Yesterday's coverage of World Password Day sparked some discussion among the BetaNews team about passkeys and how they work. We figured that if we're confused about them then some of you probably are too, so here's an FAQ look at passkeys, how they work, and why you should consider using them.
Let’s dive into the basics first. Passkeys are based on public key cryptography. For each account you have, there are two cryptographic keys. One is public and stored on the system you're logging into, and the other is private and stored on your authenticator device -- more on those later. When these two are combined, much like fitting a key into a lock, you gain access.
Passkeys are generated using the WebAuthn API, which is part of all modern operating systems and browsers. This technology ensures that your login process is secure and efficient.
One immediate benefit is the elimination of the need to think up and remember complex passwords. This makes logging in significantly easier. Another major advantage is phishing resistance. Because a passkey is linked to the specific site it’s used for, it won't work on a malicious copy, no matter how convincing it may look to the human eye.
Passkeys are typically managed by your device, either through the operating system or a separate password manager like Dashlane or LastPass. They can be synced between devices so that they're available in different locations. Essentially, the password manager acts as the authenticator device.
You can also store keys on an iPhone or Android phone, which will then act as the authenticator device. Additionally, passkeys can work via a dedicated hardware key like a YubiKey or Google's Titan Key. These use a secure chip to set up the passkey. If you're on a trusted device, you don't need the key connected all the time. However, you will need it to set up a new account.
At this point, you might be wondering what happens if you lose your device. Don't worry. Your password manager will be protected by another form of authentication, either an old-school password or biometrics like a fingerprint, so your passkey won't be easily accessible. If you upgrade to a new device, your passkey data can be transferred across. If you're using a password manager, your keys will be stored in your cloud vault.
If you lose a hardware key, it's pretty useless to anyone else as they don't know what it's been used to access. Using a trusted device where you've already set up a passkey, you can remove a lost hardware key from your account and set up a new one.
Let's use Google as an example here, although other websites will have similar processes. Visit g.co/passkeys and sign in to your account to confirm your identity. Once logged in, select 'Create a passkey.' You will then be prompted to choose your preferred authentication method, and if you have a hardware key, you can select 'Use another device.'
If you opt to use a smartphone, a QR code will appear on your screen, which you must scan to enable Google to link with your phone. For future logins using a passkey, a notification will be sent to your phone, allowing you to confirm your identity using either biometrics or a PIN.
Increasingly, websites are beginning to support passkeys. You can find a searchable list of sites that use passkeys on Passkeys.directory. This expanding support reflects a move towards more secure and user-friendly authentication methods, simplifying the protection of your online accounts.
Passkeys represent a significant advancement in online security, offering a more secure and user-friendly alternative to traditional passwords. By leveraging public key cryptography and the WebAuthn API, passkeys eliminate the need to remember complex passwords and provide robust phishing resistance. With the ability to manage passkeys through various devices and password managers, users can enjoy seamless access to their accounts while maintaining a high level of security.
As more websites and services begin to use passkeys, users will discover that this authentication method is becoming more convenient. By learning how passkeys function and the advantages they provide, you can make better choices about protecting your online accounts. So, dive in and explore the realm of passkeys – your digital security will be grateful.