The death of the internet password has been predicted several times, but this time it may come sooner than you think. What will take its place? The passkey.
According to Kathleen Moriarty, chief technology officer of the Center for Internet Security, passkeys are the way of the future in fundamental internet security since they are innately more secure and phishing-resistant. The list of organisations offering passkeys as an alternative to passwords is growing as major companies such as Apple, Google, and Microsoft work with the standards developed by the FIDO Alliance and World Wide Web Consortium—two organisations that create password authentication standards—to provide support for passkeys on their platforms.
“Passkeys are an example of what security should be: seamless and invisible to the end user,” said Moriarty.
How passkeys work
A passkey enables an individual to obtain access to an account by accepting the login on an external device without the need for a password.
When a person connects to an account using a passkey, a prompt, also known as a challenge, is sent to another device owned by the user, such as their phone, allowing them to validate their login by entering a PIN or using biometrics such as their fingerprint or a facial scan. The user's device answers the challenge with the private key it holds, and the system the user is connecting to checks that answer against the matching public key it stores; the mathematical link between the two keys lets the system verify that only the holder of that device is logging into the account.
Avoiding human error, and hackers
Passkeys are far more secure than passwords, for a variety of reasons.
They give distinct authentication for each user to each application—each challenge supplied by the server is fresh, so the response is unique every time. Mutual authentication happens when the server authenticates the user, making them less vulnerable to cyberattacks. Gaining access to the key is far more difficult, because hackers must have access to both the public key on the application and the private key on the user’s device in order to gain access to their account.
A significant issue with passwords is that people prefer to use the same or very similar phrases for their passwords across various platforms to make them simpler to remember, and they frequently contain personal information. Worse, using basic passwords (such as “abc123” or “password”) makes it easy for hackers to get access to people’s accounts. This means that a hacker might gain access to several accounts owned by a person simply by determining their password for a single website or platform.
Passkeys address this problem since they reduce the possibility of human mistakes that might lead to security difficulties. Passkeys are never reused since each one is unique to the individual user as well as the application.
“You’ve been warned in the past, don’t use passwords between different applications,” Moriarty said. “Passkeys by design prevent any reuse, so that you’re not going to get exposure if your key for one application is exposed for another because they’re completely separate.”
Other efforts have been made to improve password security even when not utilising a passkey, such as using a password manager that securely stores passwords and other sensitive information in a browser or a separate app. However, those programmes are not completely secure, as demonstrated by the August 2022 breach of LastPass, one of the world’s largest password managers.
Regardless, users should take certain steps to improve the security of their passwords. According to the current Microsoft Digital Defense Report, the volume of password attacks has increased to an estimated 921 attacks per second, a 74% increase in one year.
Phishing-resistant authentication will soon be the norm
Most major operating systems currently support passkey use. Passkeys are now supported in Apple’s latest updates, iOS 16 for iPhones and macOS Ventura for Macs. In December 2022, Google began rolling out passkey support for Chrome on Android, Windows, and macOS.
The federal government plans to fully convert to phishing-resistant types of authentication by the end of 2024.
“Major operating systems now have full support where there was only partial support (previously),” Moriarty said. “So this turnaround and push for the support of passkeys is pretty fast now.”
Internet service and device risks
Because passkeys are a relatively new method of logging into personal accounts, not all services support them yet, though they are becoming more prevalent.
The sole downside of using passkeys arises if a user loses the secondary device they use to access their accounts. If this occurs, the passkey must be reset, so it is advised that a backup device be kept on hand to avoid this problem.