Apple and Google are updating their phone software and web browsers toward the end of 2022 to use passkey technology. Passwords have security issues -- such as breaches, phishing and stolen identities -- and can be an inconvenience to users as they have to remember several passwords. Passkeys are an alternative that reduces data breaches and other security vulnerabilities.
Moving to a passwordless future is underway. However, there are some key differences between passkeys vs. passwords to help prepare for this change.
What is a passkey?
Passkeys are a new type of login credential that removes the need for passwords. The authentication requires either biometric authentication -- such as a fingerprint or facial recognition -- or a PIN or swipe pattern used with Androids for access.
The passkey works on a person's device, so users can't use passkey functions on another device without a QR code. Users can scan the QR code from their phone and use their Face ID or Touch ID to sign in from another nearby device.
Passkeys were created with the Web Authentication API security standard that uses public key cryptography for access. Each key is unique and created with encrypted data for added security -- think of a digital version of a keycard.
What is a password?
A password uses a string of characters used for identification during sign-on. They are typically used together with a username. Passwords should be unique and only known to the user.
Passwords can vary in length and can also contain special characters, letters and numbers. To protect data, businesses should implement password policies, including guidelines for strong passwords and a timeframe for updating regularly.
One of the main problems with passwords is remembering multiple passwords and not reusing them. Reusing passwords can present security issues because once bad actors get one password, they can access various accounts using the same credentials.
To help remember multiple passwords, users turn to password managers, which use one master password or key to pull the correct password from a database to authenticate the login for the website or application. After entering the main login, the password manager will fill in the form to log the user in, so they don't have to remember multiple passwords. Having a password manager may help remember passwords, but they are not completely secure if the master password is stolen.
Learn more about password hygiene practices.
How does a passkey work?
Passkeys use Bluetooth technology. Bluetooth requires physical proximity, which helps verify the user.
After signing in and linking accounts, a push notification is sent to the device through Bluetooth. Then, the user needs to unlock their device with their private key, which is either a biometric authentication or PIN to create a unique public key that relates to the login. At the next login, the user will only have to use the chosen credential when prompted, which is their private identification -- with no password to remember. The passkey option will appear by the username field.
Google's Chrome password and Apple's iCloud Keychain synchronize passkeys across multiple devices through the cloud. When adding a new device, the user will have to sync it up to use passkey technology.
How are passkeys more secure than passwords?
Passwords are the current standard for sign on, but they aren't the perfect standard. First, people must remember their passwords, which can be a hassle to remember multiple passwords. Users also must create a complex password to avoid password cracking.
Passwords are also vulnerable to cyber attacks and data breaches. Bad actors can use phishing scams to trick people into sharing passwords on fraudulent websites. Passkeys cannot be stolen as easily because data is stored on a device and not a web server.
Passkeys should be more secure than passwords because the bad actors need access to the device and the fingerprint, facial ID or PIN to unlock it. Or, they would have to be near a person's device to use the Bluetooth. If someone loses a device, the thief will be unable to access information without the biometric authentication.
Each passkey is also unique and created using a strong encryption algorithm. The user doesn't have to worry about weak passwords that can be guessed.
People typically choose the same password for multiple sign-on and sites, so if a bad actor learns the password, they could get access to multiple accounts. Weak passwords create vulnerabilities to both the user and business.
Why are companies moving to passwordless authentication?
Passkeys may be easier to use than passwords and safer for companies to help avoid breaches. Apple, Google and Microsoft are working with the FIDO Alliance and the World Wide Web Consortium (W3C) to ensure passkeys are implemented in ways that work across multiple platforms. Passkeys are the newest technology developed by the FIDO Alliance.
Password-only authentication is a big security problem and can be inconvenient for consumers, according to the FIDO Alliance. When consumers reuse passwords, there is a bigger risk for data breaches and stolen identities. Even with password managers and two-factor authentication, passwords can still be stolen because they are stored online. The initiatives from the FIDO Alliance and W3C are an industrywide collaboration to make sign-on technology more user-friendly and safer.
Users won't be forced to use passkey technology, but more websites and apps will start offering passkeys as an option.