What Are Passkeys? Are They the Ultimate Password Killer?
On October 10, 2023, Google made passkeys a default sign-in option for all personal Google Accounts, a move made only a year after passkeys were first adopted for general use in October 2022. With now up to 20 major online services supporting passkey, is the technology on course to finally put an end to passwords?
Passwords are one of the oldest security mechanisms, dating back long before the digital age. Today, it remains the most widely used authentication method for accessing online services. However, with almost every online service requiring a user account, passwords are becoming increasingly difficult to manage and vulnerable to cyberattacks.
For many years, the digital service industry has made numerous efforts to eliminate the usage of passwords when signing into online accounts. To make sign-in more easy and secure, a wide range of alternative sign-in methods have been introduced over the past decade. These include one-time passwords (OTP) sent via SMS and email, hardware security keys, digital certificates based on public key infrastructure (PKI), and biometric authentication methods such as fingerprint and facial recognition.
So far, none of these advanced sign-in methods have been able to completely replace passwords. More often, they are used along with passwords in multi-factor authentication (MFA). Nevertheless, many of these sign-in methods have gained popularity due to their convenience and enhanced security. Fingerprint scanners and facial recognition have become the most widely used option to unlock smartphones, replacing the need for passwords.
With the growing usage of smartphones and biometrics authentication, industry experts saw the potential in a new authentication technology. Termed “passkey”, the digital credential was promoted by the World Wide Web Consortium and the FIDO Alliance, and was first popularized in 2022 by Google and Apple. In October 2022, Google announced passkey support for Android and Google Chrome, and later enabled passkey for personal Google Accounts in October 2023. Apple’s iOS and macOS have also been supporting passkeys since early 2023. As of November 2023, passkey is supported by up to 20 online services including PayPal, Shopify, Adobe, GitHub, Amazon, TikTok, Nintendo, Microsoft, WhatsApp, Uber, KAYAK, and more. Many banks also enabled passkey for mobile banking and transactions.
How to use a passkey?
Once a passkey is set up, the user can sign into their online accounts using the same authentication method they use to unlock their smartphone, tablet, or computer. For instance, for someone to sign into their Google Account, all they need to do is to unlock their phone.
How does a passkey work?
Passkey authentication is based on PKI technology. The passkey itself is a unique private key issued by the service provider and stored exclusively on a single device, inside a trusted environment such as a Trusted Platform Module (TPM) or secure enclave (SE). To sign into their account, the user first unlocks their device to prove they are the owner of the private key, then uses the private key to sign off a digital certificate, the latter part of which is automated. The service provider then uses the public key to verify the authenticity of the digital certificate and grant the user access to their account.
The convenience of passkeys
Despite a sophisticated verification process, all the user needs to do is unlock their device. As of November 2023, passkeys can be stored and implemented on Android, iOS, macOS, and Windows 11 (with Windows Hello) devices.
This doesn’t mean that the user needs to set up a passkey on every device. When the user tries to sign into their account on a device without the passkey (or a public device), they will receive a prompt on the primary device where the passkey is stored to unlock their device and accept the login request.
Depending on the operating system and browser, the user may not receive an automatic prompt. In some cases, they will be asked to scan a QR code on the screen using their primary device and accept the login request.
The user can also choose to synchronize a passkey across multiple devices under the same ecosystem. By storing their passkey in their Google Password Manager, the passkey gets synchronized across all Android devices linked to that Google Password Manager.
In the case of a shared account between family and friends, each person can create their unique passkey for their own devices. This ensures that one passkey is exclusively assigned to one owner.
How secure are passkeys?
Besides providing a convenient and seamless user experience, passkeys are also one of the most secure authentication options available.
Unlike passwords, passkeys are “unphishable” because there is no way for the user to give out their passkey to others.
They are also “unhackable” as they are stored in an isolated trusted environment within the device.
Unlike a physical security key, a passkey is “unstealable” because it only works when the user is in possession of their device. Even if a phone with the passkey is lost or stolen, whoever that has the phone will not be able to use the passkey without the user’s fingerprint or face.
Even the service provider has no possible means of accessing the user’s account, since both the public key and private key are needed for authentication.
Are passwords going away?
As of now, service providers like Google allow users to choose either passkey or password as the default sign-in option. For users who switch to the passkey option, password remains as an alternative sign-in method.
As more and more users switch to passkeys, the usage of passwords is expected to drop gradually over time. But unless every user opts out of password as their default sign-in option, password will not go extinct.
Therefore, yes—passwords are going away, but they will stay around for quite some time.