Moving Towards a Passwordless Future with Passkeys
Have you ever been hacked? If not, do you know someone else whose account has been compromised? Wouldn’t it be nice to have peace of mind knowing that your online accounts are safe and secure while you sleep? Well, you’d be pleased to know that top companies are collaborating to improve this authentication problem.
The Foreshadowing
I recently joined a hackathon where I first encountered passkeys. The overarching theme of the hackathon was to build something for social good but the underlying mission was to implement passwordless authentication using passkeys.
I had not thought about authentication for a long while. I used a password manager in order to automatically generate passwords for myself and, as a plus, I didn’t need to remember those passwords, which allowed me to avoid mental overhead in the future.
I assumed this was the case for most people in this day and age, but I was shocked to find out that most people still resorted to creating their own passwords. What’s worse is that these passwords are reused 64% of the time. That number will be more shocking once you find out that around 80% of data breaches are caused by such weak, reused passwords.
It’s clear now why organizations are working to fix this problem. In an era where information is power, no one wants any confidential information compromised because they used their birthday plus nickname combo as their password.
The Definition
Passwordless authentication comes in many forms, including magic links or SMS OTP messages, but what makes passkeys different?
I have mentioned that a group of companies, government agencies and other industries are collaborating to resolve the password problem. They are called the FIDO (Fast Identity Online) Alliance, and they have developed FIDO Authentication, most recently, FIDO2, in a joint effort with W3C (World Wide Web Consortium).
FIDO Authentication is an open standard of authentication protocols based on public key cryptography and it is implemented using passkeys. Now, I’ve just thrown a bunch of words at you but what does it all actually mean?
The idea behind it, in simple terms, is that you have two keys: the private key and the public key. You also have two main components: the client and the server. When registering at a FIDO authentication-enabled service, your device (or password manager) will generate a public-private key pair unique to that service, and this pair of keys is called a passkey.
The public key is sent to the server, and the private key is stored on the device (client) it was created on, be it your phone or your personal computer. When you need to log in to the same service, the server will send a challenge to verify that the device (client) is in possession of the private key. The device (client) will then digitally sign the challenge and send it back to the server, which verifies the signature using the public key it has stored. And voila, you have been granted access without using passwords!
It sounds complicated on paper, but this entire process happens quickly under the hood, so as a user, you will definitely benefit from its convenience and ease of use.
The Caveats
FIDO Authentication sounds great, doesn’t it? The “key” to unlocking your online account is securely saved on your personal device. This minimizes the risks of regular passwords, where hackers can brute-force a password or steal your credentials through a phishing website.
But does that mean that passwordless is safe? This will depend on what you mean by “safe”. Compared to existing password-based systems, it is definitely safer since the process is more involved. The hacker would need access to your device, and even then, they would need access to your biometric or your device PIN.
Can it be hacked? With enough passion, anyone can hack anything. But perhaps that is a problem for the future.
With all this, I’d like to ask you, have you tried passkeys before? What do you think about entering a passwordless future?
This article is based on the talk presented by Krizza Bullecer for the 114th Monthly Technical Session.