
Google and Apple Push for Securing Accounts with More Secure “PassKeys”


Introduction

In the digital age, securing online accounts is of paramount importance. Traditionally, this has been achieved through the use of usernames and passwords. However, this method has been fraught with security issues such as breaches, phishing, and stolen identities. In response to these challenges, tech giants like Google and Apple have been promoting and supporting a new form of authentication known as “PassKeys”. This blog post explains what PassKeys are, how they work, and why they are considered more secure than the traditional username and password method.

Traditional Username and Password Authentication

A traditional username and password authentication system involves a user providing a unique string of characters (the password) along with a username for identification during sign-on. This method, while simple and widely used, has several vulnerabilities. Passwords can be guessed, stolen, or obtained through phishing attacks. They are also often stored on servers, albeit in hashed and salted form, and those servers can be a target for hackers. Furthermore, users often have to remember multiple passwords for different accounts, which is inconvenient and leads to weak or reused passwords.

What are PassKeys?

PassKeys are a new type of login credential that removes the need for passwords. To sign in, the user unlocks the credential with either biometric authentication, such as a fingerprint or facial recognition, or a PIN or swipe pattern, as used on Android devices. PassKeys are generated using cryptographic techniques and are typically not transmitted or stored on servers, making them more resistant to phishing attacks and other social engineering techniques.

PassKeys work on a person’s device, so users can’t use PassKey functions on another device without a QR code. Users can scan the QR code from their phone and use their Face ID or Touch ID to sign in from another nearby device.

How Do PassKeys Work?

PassKeys use public key cryptography for security. This means that each PassKey is actually a pair of keys – a public key and a private key – that are mathematically linked to one another. Your public key is meant to be shared, and is stored by the app or website when you create a new account. But your private key never leaves your device — it’s a true secret.

When a user creates a PassKey with a site or application, a public–private key pair is generated on the user’s device. Only the public key is stored by the site, and on its own it is useless to an attacker: authenticating as the user requires the private key, and the private key can’t be derived from the data stored on the server.
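The flow described above, as an added example that is not part of the original post: a simplified Node.js model of passkey registration and sign-in in which the site stores only a public key and checks a signed, single-use challenge. It is not the WebAuthn message format, and the origins, user name, and function names are constructed for illustration.

```javascript
// Simplified passkey flow (illustration only, not the WebAuthn wire format).
const crypto = require("node:crypto");

// Device side: the key pair is generated here; the private key stays in this closure.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }), // only part sent to the site
    // Sign the site's challenge together with the origin the browser reports.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge, origin });
      const signature = crypto.sign("sha256", Buffer.from(clientData), privateKey);
      return { clientData, signature: signature.toString("base64") };
    },
  };
}

// Site side: stores public keys and one outstanding challenge per user.
class Site {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  startSignIn(user) {
    const challenge = crypto.randomBytes(32).toString("hex");
    this.pending.set(user, challenge);
    return challenge;
  }
  finishSignIn(user, { clientData, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge is accepted once
    const pem = this.publicKeys.get(user);
    if (!expected || !pem) return false;
    const { challenge, origin } = JSON.parse(clientData);
    if (challenge !== expected || origin !== this.origin) return false;
    return crypto.verify("sha256", Buffer.from(clientData), pem, Buffer.from(signature, "base64"));
  }
}

function demo() {
  const site = new Site("https://shop.example"); // constructed origin
  const passkey = createPasskey();
  site.register("alice", passkey.publicKeyPem);
  const assertion = passkey.sign(site.startSignIn("alice"), site.origin);
  const ok = site.finishSignIn("alice", assertion);
  site.startSignIn("alice"); // a fresh challenge is now pending
  const replay = site.finishSignIn("alice", assertion); // old assertion, wrong challenge
  // Look-alike origin: the challenge is real, but the signed origin does not match the site.
  const phished = site.finishSignIn("alice", passkey.sign(site.startSignIn("alice"), "https://shop-login.example"));
  const serverHasPrivateKey = [...site.publicKeys.values()].join("").includes("PRIVATE KEY");
  return { ok, replay, phished, serverHasPrivateKey };
}
console.log(demo());
```

The genuine sign-in succeeds, while the replayed assertion and the one signed for the look-alike origin are rejected, and the site's stored data contains no private key.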

PassKeys vs. Passwords: A Comparison

While both PassKeys and passwords serve as methods of authentication and identity verification, there are key differences between the two.

  • Generation: PassKeys are generated using cryptographic techniques, while passwords are user-generated.
  • Storage: PassKeys are typically not transmitted or stored on servers, whereas passwords are usually stored on servers in some form.
  • Resistance to Attacks: PassKeys are more resistant to phishing attacks, while passwords are vulnerable to phishing and other social engineering techniques.
  • Complexity and Security: The complexity and security of PassKeys are typically higher than those of passwords.
  • Recovery and Backup: If a PassKey is lost or compromised, the recovery process may be more complex compared to passwords, which often have built-in recovery mechanisms.

The Future of PassKeys

PassKeys are still in their early stages, but experts predict that they are the future of online authentication. The login process will standardize over time, and PassKeys are expected to be implemented more seamlessly over the next year or so.

Google data shows that the percentage of users successfully authenticating through same-device PassKeys is 4x higher than the success rate typically achieved with passwords. PassKeys are not just easier to use, but also significantly faster than passwords. On average, a user can successfully sign in within 14.9 seconds, while it typically takes twice as long to sign in with passwords.

In summary, PassKeys may represent a significant step forward in online security. By leveraging public key cryptography and biometric authentication (something you are), they offer a more secure and convenient alternative to traditional usernames and passwords, which are easier to hack and/or compromise.

Multi-factor authentication (MFA) has more recently become a requirement for securing accounts. It is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. These factors can be categorized into three main types: something you know (like a password or PIN, the old way), something you have (like a cryptographic identification device or token, which can be lost), and something you are (like a biometric feature, which is with you always).

While there are still challenges to be overcome, such as widespread adoption and recovery mechanisms, the future of PassKeys looks promising. As Google and Apple continue to promote and support this technology, we can expect to see a shift towards a passwordless future.

Load More By Marco Aviso