Passkeys: What’s the big deal?
What’s your Netflix password? Now how about your Spotify password? Okay great.. What about Facebook? Now hopefully you aren’t reciting them aloud, but chances are you’ve either recalled similar or the same passwords, or didn’t bother to answer my question because they’re insanely complex and in your password manager (no offence taken, good job).
I don’t need to be the one to say that passwords are a part of our daily lives. We are constantly using them to login to our accounts, creating them to create new accounts, resetting them because we forgot what it was, being told that you can’t reset your password with a recently used password… The list goes on. This has obviously created problems related to reusing passwords and the security of where we store them.
So, password managers! A great way to manage the hundreds of accounts we may or may not realize we have, while maintaining the peace of mind and security of having our passwords unique and generated to be complex. The recent LastPass breach has been a major wake up call though, and proves that we need to be wary of how our passwords are stored and secured, even on widely popular password managers.
Passkeys are now becoming a way to sign-up and sign-in, they’re the latest FIDO implementation of a passwordless future. Using public key cryptography, each passkey is a cryptographic pair of keys, public and private, and generated when you sign up to a site that supports it. As the names suggest, the public key is shared with the service you sign up to, and stored on their servers. The private key stays on your device. When you try to log in, the server you’re signing into sends a challenge back to your device. Your designated private key will solve the challenge, signing it, and therefore authenticating you as.. you! The server can verify this with your public key, but does not need to know your private key. They also sync across your devices (like Apple’s iCloud implementation), so that if you lose or break a device, you can still access your accounts.
Why do we care?
Similar to the goal of password managers, passkeys eliminate the problems of phishing, social engineering, and passwords being guessed due to a lack of complexity. In the event of a company suffering a data breach, your public key may be compromised.. But your account stays safe! As long as your private key stays with you, the public key is of no value to an attacker, like a username without a password (But this time your password is not ‘qwerty123’ and subsequently brute forced)
If we take a look at a popular password manager, Dashlane, they promise ‘zero-knowledge encryption’. According to their Security Principles and Architecture:
“Access to the vault requires a User Master Password, which is only known to the account holder. This password is not stored on Dashlane’s servers and is not accessible to Dashlane employees. Dashlane uses a separate User Device Key to authenticate each person on its servers.”
This sounds a lot like what I described.. That’s because they both use public-key cryptography. The difference with Passkeys is that the ‘Master Password’ is not an traditional password, it is your biometrics that allow your private key to be used. So again, why should we care?
Currently, the secure way to sign into an account is by using a password, and a second factor of authentication. This can be an OTP (One Time Password, like an SMS code), a physical security key, or an Authenticator app. This ensures that in order to log in, the site requires you to have something you know (password), and something you have (security key).
A passkey meets these requirements in a single step, which simplifies the signing-in experience for the user, while maintaining a high degree of security. Instead of looking for your password, then checking your phone’s Authenticator app for a secondary code, you can simply use your handy fingerprint (no pun intended), or any other biometric factor your device supports, and like magic… You have a secure form of authentication set up and ready to go. This is not a secondary factor to your password, it is a replacement for your password.
Since each passkey is associated with a specific site, it is known as phishing-resistant, because your passkey will only work on the site that it was signed up on, reducing the worry of being tricked into logging into a replicated site made to steal your credentials.
So.. passkeys are awesome because they (say it with me)..
- Are phishing-resistant
- Keep your account secure, even in the event of a data breach
- Simplify the sign-up and sign-in process, while maintaining a high level of security
- Can’t be guessed
Passkeys are still very new, and limited in who offers them, but as of writing this, GitHub has announced support!
I’m very excited to see the adoption of passkeys, as it appears to be a much simpler and more secure way of signing in.
If you haven’t already, try it out yourself! I have provided a link below to test the process of generating and using a passkey:
All in all, passwords tend to be reused, phished, and vulnerable in the event of a data breach, and we know this. MFA (Multi Factor Authentication) works to prevent phishing and ensures sign-ins are validated by using a secondary factor alongside your password. Passkeys however, take this one step further by saving us a step, and generating a secure asymmetric key-pair for you. Thus, allowing you to log in with your biometrics, ensuring it’s really you, and keeping your account safe in the event of a server-side breach. It’s much simpler to use than it sounds, and I encourage you to try it out on a supported site or on the demo link I provided above.
What do you think of Passkeys? Let me know in the comments, I’d love to hear your thoughts!
