What are Passkeys and Why is their Popularity Growing?
Passkeys offer a future devoid of passwords, enabling us to effortlessly access our accounts just like unlocking our phones, but with enhanced security measures. Whether you prefer Apple, Google, or Microsoft, chances are you have come across their announcements regarding the implementation of passkeys. Although a complete passkey revolution may still be some time away, you might soon be prompted to establish one for your accounts.
The username and password approach to logging in dates back to the 1960s. Since then it has been hackable. Passwords can be guessed or phished, especially if you don’t meet industry standards for a complex and strong password. For a while, the solution seemed to be multi-factor authentication, a way to verify your identity at sign-in via text message, app, hardware key, or other means. But passkey advocates say solving login security problems means reinventing the first step, not adding additional processes.
“It’s the closest thing to something that can scale to getting rid of passwords that we’ve ever seen,” said Megan Shamas, director of marketing for the FIDO Alliance, an industry association. A passkey is a digital authentication credential stored securely on your device. Instead of what Shamas called a “shared secret” method of passwords, passkeys are a unique pair of keys for each online service, tied to the domain name you use. So if you create one for your online banking account and a scam site prompts you to log in, the passkey won’t work.
It also prevents phishing attacks because you can’t type in a passkey the way you would a password or MFA code. We can’t call it “phishing-free,” said Derek Hanson, director of solutions architecture and alliances at security authentication firm Yubico, but it certainly blocks common attack vectors used today. At the very least, it makes it much more expensive and difficult for a hacker to gain entry, making hackers likely to move to weaker targets.
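The domain binding described above can be seen in a simplified model of a passkey sign-in. This is an added example, not code from the FIDO Alliance or any vendor: it collapses the browser and the authenticator into one class, treats the site's hostname as its ID, and uses the constructed domains bank.example and bank-login.example.

```javascript
// Simplified model of a passkey sign-in (added illustration, not a full WebAuthn implementation).
const crypto = require('node:crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Toy authenticator: one key pair per relying-party ID (the site's domain).
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public half ever goes to the site
  }
  // `origin` is filled in by the browser, not by the page that asks for the login.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey exists for this domain
    const clientData = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    const authData = sha256(rpId); // real authenticator data also carries flags and a counter
    const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientData)]), privateKey);
    return { clientData, authData, signature };
  }
}

// Site-side check: origin, challenge, domain hash, then the signature itself.
function verify(assertion, { publicKey, rpId, origin, challenge }) {
  if (!assertion) return false;
  const cd = JSON.parse(assertion.clientData.toString());
  if (cd.type !== 'webauthn.get' || cd.origin !== origin || cd.challenge !== challenge) return false;
  if (!assertion.authData.equals(sha256(rpId))) return false;
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature);
}

// Constructed demo values: bank.example is the real site, bank-login.example a look-alike.
function demo() {
  const device = new Authenticator();
  const bank = { rpId: 'bank.example', origin: 'https://bank.example', challenge: crypto.randomBytes(16).toString('base64url') };
  bank.publicKey = device.register(bank.rpId);
  const genuine = verify(device.sign(bank.origin, bank.challenge), bank);
  // On the look-alike domain the device finds no key, so there is nothing to hand over.
  const phished = device.sign('https://bank-login.example', bank.challenge);
  // A response made with a different key pair and the look-alike origin fails the bank's checks.
  device.register('bank-login.example');
  const relayed = verify(device.sign('https://bank-login.example', bank.challenge), bank);
  return { genuine, phished, relayed };
}

console.log(demo());
```

Unlike a password, nothing the user could be talked into typing appears anywhere in this exchange; the site stores only a public key.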
They are also supposed to be easier for the user. Instead of trying to keep track of nearly 100 or more passwords, the passkey is saved on your device and automatically connected to the service. As with unlocking your phone, you’ll need to use a PIN, fingerprint, face scan, or other simple authentication to log in. It seems too good to be true, and it kind of is, because it’s still a fragmented space. While big names have been driving the trend toward passkeys recently, they can also prevent widespread use.
Currently, using a passkey locks you into a specific provider, says Sayonnha Mandal, Ph.D., a professor at the University of Nebraska Omaha. For example, you can’t log in to websites on an Android phone with a passkey saved on your MacBook. These companies prefer it because it keeps customers loyal to their brand. So it requires cooperation, and “if there isn’t a government industrial standard that everyone has to follow, I don’t think the companies themselves will.”
But Shamas says cross-platform accessibility is coming as companies sign on to FIDO’s industry standards for passkey development. “The deep investment in the industry (including Apple, Google and Microsoft) to develop and evangelize password technology speaks to the widespread belief in its promise,” said a Google spokesperson. At the time of release, Google Chrome on Mac and Windows stores passkeys only on the local device.
For now, if a website gives you a passkey login option, you should probably sign up. At least for your most sensitive accounts, such as online banking, switch to passkeys as soon as they’re offered for added protection for those accounts, Mandal said. But if passkeys take over, the transition will be slow. Services will probably still offer password options because consumers are used to them, and passkeys still don’t have widespread enough support.
In the meantime, it’s a good reminder to stick to your security settings. If passkeys are not available, make sure MFA is set up and your password is strong rather than dismissing security reminder pop-ups when logging in.