Goodbye Passwords, Hello Passkeys
Passwords are more than 60 years old, which is great if you're looking for a senior discount but not so great for online security. Passkeys, developed by the FIDO Alliance, are a modern replacement for passwords. They offer improved security and are resistant to almost all forms of attack. Let's explore how they work and why they're better.
The Password Problem
Passwords have served us well, but they're being compromised at an ever-increasing rate. As Norton noted in their blog post "139 password statistics to help you stay safe", billions of passwords have been exposed. The reason is simple: passwords are text.
Regardless of how long or complex a password is, its text format makes it easy to capture and copy. A password created for one site doesn't check if it's being used somewhere else. This is why people often reuse the same passwords across multiple sites, making them even more vulnerable.
When you think about everything you protect with a password—from social media to financial accounts—using a password that can be easily stolen and isn't unique to each site is a huge risk.
The Solution: Passkeys
Passkeys significantly reduce account takeovers (ATOs) by solving the problems inherent in traditional passwords. While exact figures vary, studies show that passkeys can reduce ATOs by 80–90% or more when they replace passwords and weak multi-factor authentication (MFA) methods like SMS one-time passwords (OTPs).
Why Passkeys Reduce ATOs
Phishing Resistance: Passkeys use public-key cryptography. The private key is stored securely in your password manager and is never shared. Passkeys are also tied to a specific domain (like Facebook.com or Apple.com), making them useless on fake websites. This feature eliminates phishing attacks, which are involved in over 50% of account compromises.
Elimination of Credential Stuffing: Since a passkey is unique to each account, it prevents credential reuse. Credential stuffing relies on reused passwords from data breaches, so passkeys make these attacks obsolete.
No Shared Secrets: Unlike passwords or SMS OTPs, which can be intercepted, passkeys don't rely on a shared secret that an attacker can steal. Even if a server is breached, the private key remains in your password manager, making the stolen data useless for authentication.
Resistance to Social Engineering: Passkeys often use biometrics or device-based authentication (like Face ID, a fingerprint, or a PIN), which are much harder to trick than SMS OTPs that can be extracted via social engineering or SIM swapping.
In short, a user's actions cannot be captured by a keylogger, a malicious website, or even a scammer on the phone. Best of all, you don't have to create, remember, or enter a long and complex password—you simply unlock your password manager, and the rest happens seamlessly.
How Do Passkeys Work?
Think of a passkey as a pair of keys: one is public and the other is private. This key pair is unique to each website you use.
- The public key is given to the website or app you want to log into. This key isn't a secret; it's like a unique lock you provide to the website.
- The private key is the secret part that never leaves your password manager. It's the only key that can open the lock created by the public key.
The concept is simple: every website holds its own unique public key, and only your password manager holds the matching private key, which is what lets it answer that website's sign-in challenge. Let's look at how the process works in a few steps.
How It Works
Creating a Passkey: When you create a passkey for the first time on a website, your password manager generates both a public and a private key. It sends the public key to the website, which stores it, but the private key stays in your password manager. Since this key pair is unique to that specific website, it won't work anywhere else.
Signing In: When you want to sign in again, the website sends a challenge to your password manager. This challenge is like a puzzle that can only be solved with your private key.
Authentication: Your password manager uses your private key to solve the challenge. It then sends the solution back to the website. The website uses the public key it stored when you created the passkey to verify that the solution is correct, and if it is, you're logged in.
Because your private key never leaves your password manager and is unique to the website, it's much harder for hackers to steal. Your phone, computer, or tablet uses a biometric check (like Face ID or a fingerprint) or a PIN to confirm it's really you before it uses the private key.
Why Use a Password Manager?
A good password manager, such as 1Password, Bitwarden, or Proton Pass, keeps your passkeys synchronized across platforms and devices. For example, if you have an iPhone and a Windows desktop, the password manager securely keeps the two in sync for you: a passkey you create on the desktop is available on the phone as well.
Passkey Adoption
More and more websites are adopting passkeys every day because ATOs impact them as well. Even large banks like Wells Fargo in the US are moving to passkeys to help secure accounts. If you have an existing account with a website, you may be prompted to create a passkey on your next login for additional security.
Resources like the 1Password Passkeys.directory and the Dashlane Passkey Directory can help you see if a website or service you use supports passkeys. Even the US Federal Government and several state and county agencies have moved to passkeys. As slow as governments can be to adopt modern solutions, this is a clear sign of how important passkeys are.
Switch to Passkeys
While not every website or service has adopted passkeys yet, make the important decision to protect your accounts with them whenever they're available. Choose an end-to-end encrypted password manager for all your devices and join the modern security movement.
Remember, we may not have anything to hide, but everything to protect.