For the longest time, the technology industry has been developing a future with password-free (passwordless) authentication. That future is now, with passkeys. But what are passkeys?
The FIDO Alliance was established almost ten years ago with the goal of lessening the dependence on passwords. And right now, the prospect of doing away with passwords appears to be a promising possibility.
Passkeys could remove the need for users to create and remember passwords and maintain good password hygiene. There are some restrictions, and passkeys are still in their infancy. However, there is a good chance that this will change fast, and they will end up entirely replacing passwords. People will become passwordless.
The rise of the Passkey
Apple was the first company to roll out passkey support and make it accessible. The company caused a stir in September by releasing support in its most recent iOS version. Apple soon followed by providing support for macOS Ventura in October. Apple passkeys let you use Face ID or Touch ID to sign into websites and applications.
Midway through October, as part of its beta initiative, Google stepped off the sideline. It started releasing initial passkey support for developers as well. The company announced support for other environments, such as Android apps and Google Chrome, in December of last year. Support for passkeys in third-party password managers on Android is still to come. Microsoft will also launch support this year for Windows 10 and Windows 11.
End-users will likely have the choice to use passkeys soon, but exactly when depends on the websites that support them. When they do have this option, users will be able to use passkeys synced through the cloud with Apple’s or Google’s Password Manager, by using biometrics or the security PIN on their second device.
How do Passkeys work?
Websites use an authenticator to give access to an account instead of the traditional way of entering a username and password. Usually, this authenticator is a different device that users own, like a smartphone. Users just fill in their e-mail address; their favorite password manager then starts the authentication process, and the second device gives a prompt.
The user then logs into their device with their regular PIN or biometrics, rather than the account they are attempting to access. In a sense, the account is then accessible due to the possession of the authenticator device rather than a given password.
Many of the drawbacks associated with passwords are due to a human element. Poor password hygiene, weak letter-number-symbol combinations, forgetfulness and using the same password for multiple accounts are no longer relevant issues. Hackers can now only access these accounts if they are in possession of the authenticator device as well.
Advantages and disadvantages of Passkeys
Passkeys have a variety of benefits. In practice, they are very similar to using a password manager, creating a strong password and verifying identification using biometrics. As a result, once users realize the benefits, they will not find the process difficult or complicated and are likely to quickly embrace this technology.
Passkeys remove the need for password requirements, so users no longer have to remember passwords. Users will only have to remember their login details for their Apple, Google or Microsoft accounts, or for another third-party password manager. Additionally, the details to sign in to their computers and the PIN for their smartphone are the only ones they will still need to remember.
Because passkeys can be synced and backed up, exported and imported, they are not restricted to use on a single device.
No more phishing
Security-wise, phishing ought to be technically impossible with passkeys. Even though fake websites might appear to be legitimate, they cannot take a passkey and transmit it to the real site because websites identify themselves through certificates. Passkeys are linked to the original domain or app, so fake phishing websites simply won’t work.
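The domain binding described above, and the sign-in flow from the previous section, can be seen in a small simulation. This is an added example, not code from any vendor mentioned in the article: the authenticator, browser and website are all simulated in Node.js, the names example.com, RP_ID and RP_ORIGIN are assumptions, and the browser's domain rule is simplified.

```javascript
// Added example: simulated authenticator, browser and relying party (not a real WebAuthn stack).
const crypto = require('node:crypto');

const RP_ID = 'example.com';             // assumed relying-party ID
const RP_ORIGIN = 'https://example.com'; // assumed legitimate origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: creates a key pair scoped to one relying-party ID.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Authenticator: signs authData || SHA-256(clientDataJSON), so the origin is covered.
function signAssertion(passkey, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authData = SHA-256(rpId) | flags (0x05 = user present + verified) | 4-byte counter
  const authData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), passkey.privateKey);
  return { clientDataJSON, authData, signature };
}

// Browser: only releases a passkey to a page whose host matches the rpId (simplified suffix rule).
function browserGet(passkey, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  const hostMatches = host === rpId || host.endsWith('.' + rpId);
  if (!hostMatches || passkey.rpId !== rpId) return null; // nothing is signed
  return signAssertion(passkey, pageOrigin, challenge);
}

// Relying party: returns 'ok' or the name of the first check that failed.
function verifyAssertion(assertion, publicKey, expectedChallenge) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad challenge';
  if (client.origin !== RP_ORIGIN) return 'bad origin';
  if (!assertion.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad rpIdHash';
  if ((assertion.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}
```

A sign-in from the real origin verifies, a page on a lookalike domain gets nothing from browserGet, and a response whose origin field was rewritten after signing fails the signature check on the website's side.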
There are some drawbacks, though. For the time being, websites will still give users the option to log in using either a passkey or a username/password combination. If users choose the latter, their accounts and information are still vulnerable to hacking or phishing.
Of course, users might lose access to their passkeys if they lose access to their Android, Windows or iCloud accounts. However, it seems crucial that passkeys be completely portable and not restricted to operating system providers. For this reason, a number of password managers such as 1Password, NordPass and Dashlane offer support for passkeys.
Last but not least, since passkeys are private, managing employee access to websites and services can be difficult for companies. Additional technology might be required before some businesses implement this type of credential management because corporate IT staff cannot access a user’s passkeys and cannot manage their use.