
Passkeys offer a safer and more convenient way of authenticating users than traditional passwords.
What is a Passkey?
There is no password that has to be remembered (or possibly written down). There is no password that can be disclosed, either intentionally or accidentally. There is no password that has to be stored on the remote server, from where it can be stolen. To log in using a passkey, all you have to do is perform the same action you use to unlock the device. This can be a biometric such as a fingerprint or face ID, or it can be a PIN.
So what actually is a passkey, and how does it work? It is simply 2 very large numbers that are stored in a secure location in the hardware of your PC, mobile or tablet. Access to the passkey is only granted if you successfully perform the same action that you use to unlock your device.
How do Passkeys Work?
If you want to log on to a remote server (e.g. Gmail) then the server sends a ‘challenge’ to your device. This is another very large number. Your device does some clever maths with all 3 numbers, then sends the result back to the server. If the server receives the ‘correct’ answer then it grants you access: you have proved you have access to the passkey.
But how does the server know what the ‘correct’ answer is? It does not know the 2 numbers that make up the passkey. However, it does know the ‘public key’, which is derived from the passkey; it is simply the result of multiplying the two numbers together. So it’s very easy to derive the public key from the passkey. However, if you only know the public key you would have to painstakingly go through all possible pairs of numbers to work out what the passkey is. Therefore you can safely share the public key with the server (or anyone else). They can use it to verify that your device sent the right answer, because of the way the maths works.
You can normally only use this method to login on a device that has a valid passkey stored on it (different devices will have different passkeys for the same server). However in some cases you can use a passkey on another device and establish a link between the devices using a QR code and Bluetooth. So you may be able to login on a public computer at an Internet café using a passkey on your phone.
Even if you switch to using passkeys as your default login method, normally you can still use a password as an alternative. However, it is strongly recommended that you enable 2FA so that theft of the password alone does not give access to the account.
Setting up Passkeys
Setting up passkeys is generally very easy. For most services that offer passkey login, if you go to your account settings you will probably find a “Create Passkey” button. This is often in a section called Security. When you click the button you will be prompted to perform the device unlock operation. Then that’s it! The passkey will be generated and stored securely on your device, the public key will be shared with the server and you will now be able to use the passkey to login.
To be clear, each time you use a passkey you still need to go through the unlock procedure, even if the device is already unlocked.
Downsides of Passkeys
Although passkeys are more secure, they still have some vulnerabilities. The main threat is a crook tricking an administrator into allowing them to set up a new passkey. Once the public key associated with the ‘fake’ passkey has been registered on the account, the crook can then use that passkey to access the account.
So you need to have robust procedures for verifying the identity of anyone setting up a passkey, remembering that voice or video calls can now be easily faked with the help of AI. This could mean sending a one-time passcode to a device you know only the user can access (e.g. a phone registered to the user). Or the user could verify themselves with an existing passkey on a different device.
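The whole flow described on this page (the passkey being created and only its public key sent to the server, the server issuing a challenge and checking the answer, a different device holding a different passkey, and the downside of a rogue passkey that has been registered on the account) as an added Python example; this is not code from the original article or from any passkey provider. To match the article's description of the public key as the product of the two secret numbers it uses a textbook RSA-style construction with deliberately small toy key sizes; the names `Device`, `Server`, `example.test`, the user `alice` and the overall structure are assumptions made for illustration, and the script runs offline with only the standard library.

```python
"""Toy passkey challenge-response (added illustration, not the article's code).
RSA-style construction matching the article: the passkey is two secret primes,
the public key is their product. Key sizes are small so it runs instantly;
this models the protocol flow and is NOT a production signature scheme."""
import hashlib
import secrets

E = 65537  # public exponent shared by every key in this toy


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has 2*bits bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def _digest(challenge: bytes, rp_id: str) -> int:
    """Bind the challenge to the site it came from before signing."""
    return int.from_bytes(hashlib.sha256(rp_id.encode() + challenge).digest(), "big")


class Device:
    """The user's phone or PC; private keys never leave this object."""

    def __init__(self, bits: int = 256):
        self.bits = bits
        self._keys = {}  # rp_id -> private key: one passkey per site per device

    def create_passkey(self, rp_id: str) -> dict:
        """Generate the two secret numbers; hand back only the public key."""
        while True:
            p, q = _random_prime(self.bits), _random_prime(self.bits)
            phi = (p - 1) * (q - 1)
            if p != q and phi % E != 0:
                break
        n = p * q
        self._keys[rp_id] = {"n": n, "d": pow(E, -1, phi)}
        return {"n": n, "e": E}

    def sign_challenge(self, rp_id: str, challenge: bytes, unlocked: bool) -> int:
        """The 'clever maths' on the challenge, only after the device unlock."""
        if not unlocked:
            raise PermissionError("device unlock (biometric or PIN) required")
        key = self._keys[rp_id]
        return pow(_digest(challenge, rp_id), key["d"], key["n"])


class Server:
    """Relying party: stores public keys and outstanding challenges only."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._accounts = {}    # username -> list of registered public keys
        self._challenges = {}  # username -> challenge awaiting its answer

    def register_passkey(self, username: str, public: dict) -> None:
        """This step is the one the article says must be identity-verified."""
        self._accounts.setdefault(username, []).append(public)

    def begin_login(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._challenges[username] = challenge
        return challenge

    def finish_login(self, username: str, signature: int) -> bool:
        challenge = self._challenges.pop(username, None)  # single use: no replay
        if challenge is None:
            return False
        expected = _digest(challenge, self.rp_id)
        return any(pow(signature, pub["e"], pub["n"]) == expected
                   for pub in self._accounts.get(username, []))


def run_demo() -> dict:
    """Good login, replayed answer, unregistered device, rogue registered key."""
    server, phone, laptop, crook = Server("example.test"), Device(), Device(), Device()
    server.register_passkey("alice", phone.create_passkey(server.rp_id))
    sig = phone.sign_challenge(server.rp_id, server.begin_login("alice"), True)
    good = server.finish_login("alice", sig)
    replay = server.finish_login("alice", sig)           # challenge already consumed
    laptop.create_passkey(server.rp_id)                  # different passkey, never registered
    unregistered = server.finish_login(
        "alice", laptop.sign_challenge(server.rp_id, server.begin_login("alice"), True))
    server.register_passkey("alice", crook.create_passkey(server.rp_id))  # the article's main threat
    rogue = server.finish_login(
        "alice", crook.sign_challenge(server.rp_id, server.begin_login("alice"), True))
    return {"good": good, "replay": replay, "unregistered": unregistered, "rogue": rogue}


if __name__ == "__main__":
    print(run_demo())
```

The last two lines of `run_demo` are the point of the "Downsides" section: once a crook's public key has been accepted by `register_passkey`, the server has no way to tell that login apart from a genuine one, which is why the identity check has to happen at registration time rather than at login time.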
