Come up with a new password. Don’t tell me ‘ABC123’ is your best guess. Or, the birthday of your ex. The first seven digits of pi? The word that describes the empty feeling inside you at the moment? Whatever you come up with, traditional letter-and-number passwords are as secure as the First Little Pig’s house of straw. All this is changing with passkey.
Keeping passwords organised (and secure) even with a password manager is a pain. That is why the FIDO Alliance has come up with a technology that appears far more secure and it will be everywhere in the coming days. No, we are not talking of next year or the year after. It’s happening now. FIDO or Fast Identity Online is a collaborative effort between Apple, Google, Microsoft and other tech companies that has come up with a standard, which is replacing passwords.
What are passkeys?
It’s an alternative to passwords and texted confirmation codes. With passwords, there is a string of characters that you need to remember and — with some effort — it can be discovered by anyone. Passkeys allow you to directly communicate with a trusted device, like your phone or laptop, to log in. What you need to do is verify your identity on the device using a PIN unlock code, biometrics such as your fingerprint or a face scan, or a more sophisticated physical security dongle. Basically, it eliminates passwords altogether.
In the password-less system, there is no human-readable information that gets transmitted between a device and the Internet. Your identity is verified when your device—say, a smartphone or a laptop—sends a one-use code that only that device could have generated. So, in a way, your device becomes the password.
Apple and Google are talking about it
Last week, Google announced that passkeys are rolling out to Google Account users globally while last year, Apple introduced it with iOS 16.
It’s important to note how passkeys work. While introducing the technology at WWDC, Darin Adler, VP, Internet Technologies, Apple said: “Hackers can use social engineering techniques like phishing to trick users into giving up their passwords. They can also breach a website directly to get access to all the passwords stored on its server…. Passkeys can’t be phished. Since the passkey never leaves your devices, hackers can’t trick you into sharing it on a fake website. And passkeys can’t be leaked because nothing secret is kept on a web server.”
Say you are an Apple user. If you visit a website that has implemented passkeys, you will see a new option for logging in, one that uses a device or the credentials stored in your iCloud Keychain. In case you don’t have an account on the site, it will ask you for some basic information and save the passkey to iCloud Keychain — no password needed. Once you register an account, the iCloud-based passkey is shared across Apple devices with the same Apple ID.
Apple introduced Passkeys at WWDC last year
Diving deeper, passkeys work by generating a pair of keys. There is a public key and there is a private key stored on the device. The public key is stored in the Cloud and shared between devices that have their own private keys. In case a server is compromised, the attacker will not have both keys to gain access to an account.
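To make the key-pair description above (and the “one-use code that only that device could have generated” from the earlier section) concrete, here is a small added model of a passkey login written for this article; it is not code from Apple, Google or the FIDO Alliance, and the names `Device`, `Server`, `Scenario` and the origins `https://bank.example` and `https://bank-login.example` are constructed for the example. The device keeps the private key and only ever emits a signature over a fresh server challenge; the server keeps only the public key. Binding the signed message to the origin the device thinks it is talking to is the simplified stand-in for the way WebAuthn includes the origin in the signed client data, which is what makes a relayed signature from a look-alike site useless at the real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device stands in for the user's phone or laptop. The private key is
// generated here and never leaves this struct; only signatures go out.
type Device struct {
	priv *ecdsa.PrivateKey
}

// Server stands in for the website. It stores one public key per account
// and remembers which challenges it has issued and which are already spent.
type Server struct {
	origin    string                      // the site's own identity, e.g. "https://bank.example"
	pubKeys   map[string]*ecdsa.PublicKey // account name -> registered public key
	challenge map[string]bool             // issued challenge -> already consumed?
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, challenge: map[string]bool{}}
}

// Register is the account-creation step: the device hands over its public key only.
func (s *Server) Register(account string, d *Device) {
	s.pubKeys[account] = &d.priv.PublicKey
}

// NewChallenge issues a fresh random value for exactly one login attempt.
func (s *Server) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	s.challenge[c] = false
	return c, nil
}

// signedMessage binds the challenge to the origin the device believes it is
// talking to, so a signature made for one site cannot be accepted by another.
func signedMessage(origin, challenge string) []byte {
	h := sha256.Sum256([]byte(origin + "|" + challenge))
	return h[:]
}

// Sign produces the "one-use code": a signature over this login's challenge.
// A real device would first require the PIN or biometric unlock.
func (d *Device) Sign(origin, challenge string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, signedMessage(origin, challenge))
}

// Login checks the signature against the stored public key and the server's
// own origin, and refuses challenges it never issued or has already accepted.
func (s *Server) Login(account, challenge string, sig []byte) error {
	consumed, issued := s.challenge[challenge]
	if !issued {
		return errors.New("unknown challenge")
	}
	if consumed {
		return errors.New("challenge already used")
	}
	pub, ok := s.pubKeys[account]
	if !ok {
		return errors.New("unknown account")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(s.origin, challenge), sig) {
		return errors.New("signature does not match registered public key")
	}
	s.challenge[challenge] = true
	return nil
}

// Scenario walks through the properties the article claims and reports whether
// each held: normal login accepted, replayed signature rejected, signature
// obtained by a look-alike site rejected, signature from a different key rejected.
func Scenario() (legit, replay, phish, wrongKey bool, err error) {
	phone, err := NewDevice()
	if err != nil {
		return
	}
	site := NewServer("https://bank.example") // constructed origin for the example
	site.Register("alice", phone)

	c, err := site.NewChallenge() // 1. normal login
	if err != nil {
		return
	}
	sig, err := phone.Sign(site.origin, c)
	if err != nil {
		return
	}
	legit = site.Login("alice", c, sig) == nil
	replay = site.Login("alice", c, sig) != nil // 2. same signature sent again

	c2, err := site.NewChallenge() // 3. look-alike site relays the real challenge
	if err != nil {
		return
	}
	phishedSig, err := phone.Sign("https://bank-login.example", c2)
	if err != nil {
		return
	}
	phish = site.Login("alice", c2, phishedSig) != nil

	other, err := NewDevice() // 4. copying the public key from the server gives no private key
	if err != nil {
		return
	}
	c3, err := site.NewChallenge()
	if err != nil {
		return
	}
	forged, err := other.Sign(site.origin, c3)
	if err != nil {
		return
	}
	wrongKey = site.Login("alice", c3, forged) != nil
	return
}

func main() {
	legit, replay, phish, wrongKey, err := Scenario()
	fmt.Println("login ok:", legit, "replay rejected:", replay, "phish rejected:", phish, "other key rejected:", wrongKey, err)
}
```

The point of the fourth case is the sentence above about a compromised server: everything the site holds for Alice is the public key, and that is enough to verify her signatures but not to produce one. Real deployments also tie the key to the site's domain and sync the private key only inside the end-to-end-encrypted keychain described later in the article.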
For those using Google accounts, there is something similar. “Unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes,” said Christiaan Brand, group product manager, Google, and Sriram Karra, senior product manager, Google.
Google is talking about Passkeys and it can have a wide impact on how we use devices
Why is it necessary?
The reason is as simple as our pattern when it comes to choosing passwords. We end up using easy-to-remember passwords and several studies have found that one of the most common passwords in use is “password123”. A more recent study by the password manager NordPass found that it’s now just “password”. And if we use too many complicated characters, we are certain to goof up.
There is the option of using a password manager, a software programme that can create and store complex passwords. It’s an added layer of protection but these managers need a master password, which needs to be protected. Take the case of LastPass, a well-known password management service; a few months ago it disclosed that hackers stole copies of usernames and passwords.
Stealing a phone doesn’t mean a hacker can log into your accounts because it’s secured with some kind of biometric—like your face or fingerprint. It’s one of the reasons why biometric readers are making their way into laptops, desktops and other devices.
What happens if you lose your phone?
Passkeys are synced to whatever Cloud storage method your device uses, which can be iCloud Keychain on Mac and iPhone or Google Password Manager on Android and ChromeOS. Even if you lose a device, the passkeys will be stored there, and you should be able to restore your passkeys to a new device. Being end-to-end encrypted, companies like Apple or Google cannot access passkeys. In case you need more security, you can use a physical security key, which doesn’t sync online.
Further, you can use it cross-platform. Say your passkey is on an iPhone and you want to use that passkey on a Windows laptop, you will see a prompt on the second device’s screen, asking you to scan a QR code, which you can do with your iPhone. Once you approve the login, you are good to go.
What happens to password managers?
Passkeys are not replacing password managers. It will take some time before every website supports passkeys. But both 1Password and Dashlane have announced passkey support.
But remember….
Hackers are highly motivated people and account recovery systems may become their next target. Second, in a password-less future, we will be more dependent on the phone. What happens if we leave it at home? What happens if the biometric software falters after encountering a bug? What happens if the phone battery dies and you need to log into an account immediately?