Passkeys: the promise of a simpler and safer alternative to passwords

In today’s digital landscape, accessing online services such as messaging, shopping, travel, social media, media streaming, and government resources typically means managing yet another account and password. At the same time, cyber criminals are increasingly trying to hijack online accounts for profit, usually at the expense of the account owner.

Safeguarding these account passwords from malicious actors can feel daunting. Luckily, technology is evolving to simplify these challenges by utilizing credential managers and passkeys which handle much of the security work for you.


What are the issues with passwords?

The struggles of creating, remembering, and entering passwords are well known. The main ways attackers use them to take over online accounts are:

  • Passwords can be guessed: The pressure to remember numerous passwords leads many people to choose weak, predictable ones, which makes it far more likely that an attacker can guess or brute-force a password.
  • Passwords can be stolen: Entering passwords frequently across many platforms makes users less cautious, which is what phishing relies on: criminals trick people into typing their credentials into a counterfeit site that then captures them.
  • Passwords can be reused: A poorly secured service may leak its users’ passwords, and if a password is reused, the criminals can then access not only that service but every other service where the same password was used.


What actions are being implemented?

Efforts are underway to address these challenges, primarily in two ways.

Firstly, there is a focus on improving password usage for scenarios where we can’t entirely eliminate them, which includes advocating for password manager usage and implementing two-step verification.

Secondly, the movement towards eliminating the need for passwords altogether is gaining traction with the development of ‘passwordless’ sign-in methods. You may have noticed some passwordless sign-in options like social logins, magic links, and email or text-based one-time passwords (OTPs). A particularly promising option that has gained popularity worldwide, thanks to its user-friendliness, privacy, and robust security, is passkeys.


Understanding passkeys

Passkeys are generated, stored, and managed on your trusted devices such as smartphones, tablets, or computers, facilitated by your selected credential manager. This is often the built-in solution on your device, such as Apple Passwords, Google Password Manager, Samsung Pass, or Windows Hello, unless you opt for a different manager.

This credential manager secures your passkeys and requires verification of your identity before allowing access. When using a passkey, it often feels as if you’re simply using a PIN, fingerprint, or facial recognition to unlock your account. Behind the scenes, the security mechanics are complex, yet the experience remains straightforward.

Leading credential managers will also:

  • Provide secure backups of new passkeys to prevent loss if all devices are misplaced.
  • Synchronize passkeys across your devices, eliminating the need to set them up from scratch on each one.

With supported services, you can establish a passkey for an existing account (found in security or privacy settings) or create one during the registration of a new account.


How do passkeys function?

The technology behind passkeys is a unique pair of cryptographic keys generated by your device. The two keys are mathematically related but distinct, akin to ‘siblings’. The pair consists of:

1. Your passkey, the private key. This remains confidential and is stored securely by your credential manager across your devices; it is never sent to the online service.

2. Its verifier, the public key. This is deliberately shared with the online service during registration, and it lets the service check that a sign-in request really came from the holder of the private key.

The key difference from passwords is that the two sides hold different things. With a password, the identical secret exists on both sides (you type it, the service compares it), so it can be captured in transit or stolen from the service. With a passkey, the service only ever holds the public key, which can verify a signature but cannot produce one, so the private key is required for every sign-in and the service’s copy is of no use to an attacker on its own.

For a deeper exploration of how passkeys provide stronger security than traditional passwords, see the further reading linked at the end of this post.


Emphasizing the simplicity and security of passkeys

While the underlying technology of passkeys may be intricate, the user experience is designed to be effortless.

Establishing an account with a passkey is simplified as your credential manager takes on the bulk of the process, meaning you are relieved from:

  • Having to devise or worry about yet another username and password.
  • Re-entering your password for confirmation.
  • Navigating cumbersome password complexity requirements.

Once your account is set, signing in using a passkey is straightforward as the credential manager supports you throughout. This allows you to avoid:

  • Recalling the username registered with the online service.
  • Entering or pasting your username and password, as the credential manager provides corresponding account choices automatically.

Investing in passkeys for securing your online accounts is worthwhile for several reasons:

  • The keys generated by your credential manager are random and far longer than anything a human would choose or remember, so guessing or brute-forcing them is not a practical attack.
  • Each passkey is bound to the specific service (the website’s domain) it was created for. A fraudulent or look-alike site cannot ask your credential manager for it, and there is no secret to type in, so phishing has nothing to capture.
  • If a criminal compromises an online service and steals your verifier (the public key), they still lack the private key needed to sign in to your account, and there is no reusable credential they could try against your other accounts.


Further exploration of passkeys

We hope you now have a better understanding of what passkeys are and their significance for your cybersecurity. However, while passkeys show promise for delivering a seamless universal experience, there are still some challenges that require resolution before they can entirely replace passwords for users in the UK. For more insights into the current state of passkeys and areas in need of enhancement, please refer to our other blog post Passkeys: they’re not perfect but they’re getting better.

James L
Senior Security Researcher


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/passkeys-promise-simpler-alternative-passwords
