Are passkeys the password killer we’ve all been waiting for? The future of authentication. 

Identity and Access Management, Passwordless / Nov 8, 2023

Authored by Funda Morkos.

In the digital landscape, traditional passwords have been the go-to option for protecting our online identities, but they bring along a multitude of problems. From the difficulty of remembering them to their vulnerability to theft and easy guessing, the shortcomings of passwords are evident. In fact, according to the Fast Identity Online (FIDO) Alliance, over 80% of data breaches can be traced back to passwords. The challenges of memorisation, coupled with the risks of weak choices, susceptibility to phishing, brute-force attacks, and the ever-present threat of data breaches, have collectively diminished the appeal of traditional passwords, emphasising the need for an alternative solution.

Enter passkeys, a new form of passwordless authentication. Driven by the FIDO Alliance and backed by industry giants like Apple, Google, Samsung, Microsoft, Yubico and 1Password, passkeys offer an approach to authentication that does away with entering usernames and passwords. Instead, passkeys leverage a device you already own, whether it’s a smartphone, tablet, or computer, together with public key cryptography, delivering a faster, simpler, and more secure authentication method.

So, what exactly are passkeys, and how do they work? Passkeys combine biometrics on your local device, such as Face ID, Touch ID, Windows Hello, or a PIN or swipe pattern, with asymmetric cryptography to provide single-action, multifactor authentication. Your experience as an end user is straightforward and user-friendly, involving the same actions you perform daily to unlock your device. Behind the scenes, the authentication process is more complex than traditional password authentication. It uses a pair of cryptographic keys: a public key, stored by the website or application you’re trying to access, and a private key, securely located on your local device and never transmitted over the network. When you attempt to access your account, the website or application server sends a challenge to your device. Your device signs the challenge with the private key, and the signed response is sent back for verification. Even in the event of a breach, malicious actors can’t obtain your passkey, as the private key remains securely on your device. Each passkey is unique to each application or website, enhancing security further. 

Your existing device serves as the foundation for passkey security, making it challenging for remote hackers to compromise, as they don’t have access to your physical device. To compromise your account, a malicious actor would need to accomplish two things: steal your physical device and then acquire your passkey. This two-step process creates a significant barrier for potential attackers, as they must not only physically possess your device but also secure the additional elements required for access.

The benefits of passkeys are clear: user-friendliness, no memorisation demands, exclusive keys for each account, and resistance to breaches. However, despite encouraging support and implementation by tech industry leaders, passkeys have not yet reached their full potential. Their adoption has been slow, and they are currently accessible only on a limited number of websites, applications, and services. The process of syncing passkeys across various devices via the cloud is still not seamless and is a work in progress. To ensure a high level of security, users still need to consider reinforcing their cloud account with biometrics or implementing reauthentication measures. Additionally, as passkeys are still in their infancy, they have not achieved universal availability across all operating systems and devices. 

So, the question remains: are passkeys the password killer we’ve all been waiting for? While they’re not there just yet, they certainly have the potential to transform the way we authenticate our online identities, making them strong contenders for the title of the “password killer.” As the story of passkeys unfolds, we can explore them where available and continue relying on multifactor authentication (MFA) and trusted password managers for a secure digital experience on platforms where passkeys have yet to make their mark. 

Image Credit Storyset by Freepix