Google reports that 78% of people routinely change their passwords, 61% of people reuse passwords across several online accounts, and 76% of people save passwords in their browsers, which puts them at risk of a security breach. Password security is a problem. According to research, using passwords makes them vulnerable to theft, leakage during data breaches, and simple guessing. Strong passwords are difficult to remember, whereas memorable passwords are simple to guess. Finding a balance between security and usability may be difficult. This blog will discuss solutions to these problems. It will provide users with the best, simplest, and safest method of logging into applications and websites. It represents a significant step towards a “passwordless future.” Fortunately, passkeys are a new form of authentication providing a more secure way to access your online accounts.
What is FIDO?
To address the password problem, FIDO (Fast Identity Online) is an open standard and industry initiative that aims to provide secure and convenient authentication methods, particularly for online services. It introduces stronger security measures while reducing the reliance on legacy authentication methods like SMS OTP and KBA (Knowledge Based Answers), which are difficult to remember and susceptible to various forms of attacks. FIDO enables passwordless or password-replacement authentication, leveraging biometrics (such as fingerprints or facial recognition) and/or secure hardware tokens (like USB keys) to verify a user’s identity. These advanced authentication methods enhance security, simplify the user experience, and reduce the risks associated with traditional password-based approaches.
In 2022, The FIDO Alliance whitepaper introduces the concept of “multi-device FIDO credentials,” which allows for the availability of secure login information across multiple devices. These credentials can also be termed “synchronised WebAuthn credentials.” However, when presented to end users, they are referred to as “passkeys.”
What are passkeys?
Passkeys are the further endorsement of the adoption of the FIDO passwordless standard, which is already supported by all the involved parties. FIDO required that cryptographic keys never leave the device until a few months ago, due to this major restriction using FIDO Authentication was a hard sell. However, Apple, Google and Microsoft announced their support for implementing passkey authentication as part of their respective authentication frameworks. Passkeys can be used across devices and operating systems, allowing users to securely authenticate themselves on Apple devices, Microsoft systems, and Google platforms.
Cloud-based storage and synchronisation of passkeys across multiple devices are convenient features provided by these authentication platforms. This functionality allows users to securely store their passkeys in the cloud and access them from various devices.
By leveraging cloud storage, users can easily synchronise their passkeys across devices such as smartphones, tablets, laptops, and desktop computers. This ensures that their passkeys are readily available whenever they need to authenticate themselves on different devices or platforms. To log in to their online account on a different device, users can scan a QR code through their smartphone where the passkey is registered provided the user accepts the sign-in on the phone when the phone is close to the laptop.
How are passkeys simple and secure?
An easier and safer alternative for passwords is passkeys. Instead of remembering or managing passwords, users can now log in to their online services through biometric sensors like fingerprint or facial recognition, PIN or pattern. In one single step, passkeys can act as a password and MFA, eliminating the hassle of entering OTP. A single implementation of passkeys allows a passwordless experience for a user on all of the devices that the user owns. Traditional biometric authentication requires being set up on each device. In contrast, passkeys can be created and registered at once, without the need for re-enrollment, allowing users to immediately use the registered passkeys.
A user cannot be tricked by a phishing attack, as the passkeys are secure and only the browser or the OS handles verification. With passkeys, instead of storing passwords, only the public key is saved on the server. This significantly reduces the value of the information in case an attacker gains access to it. Passkeys also act as a cost-saving factor since the need for generating an OTP is eliminated.
How do Passkeys work?
A passkey is essentially a passwordless authentication method. Instead of using a typical password, it uses a digital key to authenticate users. Passkeys make use of the public key cryptography-based WebAuthentication (also known as “WebAuthN”) standard. The operating system of the device creates a special pair of cryptographic keys that are associated with the account for the particular app or website when an account is created. The device generates secure sets of keys for each account that are unique to that account only.
Passkeys use a private key that is stored on the user’s device and a public key that is stored on the service provider’s server. When the user signs in, the service provider sends a challenge to the user’s device. The device then uses its private key to sign the challenge and sends the signed challenge back to the service provider. The service provider verifies the signature using the public key and grants access if the signature is valid.
As passkeys are synced across devices via the cloud, passkeys created on Android are stored in the Google Password Manager. Passkeys created on iOS or in Safari on macOS are stored in iCloud Keychain. Once a passkey is created and registered, the user can seamlessly switch to a new device and immediately use it without needing to re-enrol (unlike traditional biometric auth, which requires setup on each device)
Passwordless Future of Passkeys
Passkeys’ future will likely evolve alongside advancements in technology and security. Passkeys are the future of password technology. All major browsers and tech giants like Apple, Google and Microsoft have introduced full support for passkeys. In the upcoming years, passkey authentication is expected to spread more widely. It has many benefits over conventional password-based authentication, such as removing two-factor authentication and improved user experience along with phishing-resistant security than conventional authentication methods. Passkeys have established themselves as a significant and enduring authentication method, holding the potential to transform the landscape of authentication in the future. You can try it out yourself using this link: https://passkeys-demo.appspot.com/