
You might well think everything is sorted now that you have a password manager: all you have to do is remember one master password, because all the others are stored in the manager. You could equally say that whoever knows or steals that one password knows them all. After all, the risk of data leaks and phishing attacks remains, so whether we are talking about one password or many, the level of exposure is the same. This is where passkeys come in, replacing traditional passwords.

In the past, logging in to an online service meant entering a combination of username and password; today, you can access your account with a passkey simply by changing your security settings. Doing so stores a secret private key on your device and registers a matching public key with the service you are accessing. Only the combination of the two gives access to your account. To activate the passkey, an authentication process between the relying party (the online service) and the end device is initiated. This runs over an established web authentication protocol: the service transmits a cryptographic challenge to the client, e.g. the smartphone, which answers it with a cryptographic signature.

Once this has happened, users are asked to authenticate on their own device using biometric data (fingerprint or face recognition) or to set up a device-specific PIN. This is the final step in configuring the passkey, and from then on users log in this way every time. A hardware token such as a USB stick or chip card can also serve as an authenticator. “The access code is saved on the hardware, meaning we don’t have to scratch our heads trying to remember them or write them down on a bit of paper, which I’m sure we can all agree is much better,” says Karl Schulz, Security Consultant at Bechtle.
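The registration and login exchange described above, as an added example written for this page (it is neither Bechtle's code nor a FIDO2 implementation): a relying party with the assumed RP ID "example.com" and an authenticator play out a WebAuthn-style ceremony using Go's standard-library ECDSA. The bytes that get signed are a simplified stand-in for WebAuthn's authenticatorData plus clientDataJSON hash; the one-time challenge bookkeeping, the origin check on the service side and the scoping of the private key to one RP ID on the device side are the parts that carry the security argument.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedData stands in for WebAuthn's authenticatorData || SHA-256(clientDataJSON), simplified:
// the RP ID, the origin and the challenge are all hashed into the bytes that get signed.
func signedData(rpID, origin string, challenge []byte) []byte {
	rpIDHash, clientHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	h := sha256.Sum256(append(rpIDHash[:], clientHash[:]...))
	return h[:]
}

// Assertion is the authenticator's reply to a login challenge: it carries no biometric and no private key.
type Assertion struct {
	Origin    string // origin the browser saw
	Challenge []byte // challenge being answered
	Signature []byte // ASN.1 ECDSA signature over signedData(rpID, Origin, Challenge)
}

// RelyingParty is the online service (one user account for brevity). It stores the registered public
// key and outstanding challenges, never a private key. RP ID "example.com" is an assumed value.
type RelyingParty struct {
	ID         string
	PubKey     *ecdsa.PublicKey // set at registration
	challenges map[string]bool  // issued challenges, each usable once
}

// NewChallenge issues 32 random bytes and remembers them for one-time use.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	if rp.challenges == nil {
		rp.challenges = map[string]bool{}
	}
	rp.challenges[string(c)] = true
	return c
}

// Verify accepts an assertion only for a fresh challenge, the RP's own origin and a valid signature.
func (rp *RelyingParty) Verify(a Assertion) error {
	if rp.PubKey == nil {
		return fmt.Errorf("no passkey registered")
	}
	if !rp.challenges[string(a.Challenge)] {
		return fmt.Errorf("challenge unknown or already used")
	}
	delete(rp.challenges, string(a.Challenge)) // consumed, so a replayed assertion fails here
	if a.Origin != "https://"+rp.ID {
		return fmt.Errorf("origin %q does not belong to %q", a.Origin, rp.ID)
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedData(rp.ID, a.Origin, a.Challenge), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Authenticator is the phone or hardware token. Its private key is scoped to one RP ID and never leaves it.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// CreateCredential makes a P-256 key pair for rpID; only the public key is handed to the service.
func (au *Authenticator) CreateCredential(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	au.rpID, au.priv = rpID, priv
	return &priv.PublicKey
}

// Sign answers a challenge shown from origin. The browser ties the RP ID to the origin, so a look-alike site
// finds no usable credential. Local user verification (fingerprint, face, PIN) gates this call on the device and is never transmitted.
func (au *Authenticator) Sign(origin string, challenge []byte) (Assertion, error) {
	if au.priv == nil || "https://"+au.rpID != origin {
		return Assertion{}, fmt.Errorf("no passkey for %s", origin)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, au.priv, signedData(au.rpID, origin, challenge))
	if err != nil {
		panic(err)
	}
	return Assertion{Origin: origin, Challenge: challenge, Signature: sig}, nil
}

func main() {
	rp, au := &RelyingParty{ID: "example.com"}, &Authenticator{}
	rp.PubKey = au.CreateCredential(rp.ID)                     // registration: only the public key reaches the service
	a, _ := au.Sign("https://example.com", rp.NewChallenge()) // login: the challenge is signed on the device
	_, err := au.Sign("https://examp1e.com", rp.NewChallenge()) // a look-alike site gets no signature at all
	fmt.Println("login:", rp.Verify(a), "| replay:", rp.Verify(a), "| look-alike:", err)
}
```

Running it prints a nil error for the genuine login, an error for the second, replayed verification (the challenge was consumed) and an error from the authenticator for the look-alike origin, which is the mechanism behind the page's claim that there is nothing for a phishing site to steal: the service never holds the private key, the device never signs for an origin its credential was not created for, and each challenge is good for exactly one login.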

Secure and user-friendly to boot.

Everyone benefits from passkeys: users like us, who no longer have to worry about remembering passwords, and providers, who no longer have to keep passwords under lock and key. What does that mean for hackers? There is nothing left for them to steal, which makes such attacks pointless. By the way, biometric data are never transmitted to the service provider; they remain on your own devices.

For all the benefits, it may feel like you are losing control. Instead of having a password tattooed on your mind, you have to trust that the public key is saved securely. As mentioned above, passkeys are based on proven security protocols such as FIDO2, which was developed by the FIDO Alliance together with the World Wide Web Consortium and has since become the standard. The Alliance counts numerous international tech companies among its members, and the number is growing.

Passkeys can also be saved with major cloud providers such as Apple, Google and Microsoft and synchronised across devices, so if the original authenticator is lost, the key can be recovered on another tablet, laptop or smartphone.

In theory, saving passkeys in the cloud carries some risk, because the server could be compromised, which is why a hardware token is the most secure option, particularly for sensitive applications. Whatever the case, passkeys will probably become the standard for network authentication in the future: they are not only secure but very convenient, leaving us free to think about how we can change the world instead of worrying about passwords.