Passkeys: a Solution to Our Password Problem?
Imagine being able to access your online accounts as easily and securely as you unlock your smartphone or computer: with a PIN or biometric data like your face or a fingerprint instead of a username and password. You can access your accounts on any device, and a copy of your credentials stolen in a data breach or captured by a phishing page would be useless to an identity thief.
That might sound like technology from the distant future, but it exists today in many browsers and mobile devices and is arriving this year in many apps, websites, and online services. Passkeys will change how we log in to our online accounts.
Passkeys use a well-established technology, public-key cryptography, packaged in open standards (FIDO2 and WebAuthn) developed by an industry partnership known as the FIDO Alliance, together with the W3C. The FIDO Alliance's mission is to design and promote alternatives to passwords. Each passkey is a pair of keys: a private key that stays with you and a public key that the website keeps. Let's examine some of the issues with passwords, how passkeys work, and whether they're a better, more secure option than passwords.
The Problem with Passwords
We need passwords for almost everything we do online with computers and mobile devices like smartphones, tablets, and smart displays. As an IT consultant, I often see my clients struggle with passwords.
Most people's passwords are weak and can be guessed in seconds by automated tools, or recovered just as quickly from a leaked password database. People also frequently reuse the same simple passwords across multiple online accounts, so when your login information is stolen in a data breach at one site, attackers try it everywhere else, and every account that shares that password is compromised.
Strong passwords, meaning 12 to 14 or more characters generated at random (the usual rule of at least one capital letter, number, and a symbol like an exclamation point helps only if the password is also long and random), cannot practically be guessed. However, strong passwords require a password manager to generate, store, and retrieve them, and using a password manager becomes challenging in a hybrid environment with multiple devices and operating systems.
For example, I have a MacBook, an iPad, and an Android phone. My wife has a PC, an iPad, and an Android phone. Both are hybrid environments and require a third-party password manager to access our passwords across different operating systems and devices. We can access passwords on all our devices, but it takes additional setup and management many people don’t have the time or desire to do.
Also, password managers aren't a magical solution. You still need a password to access your saved passwords: the master password. If you forget your master password and don't have a written copy stored somewhere safe, you can lose access to all of your saved passwords. Password managers often accept biometrics like facial recognition or a fingerprint reader as a substitute for, or in addition to, the master password.
How do passkeys work?
Passkeys replace a username and password with a pair of cryptographic keys created and managed on your smartphone, tablet, or computer. The private key stays on your device; the website stores only the matching public key, which can verify your logins but cannot be used to perform one. Passkeys are available across your devices through services like iCloud Keychain or Google Password Manager, which sync an end-to-end encrypted copy of your FIDO credentials (the private keys).
After you create (or convert) a user account for an app, website, or online service to use passkeys, you log in with your mobile device or computer from then on. The site sends your device a one-time challenge; you unlock the device with your PIN, biometrics, or computer login password, and the device signs the challenge with the private key. The site checks the signature against your public key and lets you in.
You will no longer need to remember or store a lot of different passwords. Simply enter your device's PIN, scan your face or fingerprint, or type your computer password to log in to apps, online accounts, and services.
Are passkeys more secure than passwords?
Passkeys are a highly secure alternative to traditional username and password logins because nothing that could be used to log in as you ever leaves your device. The website holds only your public key, and your private key is used only after you unlock the device with your PIN, biometrics, or computer password. If a hacker or identity thief steals a website's account database in a data breach, the public keys in it are useless for impersonating you. A passkey is also tied to the website it was created for, so your device will not use it on a look-alike phishing site.
Your biometric data (facial scan or fingerprint) stays on your device and is never sent to the website or stored in the cloud. Any syncing of passkeys between your devices and the cloud is end-to-end encrypted, so the keys are undecipherable to the cloud provider or to anyone who intercepts them.
When can I start using passkeys?
Apple, Google, and Microsoft have all committed to passkey support, and much of it arrives during 2023. Passkey support is already available on iOS, Android, and ChromeOS. On macOS, Safari, Chrome, and Edge can sign in with a passkey, and on Windows, Chrome and Edge can do so using a nearby device (a phone or a security key).
However, most of us won't see widespread use of passkeys until apps and online services add passkey sign-in to their existing password-based login systems. Until then we'll have to muddle through with passwords and two-factor authentication, waiting for passkeys: a faster, more secure way of logging in to apps and online services.
A version of this post appears in the March 2023 edition of Prime Time News.