Passkeys: The future of passwords? Understanding how they work
Nearly everybody agrees that the way we log in to websites and services is broken.
The username-and-password combo in universal use is both annoying for users and not great from a security perspective. With data breaches a regular occurrence, most people reusing the same easily guessed passwords across websites, and fake login pages cheap to build, the internet is crying out for a better solution.
Well, one might finally be here: passkeys. These do away with passwords completely, allowing your phone to vouch for your identity.
How do passkeys work, and what are the drawbacks? Read on to find out.
What is a passkey?
Passkeys are a way of logging in to a website or service without a password to prove who you are. All you need is a device to vouch for your identity — most likely your smartphone*.
That sounds like a security nightmare, but it should prove a lot safer than the somewhat flawed password system we’ve used for the first few decades of the internet.
“A simple, yet secure sign-in procedure is exactly what people need,” Jake Moore, Global Security Advisor at ESET, a software company specialising in cybersecurity, tells The Standard. “Passkeys offer a simple, fast and secure sign-in solution. [They offer] a very positive impact on account security.”
For the user, the idea is to log in to a website the same way you open up your phone — with a PIN, a fingerprint or a face scan. When you register for a site or service, your login is linked to a single device and you just sign in via that: with no password to remember.
Behind the scenes, it’s a whole lot more technical, involving something called asymmetric cryptography. A public key is stored on the website you want to use, while an encrypted private key stays on your device. When you try to log in, the site grants access only if your device can prove it holds the private key that matches the public key on record.
If you’re not using the phone you registered with — if you want to log in to a site on your Windows laptop, say — then you’ll need to connect the laptop to your phone via Bluetooth. Alternatively, you scan a QR code on the laptop with your phone to prove the two are within range of each other. It’s a bit like two-factor authentication, without the password.
“Before now,…