless future?

It may not be the future of passwordless, but it may be one good way to get us there.  It can be argued that passkey is a step towards the elimination of passwords. Passkey offers a passwordless solution that eliminates the need for traditional passwords and provides a more secure and convenient way to authenticate online. This can reduce data breaches and phishing scams and make it easier for users to access their online accounts. However, it is important to note that passwordless solutions are still relatively new and may not be suitable for all types of online transactions. Widespread adoption of passkey and other passwordless solutions will require significant investments in infrastructure and technology by businesses and consumers.

It is likely too soon to say that passkey will replace passwords. It is one of several solutions aimed at solving the security and usability issues with traditional passwords. It will likely evolve and change as the technology and needs of consumers and businesses change. The goal should be to provide a secure and convenient authentication solution that works for everyone, and passkey may play a significant role in that solution.
