What is your favorite pet's name? What is your mother's maiden name? Sound familiar? These are some of the security questions for password recovery that you may have encountered when trying to recover an account after forgetting your password.
Features like Google Password Manager save and autofill passwords for any website or application on your device, so you don't have to recall them from memory, saving you mental effort.
Even better, the introduction of Passkeys replaces the use of passwords entirely, eliminating the need to remember long, complex passwords with different characters for multiple websites or applications.
In this article, we'll discuss what a passkey is and how it impacts online security.
What is a Passkey?
A Passkey is a digital credential stored online. It is an implementation of the FIDO (Fast Identity Online) and WebAuthn standards, a set of open standard protocols intended to eliminate the use of passwords for authentication. In other words, FIDO promotes passwordless authentication for online applications and services.
One of the key properties of FIDO authentication is phishing resistance. Passwordless authentication is phishing-resistant because it relies on public key cryptography (public-private key pairs). No passwords are stored on the server, so even if a system were breached, there would be no password for the attacker to retrieve.
A Passkey, defined in more technical terms, is a discoverable web authentication credential.
Discoverable: This means that a passkey carries the user's information, such as the user ID, so it can authenticate the user to a system without the user having to type a username or password.
WebAuthn API: This is a web standard that enables websites and applications to use public key cryptography for passwordless authentication.
Credentials: These are cryptographic key pairs. The private key is stored on the user's device, and the matching public key resides on the server and is used to verify signatures or authenticity.
Passkeys also combine cryptography with biometric verification, whereby a person is identified by unique biological traits (fingerprint, face, voice, etc.) to produce a secure authentication.
Why was passkey introduced?
Many websites use methods to protect clients' credentials through password authentication; for example, users are prompted to create strong passwords that are hard to guess and resilient against phishing, brute force, or dictionary attacks.
Users are also advised to follow certain rules to protect themselves, like having unique passwords for every platform they register on, enabling multi-factor authentication, avoiding public Wi-Fi when logging in to sensitive accounts, etc.
Passkeys were introduced to replace passwords, which have many weaknesses. For example, people tend to reuse the same passwords across different sites, and passwords are often easy to guess, which makes it easier to gain access through attacks like brute force or phishing.
How secure is it to use a Passkey?
Passkeys are not stored on servers the way passwords are, so credentials can’t be stolen or hacked. Some of the security benefits of passkeys include:
Phishing Resistance: Since the private key is stored on the users’ devices, access cannot be gained via phishing.
Public/Private Key Pair: Each passkey is uniquely generated, and isn’t reusable across sites or applications, which makes them strong.
MFA: Passkeys support MFA by combining cryptography with biometric verification using biological traits like Face ID, fingerprint, etc.
Types of Passkeys
There are two types of passkeys:
Synced passkeys: The passkey is stored in a device's credential manager (e.g., Google Password Manager) and can be used across multiple systems or devices.
Device-bound passkeys: These are bound (assigned) to a single device; in other words, they cannot be synced to another device.
Benefits of Passkeys
Here are some benefits of passkeys:
Enhanced Security: Passkeys use cryptography for authentication, which consists of public and private keys. The private key is stored securely on the user's device, while the public key resides on the vendor's server.
When a user attempts to sign in to a website, for example, the system checks if the keys match. If they do not, the user is denied access. This makes it more secure compared to passwords, which are prone to brute force attacks and phishing, etc.
Ease of Use: Passkeys are convenient because you do not have to memorize multiple passwords full of special characters for various platforms. Users can instead unlock the device with biometrics like face or fingerprint, or with a PIN, to authenticate.
Synchronization: Passkeys are tied to a user's device, and you can allow them to sync across many devices. For example, if you create a passkey on your phone, you can sync it to your tablet or computer seamlessly without security concerns.
Limitations of Passkeys
There are some limitations to using passkeys:
Recovery: If you lose access to a device where the passkey is saved, it can be difficult to restore access if it's not backed up or synced with other devices or a cloud account. Many providers offer synchronisation to help users recover their accounts; however, if such a feature isn't enabled, the user may lose access to that account.
Support: Not all websites support passkeys, as their usage is still growing. Few websites offer the option to sign up with a passkey; some websites give existing users the option to switch from the password login method to a passkey. You can find a list of websites that support passkeys on passkeys.io.
What a typical Passkey Setup Looks Like
The idea behind the creation of the passkey is to enable a password-free future, and the setup involves creating a unique public/private key pair. In this quick tutorial, we’ll create a passkey for a Google account. After creating the passkey, our device will use it to log into our Google account with ease.
Step One: Go to your Gmail account and click on “Manage your Google Account”. In the sidebar you’ll find the option “Security”; click on it, and it’ll display a security page with options to set up 2FA and other security settings. If you scroll down a bit, you’ll find the option “Passkeys and security keys”.
Step Two: Click on that option. It may ask you to enter your password, and then direct you to a page that looks like this:
Step Three: After clicking on the passkey option, it reveals a modal that takes you to Windows settings. If you’re using a Windows device, click on “Enroll Windows Hello”. If you are using a Mac, you can simply click on “Create a passkey”.
After clicking on Enroll Windows Hello, it displays a modal with the option to “open settings”. After clicking on “open settings”, it redirects to a settings page on the device, which reveals sign-in options.
Note: In the image above, you can see options like fingerprint, facial recognition, PIN, etc. For these to be available, your device must already have a password set.
Step Four: We’ll use the PIN option to create a passkey. After you click on “Sign in with PIN”, it’ll display a Windows Security prompt to verify your account password.
After verifying your account, go back to Google and then click “Done”.
After you select Done, it’ll show another modal for you to create a passkey for your device, like the image below.
After you enter your PIN, you have successfully created a passkey.
And when you click “Ok”, you’ll see another modal that shows the passkey has been created successfully.
To test if this worked, log out of your Gmail account and try to log back in.
In the image above, you see that it gives the option to use your passkey. If you click “continue”, it opens a modal for you to sign in with your passkey.
After you enter the PIN you created, it’ll log you into your Google account.
This example shows a basic setup using a passkey on a single device. There are other ways to use a passkey, such as cross-device sign-in, where you use a passkey from one device to log in on another, or multi-platform login, where passkeys are synced across various devices through a cloud account.
Summary
A passkey is the evolution of the password; it replaces the username and password combination used to authenticate or identify a user. Passkeys are easy to set up and are great for various reasons: apart from the relief of not storing random strings of characters in one's brain, they are more secure than passwords.
Passkeys are still not fully adopted by some platforms but over time they'll likely be the preferred choice because they are more convenient and secure.
Frequently Asked Questions
How do passkeys reduce password reset support calls for online accounts?
Because passkeys eliminate the need to remember or reset complex passwords, they significantly cut down on password reset support calls. This not only enhances user experience but also reduces support costs for businesses managing online accounts.
How do passwordless authentication methods improve user experience compared to managing passwords?
Passwordless authentication methods eliminate the need for users to manage passwords, reset forgotten passwords, or remember complex password combinations. Instead, secure authentication methods like biometric authentication or one-time passwords sent to a user's device streamline the login process, making it faster, safer, and more satisfying for users.
How does passwordless authentication work with a user's device?
Passwordless authentication occurs when a user's device securely stores the user's private key, enabling them to gain access without entering a password. During the authentication process, only the user holding the private key can respond to a login challenge, ensuring secure access without risking password theft or weak passwords.
Is passwordless authentication safe compared to other authentication methods?
Yes, passwordless authentication is considered safer than authentication methods that rely on passwords. Because passwordless authentication eliminates the risks associated with forgotten passwords, password reuse, and password theft, it provides a secure authentication framework based on multifactor authentication and trusted devices like mobile phones, hardware tokens, and software tokens.
Jessica Agorye is a developer based in Lagos, Nigeria. A witty creative with a love for life, she is dedicated to sharing insights and inspiring others through her writing. With over 5 years of writing experience, she believes that content is king.