BW Businessworld

Passkeys In Lieu Of Passwords?

The words of Google’s identity and security product manager Christiaan Brand: “Passwords are dead. May we never have to see them, remember them or type them.”


An interesting thought. Most people who are active on the internet have several online accounts requiring multiple passwords, ideally all unique. From a security perspective, experts recommend that website passwords be changed every three months, and good password practice dictates using a different password for each account, especially those used for financial transactions. Add to that the fact that a strong password requires a combination of mixed-case letters, numerals and special characters, and life becomes not just difficult but complicated and cumbersome.

According to the FIDO (Fast Identity Online) Alliance, a nonprofit organisation that seeks to standardise authentication, passwords are the root cause of over 80 per cent of data breaches.

Enter passkeys, a way of logging in to portals and apps without passwords. Passkeys appear to be the way ahead for securing our online accounts and making them less vulnerable to attack by hackers. Apple announced passkey support for macOS Ventura, iOS 16 and iPadOS 16 at its conference in June 2022, and Google rolled out passkeys in May 2023.

How passkeys work

A passkey works in a manner similar to two-factor authentication (TFA). It uses Bluetooth for authentication instead of Wi-Fi; Bluetooth requires the user to be in close proximity to the device, which helps verify the user's identity. Passkeys are built on public-key cryptography, which means there is a pair of digital keys, one public and one private. The public key resides on the website or app one is trying to log in to, and the private key stays on a personal device, most likely a smartphone. When one tries to log in, the website sends a push notification to the phone via Bluetooth. The user then approves the login with a PIN, pattern or biometric such as a fingerprint or facial recognition, whichever authentication method is set up on the phone. If the public key on the website matches the private key on the user's personal device, the login goes through. The notable feature is that the keys are mathematically related: the signed data returned to the server can be verified with the public key, and the server never needs to know the private key to validate it.

Why is a passkey more secure?

Cybercrime happens because passwords are either weak or captured through phishing attacks. Passkeys are, by their very nature, more secure, since a potential hacker would need not only access to the device to which the notification is sent but also physical proximity to the device being used to log in. Phishing attacks work by impersonating websites that users believe to be authentic and into which they enter their login credentials; those credentials are then used to breach the user's accounts. This is not possible with passkeys, since only the trusted domain can send the notification. Moreover, passkeys use end-to-end encryption and are stored in a vault in the device's keychain or password manager. A hacker would need both the public key and the private key to breach the account; the public key may be shared freely, but without the private key it is of no use to the hacker. These days, professional hackers employ high-speed cloud resources that make cracking passwords a piece of cake, but such brute-force tactics cannot be used against passkeys.
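As an added illustration (not code from the article, nor Apple's or Google's implementation), the Go program below models the key relationship described in the previous section and the phishing-resistance point made in this one: the device keeps the private key, the site stores only the public key and issues a fresh random challenge per login, the device signs that challenge bound to the site it was registered for, and the site verifies the reply with the public key alone. Real WebAuthn binds the origin through the browser and clientDataJSON; here that check is compressed into Sign, and the domain names used in testing are constructed examples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator is the user's device (private key never leaves it); RelyingParty is the website.
type (
	Authenticator struct{ rpID string; priv *ecdsa.PrivateKey } // rpID: site it was registered for
	RelyingParty  struct{ rpID string; pub *ecdsa.PublicKey }   // stores only the public half
)

// Register creates the key pair on the device and hands the public key to the site.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, as WebAuthn uses
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID, priv}, &RelyingParty{rpID, &priv.PublicKey}, nil
}

// NewChallenge issues fresh random bytes per login, so a captured reply cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// toBeSigned binds the challenge to the origin the browser is actually talking to.
func toBeSigned(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign is the step the user approves with a PIN or biometric; the device refuses any other origin.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, errors.New("no credential for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, toBeSigned(origin, challenge))
}

// Verify checks the reply with the stored public key; the site never holds the private key.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, toBeSigned(rp.rpID, challenge), sig)
}
```

A look-alike domain never obtains a signature because the credential is scoped to the registered site, and a reply captured for one challenge fails against the next.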

According to Kathleen Moriarty, CTO of the Center for Internet Security, “Passkeys are the way of the future in basic internet security as they’re intrinsically more secure and phishing resistant”. She further adds, “Passkeys are an example of what security should be: seamless and invisible to the end user”. 

Are passkeys standard?

FIDO is a set of technology security specifications for strong authentication, developed by the FIDO Alliance. Another organisation doing similar work is the World Wide Web Consortium (W3C). In March 2019, the two came together and announced the Web Authentication (WebAuthn) specification as the official standard for web security. WebAuthn is a web-based API that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms. FIDO2 enables users to leverage common devices to authenticate easily to online services in both mobile and desktop environments. It addresses the following challenges associated with traditional authentication:

  • User Experience: Users can log in with PIN, pattern or biometrics. 
  • Security: FIDO2 login credentials are unique across every website and biometrics or other private credentials like passwords remain on the user’s device and are never stored on a server. 
  • Privacy: FIDO keys are unique for each website and hence, cannot be used to track one across sites. 
  • Scalability: Websites can enable FIDO2 via an API call across all supported browsers and platforms on any number of devices. 

That said, as of now, not all portals and apps support passkeys. Additionally, Google and Apple passkey platforms do not communicate directly with each other. The figure below depicts the capability matrix of passkey platforms.

The future of Passkeys 

The question is not whether passkeys will replace passwords; it is when that will happen. The move is still a few years away, but the pace is increasing as more and more companies jump on the bandwagon. Once operating systems like Ubuntu and Linux start offering the functionality and cross-platform compatibility is in place, the pace of adoption will improve considerably.

To conclude with the words of Google’s identity and security product manager Christiaan Brand, “Passwords are dead. May we never have to see them, remember them or type them”.  

Jayesh Shah