What are passkeys and how do they work?

A computer keyboard ready to accept a password (Dries Augustyns / Unsplash)

Most people agree that the way we log into websites and services doesn’t work.

The universally used username and password combination is annoying for users and not great from a security point of view. Between data breaches, the habit most people have of reusing the same easily guessed passwords across websites, and the ease of building fake sites to steal logins, the internet is clamoring for a better solution.

Well, one might finally be here: passkeys. These do away with passwords entirely, letting your phone vouch for your identity.

How do passkeys work and what are the disadvantages? Read on to find out.

What is a passkey?

Passkeys are a way to log into a website or service without a password to prove who you are. All you need is a device that guarantees your identity, most likely your smartphone*.

It sounds like a security nightmare, but it should prove to be much more secure than the somewhat buggy password system we used for the first few decades of the Internet.

“A simple yet secure login process is exactly what people need,” Jake Moore, Global Security Advisor at ESET, a software company specializing in cybersecurity, tells The Standard. “Passkeys offer a simple, fast and secure access solution. [They offer] a very positive impact on account security.”

For the user, the idea is to log into a website the same way you open your phone: with a PIN, fingerprint, or face scan. When you register for a site or service, your login is linked to a single device and you simply log in through that: no password to remember.

Behind the scenes, it’s much more technical, involving something called asymmetric cryptography. Each passkey is a pair of keys: a public key stored on the website you want to use and a private key that stays protected on your device. When you try to log in, the site sends your device a one-time challenge, your device signs it with the private key, and the site checks that signature against the public key. It will only grant you access if the two match.

If you’re not on the phone you registered with, say because you want to access a site on your Windows laptop, you’ll need to connect the laptop to your phone via Bluetooth. Alternatively, you’ll need to prove the phone is within range by scanning a QR code. It’s a bit like two-factor authentication, without the password.

“Before now, systems were either highly secure and not easy to use, or easy to use but very hackable,” Moore explains. “Linking these two together has long been a problem and so online accounts have come under fire.”

Passkeys are the first serious answer to being in the sweet spot between easy and secure.

* You can use a laptop or tablet as the authentication device. However, since most people will choose their smartphone, we’ll use “phone” as shorthand in the rest of this piece.

What’s wrong with using a password?

In theory, very little. In practice, almost everything.

We all know that we should make our passwords long and secure, ideally a random mix of letters, numbers and symbols that is impossible to guess. Each site also needs its own password, so that if or when a breach occurs, hackers cannot get into all your other accounts.

But we are human and these rules are really hard to follow. Who has the brain capacity to remember dozens of unique, nonsensical passwords for different sites? Password managers are great and highly recommended. But switching to one can take hours, and many of us are just taking a chance.

Passkeys are essentially an attempt to wean ourselves off bad password practices with minimal effort.

Why is a passkey better?

For starters, you don’t have to remember that unique string of characters, numbers, and letters for every website and service. Your phone will do that for you, assuming you have it with you.

It should all be simple enough — just confirm it’s you via a fingerprint, PIN, or Face ID, and it should all happen in the background. This is much easier than remembering whether the ‘$’ was before or after the ‘&’ in your 12-character password.

Second, because your device needs to be very close to you to log in, a hacker on the other side of the world can’t try to log into your account.

There are other security benefits as well. Data breaches should be annoying rather than potentially devastating (although companies will still need to protect identification and payment data). A passkey should also defeat fake phishing websites, because your device will recognise that the website isn’t the real deal and refuse to authenticate you.
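To make the two mechanisms above concrete (the public/private key exchange described under “What is a passkey?” and the refusal to authenticate to a fake site), here is an added Go example that is not from the article, from ESET or from any passkey vendor. It models the phone as an authenticator that holds private keys and the website as a relying party that holds only public keys, in a simplified form of the WebAuthn challenge/response flow. The domains example.com and examp1e.com, the user name alice and all function names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator stands in for the phone: one private key per site domain (rpID), never leaving the device.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty stands in for the website; it holds public keys only.
type RelyingParty struct {
	ID, Origin string                      // constructed: "example.com", "https://example.com"
	users      map[string]*ecdsa.PublicKey // username -> public key
}

type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion answers a login challenge; AuthData is simplified from WebAuthn to SHA-256(rpID).
type Assertion struct{ AuthData, ClientData, Sig []byte }

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, users: map[string]*ecdsa.PublicKey{}}
}

// signedMessage is the digest both sides compute independently: SHA-256(AuthData || SHA-256(ClientData)).
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Register makes a fresh P-256 key pair for rp.ID and enrolls only the public half with the site.
func (a Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID] = priv
	rp.users[user] = &priv.PublicKey
	return nil
}

// Sign answers a challenge; with no key for rpID there is nothing to sign, so a look-alike domain gets nothing.
func (a Authenticator) Sign(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail for this struct
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: rpHash[:], ClientData: cd, Sig: sig}, nil
}

// NewChallenge issues 32 fresh random bytes per login attempt, so an old assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify grants access only if rpID, origin and challenge are the ones this site expects
// and the signature checks out under the enrolled public key.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if want := sha256.Sum256([]byte(rp.ID)); !bytes.Equal(as.AuthData, want[:]) {
		return errors.New("rpID mismatch")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: signed for a different site")
	}
	if !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientData), as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

A genuine login is Register once, then NewChallenge, Sign and Verify for each visit. The example also shows what the article’s security claims rest on: a site at examp1e.com asking the phone to sign gets an error because no key exists for that domain; an assertion whose signed origin doesn’t match the site is rejected; an old assertion fails the challenge check; a phone that never registered, or a tampered signature, fails verification. The website’s table holds nothing but public keys, which is why a breach of it is an annoyance rather than a disaster.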

Currently, “threat actors are able to manipulate people with clever tricks, often through authentic-sounding text messages and phone calls,” Moore explains.

“With increased adoption of passkeys on websites and more support for helping people switch to them, however, most users may soon find themselves signing in more easily and securely without realizing it.”

What are the weaknesses of passkeys?

There are a few, but they don’t tend to be about security, per se.

The first is that you need your phone with you. If it’s broken, out of battery, or left at home, then you’re out of luck or a painful transfer between devices awaits (more on that in a moment).

The second is that sharing access gets a lot more complicated, something Netflix would be quite happy with but inconvenient for many. This is likely to be fixed in the long run; indeed, iPhone users can already share their passkeys with other iPhone users via AirDrop. However, it’s a lot more complicated than just telling someone your password, which again is good from a security standpoint.

What happens if I lose or change my phone?

For most people, losing your phone should only be a temporary annoyance. Passkeys sync via iCloud Keychain on Apple devices and via Google Password Manager on Android and ChromeOS, so restoring your passkeys should be straightforward once you’re back up and running. However, you may of course have some painful days where you can’t access things if, for example, you only have an iPhone and no Mac.

The difficulty comes if you decide you’ve had enough of an iPhone and want to try Android (or vice versa). Currently, there is no way to transfer passkeys between ecosystems. However, this is something that is actively being worked on and will likely be available well before passkeys are widely used.

Which sites support passkeys?

At the moment… not very many. The 1Password password manager keeps a current list and, at the time of writing, there were only 28, including Microsoft, PayPal, eBay and Virgin Media.

But with Microsoft, Google and Apple supporting passkeys, you can expect that to change quite quickly, with some experts predicting 2023 as the year we will see a move away from passwords.

“This adoption is likely to increase now that the big names in tech have taken over the technology, and we should see a tipping point soon,” Moore says.

But that move won’t be completed for some time. “I don’t think we’re going to see the end of the password for a long time, maybe generations yet,” Moore says. “There is still a need for the trusted password as some systems will need to be built from the design stage all the way to incorporating such secure technology.”

In the meantime, make sure your passwords are as secure as possible. “People need to make sure their passwords are all unique and that multi-factor authentication is enabled on all accounts,” Moore says.

But perhaps we can look forward to a day when this oft-repeated advice will be a thing of the past.
