Good Things Come to Those Who Wait
It’s taken half a century, but the password is finally about to become a thing of the past.
Say hello to Passkeys
Passkeys, the new username/password alternative, are finally set to launch in a standardized system created by Microsoft, Apple, Google and other companies. Passkeys offer users an easy and secure experience.
While passkey technology is nothing new, big tech working together toward a common standard certainly is rare. It is this new standard that finally allows passwords to start becoming a not-so-fond memory. Passkeys eliminate the hazards of traditional passwords because users don’t need to remember anything, and they are fully resistant to account takeover attacks including credential stuffing, harvesting, phishing and other remote attacks.
Wide acceptance is already happening
Many online services and tools are lined up to soon offer Passkeys as a login alternative. A few that have already announced plans for early adoption include: Microsoft, PayPal, eBay, Best Buy, Kayak and WordPress. Google, Apple and Microsoft have already enabled full support for Passkeys with their latest OS updates. There are still a few kinks to work out, such as iOS Passkeys being able to unlock Windows, but not the other way around – yet.
So, just what are Passkeys?
They are essentially the same technology we now use daily to unlock our mobile phones, laptops and tablets – Multi-Factor-Authentication (MFA) – the face scan, fingerprint scan or PIN. Passkeys are invisible and interact with these same MFA security features of the host device, including FaceID or Windows Hello. They also work with FIDO-compliant hardware keys like Yubico’s.
A big change from how public key credentials worked historically is that Passkeys are discoverable and can now be synced across any operating system cloud (like iCloud, Google Drive or OneDrive). This means that once a single device for a user account is enrolled with a Passkey, all devices can be synced so they can also retrieve that account’s FIDO sign-in credentials, including that new phone you just bought! No longer will a password be needed for account recovery either.
How does a Passkey log into a website?
When a user is asked to log in to a website or app, the Passkey can be transmitted seamlessly once the authentication is provided by the same means used to unlock the device. This process replaces the need for the far-less-secure username and password.
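To show what the website’s side of that login looks like, here is an added example (not code from the original post or from any of the vendors named) of the checks a site performs on the assertion a browser returns for a passkey: the challenge must match the one it issued, the origin recorded by the browser must be the site’s own, and the hashed relying-party ID and user-verification flags in the authenticator data must be correct. The relying-party ID `example.com`, the origin, the sample challenge and the `make_sample` helper are assumptions constructed for the example; verifying the signature over the returned bytes with the public key stored at registration is left to a crypto library and not shown.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                   # hypothetical relying party ID
EXPECTED_ORIGIN = "https://example.com"  # hypothetical site origin
FLAG_UP, FLAG_UV = 0x01, 0x04           # authenticatorData flag bits

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}

def check_assertion(auth_data: bytes, client_data_json: bytes,
                    expected_challenge: bytes, require_uv: bool = True) -> bytes:
    """Validate a passkey login assertion's unsigned fields and return the
    bytes the authenticator signed (authenticatorData || SHA-256(clientDataJSON));
    the caller verifies the signature over them with the public key stored at
    registration (crypto library not shown here)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not a login (get) ceremony")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed assertion")
    # The browser writes the origin; a look-alike domain cannot forge it.
    if client.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin mismatch: {client.get('origin')!r}")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification (biometric/PIN) not asserted")
    return auth_data + hashlib.sha256(client_data_json).digest()

def make_sample(origin: str, challenge: bytes, flags: int = 0x05) -> tuple:
    """Construct sample inputs shaped like a browser/authenticator response (test data)."""
    client = {"type": "webauthn.get", "origin": origin,
              "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    return auth, json.dumps(client).encode()
```

Feeding an assertion produced on a look-alike origin into `check_assertion` fails at the origin check before any signature is examined, which is the mechanism behind the phishing resistance described above.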
Gone as well will be the need “for a human to tell a password manager to generate, store, and recall a secret – that will all happen automatically with way better secrets than what the old text box supported, and with uniqueness enforced.” [Reference]
Passkeys will make logging into websites and apps a much better experience, as it simply replicates the same process we all do multiple times a day with a face or fingerprint scan or by entering a PIN. Additionally, the Passkey is available wherever a consumer or user needs it, and there will no longer be a need to create new credentials for every service.
In summary, Passkeys are more secure than the current password + phone approval process (2FA/MFA) and are clearly the route to a smoother user experience for credentialing. As Passkeys start to roll out, simply look for the Passkey icon as a visual cue to use this awesome new technology instead of the traditional username and password.