Passwords are a problem. Not only are they hard to remember, but they can be cracked, phished, and stolen, leaving our accounts open to cyber criminals. So, there’s been a movement to replace passwords with passkeys, a new type of authentication technology.
Passkeys promise to enhance security while simplifying the experience of logging in to sites and services. They rely on authenticating ourselves to our devices rather than remembering strings of characters. So, what exactly are passkeys, and how do they differ from the passwords we've relied on for years?
What are passkeys?
A passkey is a digital credential made up of a pair of cryptographic keys, a public key and a private key, that your device generates when you set up the passkey for a particular site or app (passkeys are built on the FIDO2/WebAuthn standards). The public key is stored with the site or app. The private key, the only half that can actually sign a login, is never sent to the site or app, so a data breach there exposes nothing an attacker could use to log in as you.
Here’s how it works: When you use a passkey to log in to a website or app, the site sends your device a fresh, random, one-time challenge. Your device first checks that it's really you, by asking for your biometric data (Face ID, Touch ID or a fingerprint) or your PIN. Then it uses the private key for that site to sign the challenge together with the web address it is actually talking to. That signature, not the private key itself, is what travels over the internet; the site checks it against the public key it has on file and unlocks your access. Because every challenge is different, a signature that is intercepted can't be reused to log in again.
In addition to keeping passkeys only on one device, you can store them in a password manager, which syncs them (in encrypted form) so they are available on all of your devices. For instance, you can save passkeys to iCloud Keychain on your Apple devices, or to Google Password Manager with your Android device or Chrome browser. There are also third-party password managers, like Dashlane and 1Password, that store your passkeys for use on every device that has access to your password manager.
Today, hundreds of companies support passkeys, including Google, Apple, Amazon, and PayPal (you can see a list at https://passkeys.directory/). Some companies proactively prompt you to create a passkey for your account; others offer it as an option hidden in your account's security settings. In all cases, you’ll be prompted through the process.
The benefits of passkeys
The fundamental difference between passkeys and passwords lies in their approach to security and user experience. Passwords are knowledge-based: they depend on something you know, your password, which anyone who learns it can use from anywhere. Passkeys are possession-based: they depend on something you have, your device (or the password manager holding the key), plus something you are or know, your biometric or PIN, to unlock it.
Since the private key is tied to your device (or to your encrypted password-manager sync), an attacker who learns your PIN still can't use the passkey without the device itself. That removes the remote password-guessing and credential-stuffing attacks that plague passwords, and significantly reduces the risk of remote attacks in general.
Every passkey is unique to each website or service, and this happens automatically, so there is no way to reuse one across sites the way people reuse passwords. And because a site only ever holds your public key, even if that company's database is breached, the attackers get nothing they can log in with, and your other accounts are unaffected. Phishing is also much harder to pull off: a passkey is bound to the web address it was created for, so your device simply won't offer it on a lookalike site, and there is no secret for you to type into a fake login page. As a regular user you never even see your private key, so there is nothing for you to be tricked into handing over.
The drawbacks of passkeys
If you're not using a password manager, a passkey makes it harder than a password to regain access to your account when you lose your device, and harder to share access to your accounts with others.
If you lose your device, you will need to go through whatever account-recovery process the site or app offers, which typically means proving your identity some other way (a second passkey registered on another device, a recovery code, or a fallback password). It is worth registering a passkey on a second device, or keeping your recovery codes somewhere safe, before you need them. If your passkeys are synced through a password manager, you can sign in to the password manager on a new device and your passkeys come with it.
Passkeys are inherently designed for individual use. So, if you like the flexibility of granting account access to others (like I do with my husband for my Amazon account), sharing a passkey isn't as easy as sharing a password in most cases. Each person has to register their own passkey on the account, which is more involved than just handing over a password. The exception is password managers that let you share passkeys, like Apple's iCloud Keychain and 1Password. In those cases, it's as simple as sharing a password.
While it's much harder for attackers to get at your passkeys, synced passkeys are only as safe as the cloud account that holds them: anyone who takes over your Apple or Google account, or your password manager account, can get your passkeys along with it. To combat this potential threat, make sure two-factor authentication is turned on for any cloud-based service that stores your passkeys (like Apple and Google), which you should already have turned on, anyhow, and protect the password manager itself with a strong, unique password.
Given the very slow historical consumer adoption rate of security technology, I don't expect traditional usernames and passwords to go away anytime soon. However, passkeys are a promising new technology that has the potential to revolutionize online authentication. They are more secure and convenient than passwords, and you can expect to see them become the standard way to sign into websites and apps.
If you want to get started with passkeys now, there's no reason to wait for the rest of the world to catch up.
[Image credit: Digital Lock concept via Adobe Firefly]