Passkey – The end of passwords as we know it
Security is more important than ever. Our exposure to the Internet and use of social media and online services makes it vital to properly protect things. Ever since passwords came into use, they have proven to be one of the weakest links in most security setups. The simple reason is human behavior. Thinking of a good password is one thing, but thinking of many good passwords AND remembering them all is something else. Over the years, password generators, password managers, two-factor authentication, and multi-factor authentication have come to help us. But even that has not proven sufficient. The next thing? Passkey!
If you are interested in reading more about the threats of cybercrime and how digital threats exist in today’s online environment, I suggest reading the Microsoft Digital Defense report. It includes details about trends in phishing attacks, where hackers try to get access to login information (Office 365, OneDrive, and other Microsoft services). Download the full report for details (pg 21).
What is a passkey?
Passkeys are not something recent or new. They have been in development for years and probably will develop a lot more in the coming years. In essence, passkeys are authentication devices that allow you to log into services. They replace passwords. Authentication happens on one of your devices using biometric data (voice, fingerprint, face recognition), or even a PIN. Once authenticated, the device can now act as a security token to generate access to other services that support passkey. No need to type a password anymore or use two-factor authentication.
The benefits of passkeys
No sharing of data – the passkey device identifies you. After that, a security token is generated that is shared with the service that you try to access. No need to share any personal information that you have not indicated you are willing to share.
Very secure – hardware-based identification and protection. Your passkey is encrypted and stored on your device(s). The device only generates unique access signatures to access services and logins. The passkey itself is not used. Additionally, during passkey validation and login, the host is verified. Fake sites getting your access credentials should also be a thing of the past.
Ease-of-use – no need to generate, remember and enter multiple passwords. Login is quick and easy. Log in directly with your passkey, or scan a QR code on a nearby device with a passkey. A note here: nearby means that the proximity of the device is checked over Bluetooth. Ease-of-use also means no need to put your login credentials for the same service on different devices. Signed up to Netflix on your phone and need to log in on your laptop? No need to type the credentials again.
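The "unique access signatures" and host verification described in the benefits above can be shown with a simplified model of the WebAuthn check that passkeys build on. This is an added example, not code from the original article or from the FIDO Alliance; the function names (`deviceSign`, `verifyAssertion`, `demo`) and the sample domains are constructed for illustration.

```javascript
// Added example: simplified model of the passkey (WebAuthn) login check.
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Device side: the private key stays on the device; only a signature leaves it.
function deviceSign(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin, // recorded by the browser, not chosen by the page
  }));
  // authenticatorData: SHA-256(rpId) | flags (0x01 = user present) | 4-byte counter
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Service side: accept only a fresh challenge, the real origin and a valid signature.
function verifyAssertion(publicKey, expected, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId mismatch";
  if ((a.authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed sample data: example.com is the real service, examp1e.test a lookalike.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const expected = { rpId: "example.com", origin: "https://example.com", challenge: crypto.randomBytes(32) };
  const sign = (origin, challenge) => deviceSign(privateKey, expected.rpId, origin, challenge);
  const genuine = sign(expected.origin, expected.challenge);
  const lookalike = sign("https://examp1e.test", expected.challenge); // signed on a fake page
  const replay = sign(expected.origin, crypto.randomBytes(32)); // signature for another login
  const edited = lookalike.clientDataJSON.toString().replace("https://examp1e.test", expected.origin);
  const tampered = { ...lookalike, clientDataJSON: Buffer.from(edited) }; // origin rewritten after signing
  const check = (a) => verifyAssertion(publicKey, expected, a);
  return { genuine: check(genuine), lookalike: check(lookalike), replay: check(replay), tampered: check(tampered) };
}
```

The service stores only the public key, so a breach on its side exposes nothing that can be used to log in elsewhere.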
Who is behind passkey?
This is one of the great strengths of passkey. The initiative is not owned by a single company but is an open industry association. It is called the Fast IDentity Online Alliance, or FIDO Alliance. All the big names are members of the association and support the implementation of the standard. Google, Microsoft, Apple, Intel, and Amazon are just a few member names, but all major tech companies as well as anyone wanting to offer secure access to their services will be a member.
The organization has been in existence for quite some years. But only now, with the increased adoption of biometric security and an increasing need for better security, is it getting momentum.
Drawbacks and limitations
One of the main limitations till now is the support for the standard. If not all devices and not all services are supporting passkey, the implementation by developers and adoption by users will take time. Luckily, that is changing fast: the latest versions of Apple, Windows, and Android devices have support for passkeys. It is important to also use the latest software versions of the operating system and web browsers.
Maybe a bigger concern from a user perspective is the loss or theft of a device. The main difference with passwords is that in the case of a passkey device, you would know that it is not with you anymore. A password can be used without your knowledge, but in the case of a passkey device, you would be able to take action right away. What action? Reset the passkey, so the stolen or lost device cannot be used anymore.
How this is implemented will depend on the provider of the passkey device. Passkeys can be synchronized, so other devices can be used to reset your passkey. If no other device is registered and synched, you may need to fall back on doing it online, through older identification methods like email, text, or a phone call.
A concern that some people may have with biometric identification is sharing that data in the first place. Concerns about where things are stored, and how personal information is encrypted, protected, and gets shared have been a problem for a long time. The only way to deal with that is to use a PIN instead of a biometric property to secure your passkey device. Actually, something you would already opt for if you have such concerns.
The legal concerns regarding sensitive personal data are an aspect that needs to be continuously addressed. On a government level, privacy acts are defined and regulated by state, country, and other levels (think of the EU GDPR). Adherence to that by companies and organisations requires a lot of effort.
For scenarios where you need to use a QR code to verify a nearby device and use the passkey from that device, the concept of QR code scanning and relying on a Bluetooth connection is definitely a compromise. The need for these cases should however dwindle over time with the increased support of passkeys and synchronization across devices.
What is next?
Broadscale adoption and implementation of passkeys. With people using newer phones, laptops, tablets, and other devices, support for passkey will increase. Implementation will gradually progress by vendors and service providers adopting passkey authentication.
As usual, technology is not the main bottleneck. It is the process of everybody implementing the standard to allow passkey synchronization across devices to take place. If you identify with your Apple device, you want to be able to use it on Windows and Android too. And vice versa. Most people have multiple different devices, so synchronizing passkeys is necessary to make the experience as user-friendly as possible. Apple already synchronizes passkeys with the iCloud Keychain, but they are not synced with other vendors.
In the long run, passkey will help us be more secure online. No more phishing attacks that get credentials to be abused. No more brute-force password hacking. But it will take a while before all devices, websites and online services support passkey. And with an increased importance on the passkey device, device protection will become more important.
If you are using a password manager to keep track of your passwords, it is good to know that even password managers will start supporting passkey as a security measure. Read more on the password manager review.