Passkeys are the tech industry’s coordinated effort to kill the password. They are a more secure, faster way to sign in to apps and websites, built on the W3C WebAuthn and FIDO Alliance FIDO2 standards.
Here is a clear explanation of how passkeys work and whether they serve as an effective replacement for passwords.
How Passkeys Work
Passkeys use public key cryptography. Instead of one shared password, there’s a key pair:
- Public Key: The website gets this “padlock.” It isn’t a secret, so stealing it is useless.
- The Private Key: This stays on your side, kept in your device’s secure hardware (Apple’s Secure Enclave, a TPM, or Android’s hardware-backed keystore) or in a password manager’s end-to-end encrypted vault. Only it can produce the signature that the public key verifies. It is never sent to the website.
The Login Process:
- Registration: Your device generates the key pair, sends the public key to the server, and protects the private key with your device’s security (e.g., Face ID or PIN).
- Authentication: The website sends a fresh random challenge. You verify locally (for example with a fingerprint), then your device signs the challenge together with the site’s domain and origin using your private key. The website checks that signature with your public key and confirms the domain and challenge match what it expects, so neither a replayed response nor one produced for a different site is accepted.
With the basics understood, let’s evaluate how well passkeys replace passwords.
The short answer is yes: they are significantly safer than passwords. However, the transition to passkeys is still ongoing. Here is how they compare:
The Advantages (Why they win)
- Phishing-Resistant: A passkey is bound to the domain (the relying party ID) it was created for. Your browser or operating system only offers it to that domain, and the signed response includes the origin the site checks, so a look-alike domain cannot obtain a valid signature no matter how convincing the page looks. There is nothing for you to type into the wrong place.
- Resistant to Data Breaches: If a company’s credential database is dumped, there are no passwords or password hashes to crack. The attacker gets only public keys, which cannot be used to sign a login challenge. Other data about you may still leak; the breach just does not hand over your credential.
- No Password Fatigue: You don’t have to invent, remember, or rotate complex strings of characters. You log in the same way you unlock your phone.
- Stops Credential Stuffing: Each passkey is unique to one site, so a credential obtained from one website cannot be replayed against your other accounts.
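The registration and login ceremonies from the “How Passkeys Work” section, with the phishing-resistance and breach-resistance points above made concrete, as an added example written for this page; it is not code from the article or from any passkey provider. It simulates the browser, the authenticator and the website in one Go program. The domain names, the trimmed-down clientDataJSON and authenticatorData layouts, and the use of the bare host name as the RP ID are assumptions for illustration (real browsers use the registrable domain and the full WebAuthn encoding).

```go
package main

// Added example (not code from the article): a toy browser, authenticator and relying party in one process.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type (
	clientData    struct{ Type, Challenge, Origin string }       // reduced WebAuthn clientDataJSON
	Assertion     struct{ AuthData, ClientDataJSON, Sig []byte } // what the browser hands back to the site
	Authenticator struct{ keys map[string]*ecdsa.PrivateKey }    // private keys by RP ID; they never leave
	RelyingParty  struct {
		ID, Origin string
		pub        *ecdsa.PublicKey // the website stores only the public half
	}
)

// must panics on error; here an error can only mean the CSPRNG failed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register: a P-256 key pair is minted for rp.ID and only the public half is sent to the site.
func (a *Authenticator) Register(rp *RelyingParty) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	a.keys[rp.ID], rp.pub = priv, &priv.PublicKey
}

// BeginLogin issues the random, single-use challenge the site sends to the browser.
func (rp *RelyingParty) BeginLogin() string {
	c := make([]byte, 32)
	must(rand.Read(c))
	return base64.RawURLEncoding.EncodeToString(c)
}

// signedMessage is what the key signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(ad, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	m := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return m[:]
}

// browserGet models navigator.credentials.get(): the RP ID comes from the page origin, so a look-alike domain finds no passkey.
func browserGet(a *Authenticator, pageOrigin, challenge string) (*Assertion, error) {
	rpID := strings.TrimPrefix(pageOrigin, "https://") // simplification; real browsers use the registrable domain
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	cd := must(json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin}))
	h := sha256.Sum256([]byte(rpID))
	ad := append(h[:], 0x05) // authenticatorData reduced to rpIdHash || flags (UP=0x01 | UV=0x04)
	sig := must(ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd)))
	return &Assertion{AuthData: ad, ClientDataJSON: cd, Sig: sig}, nil
}

// FinishLogin is the server-side check; without the challenge and origin comparisons a validly signed assertion could be replayed or relayed from a phishing page.
func (rp *RelyingParty) FinishLogin(as *Assertion, expectedChallenge string) error {
	var cd clientData
	rpIDHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case json.Unmarshal(as.ClientDataJSON, &cd) != nil:
		return fmt.Errorf("malformed client data")
	case cd.Challenge != expectedChallenge:
		return fmt.Errorf("challenge mismatch (replay?)")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: %s", cd.Origin)
	case len(as.AuthData) != 33 || string(as.AuthData[:32]) != string(rpIDHash[:]) || as.AuthData[32]&0x04 == 0:
		return fmt.Errorf("authenticatorData is not for this site, or the user was not verified")
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Sig):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Demo: a genuine login, a replay of that assertion against a fresh challenge, and an attempt from a look-alike origin (example-bank.test is a made-up domain). A nil error means "accepted".
func Demo() (genuine, replay, phish error) {
	a, rp := NewAuthenticator(), &RelyingParty{ID: "example-bank.test", Origin: "https://example-bank.test"}
	a.Register(rp)
	ch := rp.BeginLogin()
	as, _ := browserGet(a, rp.Origin, ch) // cannot fail: a passkey exists for this RP ID
	genuine = rp.FinishLogin(as, ch)
	replay = rp.FinishLogin(as, rp.BeginLogin())
	_, phish = browserGet(a, "https://example-bank.test.evil.example", ch)
	return genuine, replay, phish
}
```

Call Demo() from a main or a test: the genuine login returns nil, the replayed assertion fails at the challenge comparison, and the look-alike origin never obtains a signature because the authenticator holds no key for that RP ID. Note what the website holds after Register: a public key and nothing else, which is why a database dump yields nothing an attacker can sign with. The server-side function is where real deployments go wrong; every comparison in FinishLogin is load-bearing.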
The Challenges (The growing pains)
- Ecosystem Syncing: Passkeys are often tied to the ecosystem that created them, for example iCloud Keychain on Apple devices or Google Password Manager on Android. Moving them to another platform or manager used to be clunky, but cross-platform password managers and the FIDO Alliance’s credential-exchange work are smoothing this out.
- Account Recovery: If you lose your device and your passkeys aren’t synced to a cloud account or password manager, recovering your accounts can be a headache. You then rely on the website’s fallback methods (such as email or SMS), which are less secure. Recovery becomes the weakest link: an account is only as phishing-resistant as its recovery path.
- Adoption Rates: While major companies such as Google, Apple, Amazon, and Microsoft support passkeys, many smaller websites and older systems have not yet adopted them, and many that have still keep a password or SMS code as a fallback, which preserves the old attack surface.
The Verdict
Passkeys are a massive leap forward in digital security and are a highly effective replacement for passwords. We are currently in a transitional “hybrid” phase where both exist, but the end goal is a completely password-less internet.
For another look at passkeys and their usability and implementation issues, see Bruce Schneier’s post: https://www.schneier.com/blog/archives/2024/02/on-passkey-usability.html