Passkey to the (Passwordless) Future


What would it be like to live in a world without having to memorize and type a million passwords? Logging in without having to enter a password has been practically impossible - until now.

“What is a passkey?”

In recent years, tech giants such as Google, Apple, and Microsoft have been working together as part of the FIDO Alliance to resolve the complications attached to passwords and recently introduced "Passkey" technology as a joint effort to eliminate the password. “Passkey” is a new authentication method to log in to a web page or application securely and efficiently, replacing password and secondary authentication altogether. Instead, you’ll simply authenticate your log-in with a single approval, the same way you unlock your devices.

These days, passwords are not always strong enough to secure a system, which is why two-factor authentication, single sign-on, and biometrics were developed. However, implementing these consumes more resources, including time and money. The goal of the Passkey is to solve the security problem inherent in passwords, recuperate wasted time, and allow all of us to direct our attention to other aspects of our lives and jobs. In this article, we are going to explore how Passkey may transform the way we log into and interact with web-based services.

“How does a passkey work?”

The initial setup is easy. If a service supports the use of a passkey, it will generally show a prompt to set up Passkey authentication. This allows you to initiate the setup using a username or an email address, and as an added authenticator, you can set it up with one of your device's security functions, such as facial recognition, a fingerprint sensor, or a PIN/pattern. When logging in to the same service next time, you can simply select the username and authenticate the login with the method that was set up initially. That’s it! No need to type a username again, and a password is never involved in the process.

“What happens behind the scenes?”

Passkey has adopted public-key cryptographic technology, which involves a cryptographic key pair consisting of a public key and a private key. In a nutshell, when you configure the passkey, a private key is generated and securely stored inside the device on which it was generated. At the same time, a matching public key is generated and stored on the server of the respective website or application. You are granted access to the online service when your private key cryptographically signs a message to the server and the service verifies that signature with the stored public key. Since the important messages are exchanged using a secure cryptographic operation (using both public and private keys), the design does not require a password.
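
To make the exchange concrete, here is an added example (not code from any passkey provider) that models setup and sign-in with Node's built-in crypto module. It is a simplified model rather than the real WebAuthn message format; the function names, the user "alice", and both origins are constructed for illustration.

```javascript
// Added illustration (simplified model, not WebAuthn's message format).
const crypto = require("node:crypto");

// Device side: generates the key pair; the private key never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the only thing handed to the service at setup
    // Signs the server's challenge together with the origin the device is talking to.
    sign(challenge, origin) {
      return crypto.sign("sha256", Buffer.concat([challenge, Buffer.from(origin)]), privateKey);
    },
  };
}

// Service side: stores public keys only and issues single-use random challenges.
function createService(origin) {
  const publicKeys = new Map(); // username -> public key
  const pending = new Map();    // username -> outstanding challenge
  return {
    register(username, publicKey) { publicKeys.set(username, publicKey); },
    newChallenge(username) {
      const challenge = crypto.randomBytes(32);
      pending.set(username, challenge);
      return challenge;
    },
    verify(username, signature) {
      const challenge = pending.get(username);
      const publicKey = publicKeys.get(username);
      pending.delete(username); // a repeated response finds no challenge to match
      if (!challenge || !publicKey) return false;
      const expected = Buffer.concat([challenge, Buffer.from(origin)]);
      return crypto.verify("sha256", expected, publicKey, signature);
    },
  };
}

// Constructed scenario: the user "alice" and both origins are made up.
function demo() {
  const service = createService("https://shop.example");
  const device = createAuthenticator();
  service.register("alice", device.publicKey);
  const signature = device.sign(service.newChallenge("alice"), "https://shop.example");
  const genuine = service.verify("alice", signature);
  const repeated = service.verify("alice", signature); // same response sent twice
  // The device signs for the origin it actually sees, so another site's origin fails.
  const otherOrigin = device.sign(service.newChallenge("alice"), "https://shop-login.example");
  return { genuine, repeated, wrongOrigin: service.verify("alice", otherOrigin) };
}
console.log(demo());
```

The service never holds anything that could be used to sign in elsewhere: a copy of its stored public keys only lets someone check signatures, not create them.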

“Can I log in using a passkey from a different device?”

Passkey allows synchronization across multiple devices, and it is ready for use on both Google and Apple services in their related ecosystems. The passkey will be stored in Google Password Manager for Android and Chrome, and kept in the Apple keychain for Apple services and products.

“Will my passkey still work if I get a new device?”

When you replace an old Apple or Android device with a new one, the passkey can be retrieved from its associated ecosystem. For Windows PC users, passkeys are available in Windows 10 and later. To save the passkeys, you must first enable the Windows “Hello” service. Passkeys are only saved to the Windows PC locally, and the Windows “Hello” service does not yet have the ability to synchronize or back up and restore the passkey if your device is lost.

If you want to sign in from a different operating system than the one where you initially set up the passkey, you can use the QR code to help. The generated QR code will be provided by the application or website for you to scan on your new device, which contains the passkey. 

“What apps or websites support Passkey?”

As Passkey technology gains popularity, the list of supporting services will grow. Currently, these are some of the apps and websites that offer Passkey authentication technology.

  • 1Password

  • Adobe

  • Arpari

  • Best Buy

  • Binance (App)

  • CardPointers

  • CVS

  • Carnival

  • DocuSign

  • Docomo

  • eBay

  • GitHub

  • Google

  • Home Depot

  • Microsoft

  • Nvidia

  • Okta

  • PayPal

  • Shopify

  • Hyatt

  • TikTok

You can see a full and up-to-date list online here!

“What are the benefits of passkeys?”

  1. Better user experience: Passkey's cross-platform and cross-ecosystem support enhances the overall user experience. Because of fewer taps and a more efficient workflow, the login time is reduced compared to legacy sign-in methods. 

  2. More secure than a password: It is considerably safer from social engineering attacks such as phishing, credential stuffing, shoulder surfing, and other attacks we see every day which are mostly associated with passwords.

In a world where technology is continuously changing and evolving, our team of cybersecurity experts is dedicated to keeping up with the latest security technology trends. We are here to assist and provide expert guidance for passkey implementation. Contact our team today for a free consultation!

 
