Coming up with a strong password is easy. Numbers, symbols, a combination of lower and upper case letters, and a good length — this not-so-secret recipe for a strong password is pretty much baked into our brains by the constant reminders we get every time we create an account online. But a password like that would look something like R&uf4#g⌀N3 or 5u9)hG^0OK — not something a person would easily remember.
Strong passwords are hard to remember, and easily remembered passwords are not strong. This problem of password memorisation birthed the need for password managers like Google Password Manager, 1Password, or iCloud Keychain.
These password managers save the username and password, allowing users to later use them on websites or apps with just one click. With a password manager, users can let it pick a strong password for use or pick their own string of letters, numbers, and symbols. In either case, the password manager eliminates the need to memorise or jot down the password.
However, this is not a secure method of storing sensitive data, because passwords saved in password managers can be retrieved in plain text from the device. Also, when a user tries to access an online account from a device that does not belong to them, these password managers are of no use.
Realising the insufficiency of passwords alone, the industry gravitated toward two-factor authentication or 2FA to add an extra layer of security.
With 2FA, users type in their username and password as usual and are then taken to a second screen asking for a One-Time Password (OTP), typically sent as a text message to the user’s registered phone number or generated by an app-based authenticator such as Google Authenticator or Microsoft Authenticator.
Despite its security merits, this method has its flaws, too: it adds extra login steps for users and increases operational costs for apps and websites, which pay for the OTPs sent via text message or for software tokens.
To eliminate the need for a second step and the hassle of storing or memorising passwords, Passkeys were created.
Passkeys, a combined effort of the FIDO Alliance and the W3C (World Wide Web Consortium), are a passwordless, secure, and fast cross-device authentication system that uses on-device biometrics or screen-lock authentication to verify the user, or owner of an account, and grant them access to their online accounts. It works like the PIN or pattern screen lock on Android, Apple’s Face ID and Touch ID, or Windows Hello, but with a subtle distinction.
While these screen locks offer limited functionality that is local to the device, Passkeys are used to access online accounts from any device, anywhere, anytime, without the need to memorise anything. That’s why Passkeys are backed by all the members of the FIDO Alliance, which include tech giants like Google, Microsoft, Apple, Intel, and Meta.
With Passkeys, users don’t need to set up a password. They are prompted to use the phone’s screen lock (e.g. PIN, pattern, Touch ID, or Face ID) to create an encrypted biometric signature that is stored on the device and works exclusively on the website for which it was created.
So, if a user, let’s say, creates a new Google Account with Passkeys or enables Passkeys from their Google Account settings on their iPhone, the generated Passkey will be stored on the iPhone and not on a remote server. The next time the user wants to log in to that Google Account, their iPhone will bring up a prompt to log in using the Passkey. Once tapped, it triggers the phone’s Face ID to biometrically authenticate the user and allows a passwordless login to their Google Account.
This process of logging in without a password is much faster than typing in a password and more secure than storing passwords in a password manager. Since Passkeys are stored locally on the device, there is no risk of them falling into a bad actor’s hands through a remote server whose security is beyond the user’s reach.
Also, the actual sensitive data never goes to the app or website. Only the public key, which identifies the exact Passkey that was created for that website on the user’s phone, is shared. Since no sensitive data is stored on the app’s or business’s server, there is no risk of a data breach exposing it either. Even if the public keys are harvested and readily available, they are of no use without the user’s phone and biometrics.
Since a Passkey only works for the website it was created for, it protects users from phishing attacks, too. The Passkey that was created for www.google.com will not work for something like www.g00gle.com, adding another layer of protection against bad actors on the internet.
Besides making signing in on websites and apps secure and easy, Passkeys also help businesses reduce costs by eliminating the need for an elaborate 2FA setup.
For even more seamless access to the user’s accounts online, Passkeys, like passwords, are also synced by password managers such as Google Password Manager or iCloud Keychain. That means if the user wishes to log in to that Google account from their PC, iCloud Keychain or Google Password Manager will import the Passkey to the other device automatically, provided both devices are set up with the same Google Account or Apple ID.
Passkeys also work on devices that the user doesn’t own. This comes in especially handy for people who use public or office computers, or want to check their email on a friend’s computer.
If the user wants to access the Google account they created on their iPhone and tries to log in from an office or public computer, they can use the browser to sign in with the Passkey. Since Passkeys are supported by all major operating systems, such as Windows, macOS, Android, and iOS, and by browsers such as Chrome and Safari, users can choose the option to log in using Passkeys.
In the Google Chrome browser, for instance, this brings up a QR code that the user scans with their iPhone. Scanning it establishes a connection between the iPhone and the public PC and prompts the user to unlock the screen on their phone. A successful unlock using Touch ID, Face ID, or Android’s PIN/pattern gives the user access to their Google account on the public computer without leaving their password on that device.
That is also how Passkeys protect users from keylogging malware: since no password is typed on the keyboard, there is nothing for the keylogger to capture.
For users, Passkeys offer a secure, hassle-free, passwordless login to their favourite apps and websites from any device. For developers, website admins, and businesses, Passkeys reduce costs by eliminating the need to send 2FA tokens or OTPs to users’ phones, while ensuring their user data is protected and out of hackers’ reach.
That’s why companies like Google, Apple, Microsoft, Facebook, TikTok, Amazon, eBay, PayPal, and Yahoo have already invested in this secure passwordless future. These companies and hundreds of others in the FIDO Alliance are joining the fight against online threats and are offering Passkeys as a login option or as a two-step security add-on to their accounts. When creating new accounts, Google now even prompts users to create a Passkey instead of a password.
Online authentication is slowly but surely moving towards a passwordless future where memorising passwords will soon seem like a bad dream that we are thankful to wake up from.
Author: Rifat Ahmed