For many of us, memorizing passwords has been a significant part of our digital lives. However, in the wake of rampant data breaches and phishing attempts, this convention has transformed from a primary line of defense into a security vulnerability. In response, tech giants like Google, Apple, and Microsoft announced their support for a passwordless future, a new sign-in standard developed by the Fast IDentity Online (FIDO) Alliance. This innovative measure is rooted in passkeys, a feature that enhances online security.
“The cryptography means passkeys — however many you have, and wherever they are stored — are only useful to the user.”
Understanding the Concept of Passkeys
Passkeys are FIDO credentials stored on your device used to unlock your online accounts, making signing in more secure. They function using public key cryptography, and proof of credential ownership is only demonstrated to your online account when you unlock your device. With passkeys, you can sign into websites or applications on your phone without a password. If you’re signing into a website on your computer, you merely need your phone nearby, and you’ll be prompted to unlock your device, granting you access.
Interestingly, the vision for passkeys extends beyond merely replacing passwords. It aims to eliminate all the makeshift solutions the industry has designed to compensate for the vulnerabilities of passwords. This includes challenge questions and more sophisticated fixes like multi-factor authentication, SMS messages, or authenticator apps. Passkeys are poised to replace all these methods.
The Power of Public Key Cryptography
Public key cryptography, the underlying technology of passkeys, has been around since the 1970s. It forms the backbone of the web as we know it. Secure Sockets Layer (SSL), an encryption based on public keys, was developed in the 1990s to authenticate websites and ensure user privacy. However, passkeys take this technology a step further. Instead of systems establishing each other, the user’s device, confirmed by biometrics, has the corresponding private key. This means the server can ensure that the user’s device has the passkey without actually learning the passkey, thereby validating the user’s identity.
Why Passkeys Now?
Public key cryptography needs computing power, which was readily available in the advent of smartphones. Once perceived as vulnerabilities, these pocket computers can be transformed into the most significant shift for online security in decades, thanks to passkeys.
Safeguarding Your Passkey
With passkeys, if you lose your device, no one else can use your passkey. This is because passkeys require both the physical possession of your device and the ability to unlock it, something only you can do. If you lose your device containing your passkey, you can easily create a new passkey on your new device. Moreover, you can have multiple passkeys on various devices, even on devices shared with your family. The cryptography ensures that passkeys are only helpful to the user, no matter how many you have and wherever they are stored.
Benefits of Passkeys
Passkeys resolve several everyday security concerns. They put an end to passwords getting stolen, a common occurrence with regular data breaches. They also mitigate the imperfect and time-consuming authentication process, which individual users often shouldered. Lastly, passkeys can effectively curb phishing attempts to trick users into providing their credentials and personal details.
As technology evolves, earning trust and achieving widespread adoption takes time. However, by investing a little time in setting up passkeys, users can save a lot of time and mental energy while significantly enhancing their online security.