Passwords have been our first line of defense against hackers since the 1960s. But now they’re showing their age and limitations in the 21st-century data wars. Not even password managers are safe. Passkeys are now here to help. Here’s why you should switch and enjoy a more secure digital future.
What Is a Passkey?
A passkey is an authentication method that allows you to sign in to a website, service, or app without a password. Typically, passkeys use biometric data such as a face scan or fingerprint to verify the user’s identity before logging in.
How Do Passkeys Work?
Passkeys utilize what’s known as “public key cryptography.” When you make a passkey for a website or service, two digital keys are generated: one for you and one for the site. Your key is stored on your chosen device, such as a smartphone, computer, or even a USB drive, and the site’s key is stored on its servers. Both keys are required for you to log into the service.
The keys are similar to passwords in that both involve inputting text into a site or service to log in. However, passkeys are essentially unbreakable in comparison to passwords. Plus, you don’t need to remember them. The added benefit of storing your passkey on a dedicated device like a smartphone or laptop is that the device can use biometric data to verify your identity before handing your key over to the site to log you in.
Once you have a passkey for a site or service set up, your phone basically becomes your authentication device. And since nobody else has your face or fingerprints, it’s nigh unto impossible for bad actors to hack or phish your passkey since it requires both physical control of the device and biometric data that’s extremely difficult to fake.
How Is a Passkey Different Than a Password?
At this point, you might think that passkeys are simply longer passwords that computers make up for you. However, some key distinctions separate the two authentication methods.
Passkeys Are Mathematical Formulas
Rather than having a single password stored on a company’s server and in your memory (or password manager), passkeys have two components: public and private. The public key is kept by the service the passkey is generated for, and the private one is stored on your device. The two keys are mathematical complements of each other and are unbreakable by conventional hacking techniques.
Passkeys Are More Complex Than Passwords
Passwords rely on human brainpower to make them both strong and memorable. Unfortunately, that’s a difficult task for people to pull off, often leading to tradeoffs in one or the other aspect of a good password. Because passkeys are computer-generated, they can be far more random and un-hackable than their human-made counterparts.
Passkeys Use Hardware as Part of the Authentication Process
Passwords rely only on human memory to be effective, and anyone, anywhere, can try to hack a password to a website. But because private passkeys are stored locally on your device, only people with access to that device can attempt to log in to a service with a passkey. Think of your smartphone as the physical embodiment of your passkey.
Only You Have Access to Your Private Passkey
Once a passkey is stored on a device, it doesn’t ever actually leave it (unless you transfer it to another device). Instead, attempting to log into a site, app, or service sends a mathematical challenge to your authentication device based on your public key. Your authentication device then solves that challenge using your private passkey and logs you in. So, your passkey never actually gets inputted anywhere, making it much harder (nearly impossible) to steal, guess, or fake.
Why Are Passkeys Better Than Passwords?
You may be thinking, “This is all well and good, but I like my password strategy as it is.” Here are some key reasons why you should consider making the switch now.
Passkeys Are More Secure Than Passwords
Passkeys are far more secure than passwords for several reasons. Chief among them is that each passkey is unique. One of the biggest problems with human-generated passwords is that users often reuse or modify them for multiple sites and services, potentially putting all of someone’s accounts across the internet at risk if one password is hacked, phished, or guessed.
In most cases, users don’t even see an unencrypted passkey on the device it’s stored on. In preparation for this article, I created a passkey for Kayak.com and stored it on my Apple Keychain. When I looked at it in my keychain, it showed me that a passkey exists for this service, with no option to view it the way you can see an unhashed password. So, even if a scammer managed to pressure me to give up my unencrypted passkey vocally, it simply isn’t possible.
The other thing that makes passkeys far more secure than passwords is that they use biometric verification before transmitting the passkey on request. If I were to log into Kayak.com right now on my iPhone, it would use FaceID to confirm that it was, in fact, me logging into the service and not somebody else who happened to be holding my phone.
Passkeys Are More Convenient Than Passwords
One of the best things about passkeys is that you no longer need to type anything in when you log into a website with your authenticator device. Because your keys are stored locally on your device, that’s all you need. Sure, many programs will autofill your passwords when they’re stored in a browser or a password manager, but you still need to type in a password if you’re logging in from a new machine. If you attempt to log into a service with a passkey on a machine that’s not your authenticator, the service will display a QR code that you can scan. Your authenticator performs a biometric scan and sends the passkey to the service.
You Don’t Have to Remember Them
Most people know that having a unique, strong password for every internet service they use is vital to keeping their digital identity safe. But the limits of human creativity, memory, and ingenuity often hamper this endeavor. Many people use a mnemonic system to remember passwords or employ a password manager. Passkeys solve this issue by storing the keys on your device so that you don’t have to rely on your memory or an outside service to keep your accounts as secure as possible. And don’t worry about losing your device. The companies that support passkeys have developed recovery options to restore your access to your accounts if you ever lose your chosen authenticator.
Where Can You Use Passkeys Today?
Although the FIDO Alliance has been cooking up passkeys for a while, companies only started implementing them in 2022. So, they’re not ubiquitous yet. But they will be. The password manager 1Password has published a list of services that support the new technology. Major names include:
- BestBuy
- DocuSign
- eBay
- KAYAK
- Microsoft
- Nvidia
- Okta
- PayPal
- Robinhood
- Shopify
- Zoho
Plus, if you’re already using a password manager, it can likely store your passkeys for you. 1Password, Dashlane, LastPass, and more have all announced their support for passkeys.
Final Thoughts: Passkeys Are The Future of Digital Security
As we move further and further into the 21st century, it’s going to be necessary to leave many legacy aspects of the 20th behind. Passwords fall into that category. They’re simply too antiquated and vulnerable to rely on going forward. Passkeys solve nearly all the problems passwords create. And while they’re not perfect, they’re the best security innovation to come along in decades. So, it’s worth jumping on board now and securing your digital life.