Passkeys and the Future of No Passwords

Tech giants such as Apple and Google are not always on the same page when it comes to innovation. Take the RCS vs iMessage debate, for instance. However, if there’s one thing they have agreed on over the years, it’s the death of passwords and the adoption of the next step in online security – passkeys. As this report shows, many of us pick the weakest passwords, which are easy to crack. So it is understandable that tech companies want an alternative to passwords. This is also something other companies such as Microsoft and PayPal have been adopting.

But exactly what are passkeys and how do they work? More importantly, exactly how are they any different from the passwords we’ve been using for about half a century now? Let’s have a quick look at the tech in today’s edition of Tech InDepth.

Why are passwords not enough today?

Despite innovations such as facial recognition and fingerprint scanners, individual identity credentials on the web continue to be ruled by passwords. Passwords can bypass other forms of identity confirmation such as facial or fingerprint recognition. Even portals where your account is protected by a combination of a password and a passkey are not completely safe, as advanced attack methods that involve SIM duplication can still let attackers get around this.

It also doesn’t help that most users create very easy-to-crack passwords. A recent NordPass report showed that India’s most common passwords included ‘password’, ‘123456’, ‘pass@123’ and ‘abcd1234’ and that matters are not very different in other countries either. Most of these passwords are also reportedly crackable in under a second with modern tools and software.

What are passkeys?

Passkeys are a more secure way of logging in. They are also being touted as a technology that will eventually replace passwords, and with them the risks of breaches, hacks and identity theft. Apple, Microsoft and Google are all working on passkeys and aiming to make their platforms and accounts password-free in the next few years. The decision is also expected to be taken up by other members of the FIDO Alliance, which includes companies such as Amazon, Intel, Lenovo, Visa and many more. When passkeys are implemented, users will be able to log into their accounts much as they do now, using auto-fill services like the ones browsers already feature today.

How exactly do passkeys work?

Understanding passkeys can be a little tricky, mostly since we’ve become so used to passwords for so long. So let’s have a quick recap of that before we get into passkeys so we can understand the difference in implementation.

When you use a password, the website you are accessing has a copy of the password as do you. When you enter your password, say ‘abcd1234’, the website will compare what you’ve entered with an exact copy of that password stored on its server. It will then either authenticate your login attempt or ask you to try again.

This compromises the actual password on three separate levels. A copy of the ‘abcd1234’ password exists with the user, who may lose it, give it up intentionally/accidentally or store it or write it down in an unsecured location from where it may be extracted. Another copy of the same ‘abcd1234’ also exists with the website server, which can be thrown out in the open in the event of a mass data breach.

Even if the password is safe for both the user and the website server, an attacker can intercept the interaction between the two to obtain the password using methods like phishing or keyboard logging. Enter passkeys, based on something called public-key cryptography.

Instead of having two vulnerable copies of the password with both the user and the server, the user will have a unique passkey on their device – a strongly encrypted piece of code that will never leave the device (a phone or laptop for instance). This is the private key.

Then there is another key with the server, called the public key. What’s important here is that you cannot guess one key from the other. However, a unique match is created. Thus anything encrypted with one of the two keys can only be decrypted by the other.

So, when you actually try to log in, the server sends a puzzle that is encrypted with its public key. Only your device, the one holding the private key, can decrypt the puzzle and send it back, letting the website know that it is the authentic you trying to log in, without your private key ever leaving your device.

Here’s a brilliant video by YouTube channel Computerphile that will help you visually understand public key cryptography in under seven minutes.

Why is this better?

Passkeys are much more secure and eliminate most vulnerabilities associated with passwords quite easily. For instance, since the private key never actually leaves the confines of the device you’re using, these cannot be intercepted, viewed or copied.

The puzzle that comes from the server’s public key will also only respond to the private key on your device, meaning it cannot be modified, duplicated or tampered with while en route to your device.

Moreover, a private key and its matching public key will only interact with each other, eliminating the possibility of some other private key being able to decrypt information encrypted with your public key. While creating a passkey, the device will use its existing security such as fingerprints and Bluetooth proximity, which is a one-time process.

A password-free future is closer than you think

Apple has already started using passkeys with select websites and services, a list that is expected to grow soon since announcing passkeys at WWDC earlier this year. Meanwhile, Google is set to bring passkey support to Android and ChromeOS soon. The two tech giants along with Microsoft are set to go passwordless by next year. Other manufacturers and companies are expected to follow suit in the years to come.
