Passkey
What is a passkey?
A passkey is a unique secret code that gives you secure access to a system or online service. Each passkey is specific to the user and the service; a passkey can’t be reused across different services. Once a passkey is set up, the user or service can optionally add a second factor of authentication—like a fingerprint, face scan, or PIN—to enhance the security of the login experience.
Logging in with a passkey is a similar experience to unlocking a mobile phone. Once set up, passkeys are easier to use and more secure than passwords alone, or even passwords paired with secondary authentication or multi-factor authentication. Proponents of passkeys believe passkeys may eventually replace passwords.
How do passkeys work?
Just like the familiar process of setting up an account with a user ID and password, using a passkey involves an initial setup process, and then a simpler login process after that. A key difference between passkeys and passwords is that—by default—passkeys rely primarily on a “what you have” authentication factor (such as an app on your mobile phone) instead of a “what you know” factor (such as a password).
The setup process links your device with the particular online service (like your bank website). A service can also require a unique element for a second authentication factor during the passkey setup (often something “local” or provided directly on your device). Examples of these unique elements are a fingerprint, face scan, or PIN, which are stored on your device before it generates a random key pair. These keys are permanent, and they’re specific to your device, the particular service you’re accessing, and your account on that service. The “public” passkey is given to the service; the “private” passkey stays on your device(s) and is kept secret: no one else ever sees it, not even the paired service.
Once the passkeys are set up, login is simple—all you need to do is select the “Sign in with a passkey” option (provided your service offers it). If the service has required it, you will also need to provide your previously chosen second factor (fingerprint, face scan, or PIN). You don’t need to enter a username. The browser (or app) contacts the service and requests access to your account. The service replies to the browser with a message to be signed (called a challenge), accompanied by the public passkey associated with your account (which the browser will use when responding to the challenge). Your device verifies who you are locally using your unique element (if required), and uses the private passkey to sign the challenge. The signed message is then sent back to the service, proving you’re the valid account owner.
Passkeys and multiple devices
Although passkeys may be specific to each device, a single passkey can be synced across multiple devices if the devices run in the same environment (like Google/Android or Apple/iOS). There are also other interoperability syncing methods in development, such as using a password manager or browser to securely sync passkeys. A passkey on a phone can also be used to unlock a website you’re visiting on a computer. If the phone and computer are near one another, they can use Bluetooth to communicate—you complete the passkey login on your phone and the phone then reports validation to the computer via Bluetooth.
Passkeys and multiple users
With passkeys, you can also set up multiple accounts for a given service on the same device. This can be useful if, for example, two people use the same computer to log into different bank accounts on the same banking website. The bank’s login screen will allow you to use the passkey for a specific user with options like “Sign in with passkey for Anna” or “Sign in with passkey for Kevin.” When you select the user, the browser will take care of finding and applying the appropriate passkey when interacting with the bank’s service.
Are passkeys the same as MFA?
Traditionally, multi-factor authentication (MFA) has meant a way to enhance the traditional user ID and password approach to user verification. MFA strengthens the traditional password by requiring additional proof (factors) of identity, such as a fingerprint scan or a code sent to your phone. MFA still relies on passwords by default, whereas passkeys rely on possession of digital signing keys.
While passkeys work differently than traditional MFA schemes, they meet the same criteria of using at least two different kinds of identification from the know/have/are categories of factors. Using a PIN on your phone that has the passkey satisfies the “know” (PIN) and “have” (phone) combination. Matching a face scan on a laptop with the passkey meets the “are” (face scan) and “have” (laptop) combination. Requiring two categories of factors protects your accounts against getting hacked—someone can possess your phone but they can’t fake your fingerprint. Without the fingerprint, the phone can’t use the stored private passkey to sign the challenge from the service.
Do I need special software to use passkeys?
Support for passkeys is built into the browser (or app) and the operating system. All major browsers support passkey creation and use. If an organization wants to offer passkeys as a login option, it integrates the feature into its website or app. You don’t need to do anything extra.
Why are passkeys better than passwords?
When you log into a site or a network, you need to provide proof that you are who you claim to be. Today, passwords are the most common proof we use to verify ourselves. Sometimes a password is supplemented with a second layer of authentication—a fingerprint, a one-time passcode texted to our phone, or a code from an authenticator app. While passwords were a sufficient method of secure access for many years, increasingly sophisticated hacking and social engineering threats have weakened the traditional user ID and password setup. Passkeys are designed to combat the threats that undermine passwords by automating the security for users.
More secure
Passwords need to be secret in order to be effective, but they’re often exposed in a data breach. Good security habits like using strong, unique passwords for every service are an excellent defense, but with so many passwords needed, an individual will often fall back to reusing a password, or using weak passwords that are easily cracked or guessed.
With passkeys, these security defenses no longer require users to be as involved to keep their accounts secure. Additionally, since the private keys are stored only on your device, passkeys reduce the viability of so-called “password spraying” attacks that can occur after a large-scale password breach. Passkeys are also strong by default, which helps avoid the scenario of an attacker guessing a password.
With passkeys, nothing private is ever transmitted to the service. The only thing stored outside your devices is the public key, and the only things transmitted to the service are the challenge and the signed reply. Threats that would attempt to intercept your login credentials can’t collect any data of value.
An added benefit to your online security is that passkeys can protect against fake websites used in phishing attacks. Passkey verification happens in both directions. Because each passkey is tied to the address of the service it was created for, if you accidentally end up on a phishing website, the fake site won’t have the public passkey that complements your private passkey. That means the steps of verifying the challenge won’t work, because your browser can detect that the site is incorrect and won’t offer the passkey there.
Easier to use
Passwords can be a hassle to keep track of, and logging in with a password can be frustrating and time consuming when supplemented with a secondary factor like a texted one-time passcode.
A passkey just uses the chosen biometric or a PIN to verify your identity. After you provide that single factor, the browser or app does the rest, interacting with the website on your behalf to complete the passkey secret handshake. The most you may have to remember is a PIN, and this PIN can be the same one that unlocks your device since an attacker also needs your device for it to be useful to them.
Who uses passkeys?
Passkey technology is still in the early stages of adoption. According to the FIDO Alliance, the group leading the development of passkey technology, over 100 major Web services support passkeys, ranging from social media to major banks to popular commerce and gaming. While these numbers may not be considered widespread, passkeys are expected to continue expanding their availability now that many of the usability issues have been addressed. It’s likely you’ll soon encounter the option to use passkeys on a login, if you haven’t already.