passkey

What is a passkey?

A passkey is an alternative method of user authentication that eliminates the need for usernames and passwords. Rather than relying on old login methods that are susceptible to phishing attacks, hacking attempts, keyloggers, data breaches and other security flaws, websites and apps can use passkeys to verify a user's login credentials. Passkeys are only stored on the user's device, so there is no password to be intercepted by would-be scammers.

Cybersecurity professionals have long stressed the importance of strong passwords to prevent security vulnerabilities. But because web users often create weak passwords or reuse passwords, two-factor authentication was developed, in which registered accounts are confirmed with phone calls, text messages or emails. While that practice adds a second layer of security, it still does not address the underlying problem: Passwords are inherently vulnerable to phishing and other attacks designed to steal or bypass credentials. Two-factor authentication only made things somewhat more difficult for fraudsters.

The origin of passkeys

The passkey idea first took hold in 2009, when Validity Sensors -- acquired by Synaptics in 2013 -- and PayPal jointly developed the concept of using biometrics in place of passwords for online identification. Along with several other tech leaders, they founded the FIDO Alliance, a web security collective, in July 2012. FIDO publicly announced its initiatives in February 2013. Google joined in April 2013. In February 2014, PayPal and Samsung launched the first public deployment of Fast Identity Online (FIDO) authentication with Samsung's Galaxy S5 smartphone. Users of the device could, for the first time, authenticate PayPal with a swipe of a finger and shop online without having to enter a password to complete the transaction payment.

Passkey use is growing

Much of passkey's underlying technology has already been integrated into everyday tech life, such as two-factor authentication and biometric systems that rely on a user's face or fingerprint to unlock a device or otherwise provide authentication. However, passwords remain the standard method of access to websites and software programs -- and therefore remain a potential security vulnerability.

According to FIDO, traditional passwords create both security risks and friction in the user experience. The alliance claims that more than 80% of data breaches are the result of compromised passwords, a problem exacerbated by the fact that passwords are frequently reused -- up to 51%. FIDO also claims that one-third of all online purchases are lost due to customers forgetting an account password, which prevents them from completing the checkout process.

Apple promotes passkeys

Awareness of passkey technology has been accelerated by Apple. At its June 2022 Worldwide Developers Conference, Apple publicly announced its passkey feature, which is included in iOS 16 and macOS Ventura. Passkeys are also integrated into the iPhone 14.

Apple's passkey feature uses existing iOS technology powering its Touch ID and Face ID features. Websites that support passkeys allow users to create accounts and log in using their fingerprint or facial image instead of a password to authenticate their credentials.

Apple passkeys use the iCloud Keychain password management system to back up passkeys and sync them across all of a user's Apple devices. This means users will be able to create a passkey for a website while on their phone, and then use that same passkey to log in to that website later while using an iPad, for example.

How does a passkey work?

When you attempt to log in to a site that uses passkey technology, the site will send a push notification to the smartphone you used when you registered the account. When you use your face, fingerprint or personal identification number (PIN) to unlock the device, it will create a unique passkey and communicate it to the website you are attempting to access. At that point, you will be logged in, all without your login information or biometric data being transmitted via a potentially insecure Wi-Fi connection or needing to be typed out.

Passkeys are similar to two-factor authentication, in which users enter a password as usual on a website or app, and are then sent a push notification to their phone or email to give the site or app permission to grant the login request. Besides requiring a traditional password, two-factor authentication also differs from passkeys in that it uses Wi-Fi. Passkeys, on the other hand, use Bluetooth because the physical limitations of the technology mean that a user will need to have the authenticating device nearby. This further limits the chances of a scammer or hacker accessing a user's account.

Passkeys, which are based on the Web Authentication API, only work for the website on which they are created. The passkeys are then stored on the user's device instead of on a physical or cloud-based server.

To date, Apple has the most thorough explanation of how passkeys work within its tech ecosystem. Apple's iCloud Keychain service stores its cryptographic keys in a rate-limited way to prevent brute-force attacks. The keys are recoverable even if all of a user's devices are lost or compromised. If you are new to the Apple world and setting up your first iOS device, you will need to set up two-factor authentication first. If you want to add a new device, you will need your Apple ID password and the six-digit code sent to another trusted device or phone number via a push notification.

For example, suppose you begin with an iPhone. You would set up two-factor authentication the first time you use it and establish your Apple ID. When you want to make a purchase or complete some other secured transaction, you will need to enter your Apple ID password and check your iPhone -- or whatever device you used to set up your two-factor authentication initially -- for the six-digit code that has been sent to you. When you enter the code, the new device will be added to what Apple calls the "circle of trust" formed by the iCloud Keychain. Think of this "circle" as a chain, and your devices represent links that get added to the chain as you set them up.

When you need to log in to a website on a computer you don't normally use -- regardless of whether you are using an Apple, Microsoft or Google product -- with passkey technology enabled, the login screen on the website will have a quick response code for you to scan with your phone. With Bluetooth enabled on your phone and the phone within Bluetooth frequency range of the device you're trying to log in on, you will receive a push notification to use biometric identification or a PIN on your phone. Once you do that, your phone will give the website the all-clear and allow you to log in.

Companies that use passkeys

Apple isn't the only company in the passwordless login game. Google supports passkeys on the Google Chrome browser, on Android devices and across all Google accounts, including Gmail and Drive.

Similarly, Microsoft has included passkeys on its Windows operating system through the Windows Hello program that allows users to log in with a pin and biometric authentication. Passwordless logins will undoubtedly be the way forward, but as with any new technology, the pace of implementation will vary.

FIDO keeps an up-to-date list of companies using its technology. Here are some of the major players that have adopted passkey tech so far:

• Aetna
• Amazon Web Services
• Apple
• Bank of America
• Best Buy
• CVS Health
• Dropbox
• eBay
• Facebook
• GitHub
• GoDaddy
• Google
• IBM
• ING Bank
• Intuit
• Kayak
• Microsoft
• Netflix
• PayPal
• PNC Bank
• Salesforce
• T-Mobile
• Target
• Twitter
• Vanguard
• Verizon
• WordPress

Given how fiercely competitive the big three of Apple, Google and Microsoft are, there might be concerns about what will happen with existing passkeys if a user switches from one vendor's product to another. If a user's passkeys are all stored on an Apple device, for example, the user could run into trouble if they replace the device with a Google product.

In the short term, Apple has methods to work around this problem. For example, an existing passkey for an iPhone could be used on another device with Google Chrome running on either iOS 16 or later or on a Windows machine.

In the long term, security professionals are advocating for standards to be implemented that will prevent or at least discourage vendor lock-in. Whether those efforts will be successful remains to be seen, but even if they are not, the process for creating new passkeys is so simple and almost entirely automated that users should have no trouble establishing credentials on a new device from a different vendor. The FIDO Alliance Design System and other methodologies published by the alliance should help encourage standardization.

Is a passkey more secure than a password?

Because every passkey is unique, passkeys tend to be more secure than passwords. That means passwords will no longer be reused across multiple sites and platforms. And because passkeys are generated automatically, users won't need to rely on passwords that are either easy to remember -- and unfortunately, easy for others to guess -- or so complicated that they're easily forgotten.

Because passkeys use end-to-end encryption, not even the companies creating them can see or change them. Apple says its passkeys use public key cryptography and actually create two keys. One key is public and stored on the website's server, and the other is private and stored on a user's device, so it is only accessible to that user.

What this means in practice is that the private keys generated in each passkey pair are only stored on your device, not on any website's server, making it impossible for your login information to be discovered through a data breach or hacking attempt. A hacker would only be able to access the public key, which would be useless to them because it would not grant access to your account information. Even if someone were to fall prey to a phishing link in an email or text message, the effort would fail because the passkey on the user's device would only work with the website that created it.