Password fatigue. Phishing. Credential stuffing. These are just some of the risks passwords pose and why passkeys are finally gaining support across major platforms such as financial institutions, Amazon, Apple, and Google. A Passkey is a unique, randomly generated code used for authentication purposes. It works by providing an additional layer of security beyond traditional passwords. Passkeys are typically used with usernames or email addresses to access accounts securely. While passkeys aren’t perfect – and come in several forms – they significantly strengthen account security and are easier to use.
Why do we need Passkeys?
One of the most frustrating aspects of cybersecurity is creating and maintaining unique, strong passwords across all your accounts. Over the years, companies have launched password managers, offered two-factor (2FA) or multi-factor authentication (MFA), and adopted industry best practices for account security. Yet, compromising account credentials and data breaches are a daily occurrence. Passwords are inherently vulnerable to theft, re-use, or change without your knowledge.
If you haven’t noticed, many platforms are starting to support and encourage users adopt a passkey for greater account authentication and security. Imagine logging in to your favorite website without typing a single password. That’s the magic of a passkey. It’s a secure digital credential that replaces traditional passwords on your device (phone, computer, or smart TV device). Instead of remembering complex combinations, you simply use your fingerprint, face scan, or a secure PIN to verify your identity.
Types of Passkeys
- Randomly Generated Code: A Passkey might look like “5D8f#2g!pX” – a combination of letters, numbers, and special characters.
- Time-Based Passcodes: Passkeys can also be generated using a time-based algorithm, changing every few seconds. For example, “123456” might be valid briefly before expiring and being replaced with a new code. A popular example is RSA tokens, Duo, and authentication apps (essentially a digital RSA token).
- One-Time Passcodes (OTPs): These are Passkeys that are valid for a single use only. Once used, they become invalid. An example might be “7890ABCD,” which is frequently used by financial banking institutions for online account access.
- Biometric Passkeys: Some systems use biometric data, such as fingerprints or facial recognition, as Passkeys. These are unique to each individual and provide a high level of security. Apple FaceID can be used with supporting apps as a biometric passkey to override the requirement of inputting a username and password.
- QR Code Passkeys: Passkeys can also be represented as QR codes, which can be scanned by a device or app to authenticate access. If you own an Apple TV or Fire TV stick, you’ve probably used QR codes that you can scan to quickly sync your account to supporting apps like Spotify, Disney+, or YouTube to log in to the TV app without manually entering a password. The scanned QR code links to your authenticated login on your smartphone and access is granted on the TV app.
How Passkeys Work
- Enrollment: You create a passkey for a website or app using your device’s biometric authentication.
- Login: When you revisit, the website requests your passkey.
- Verification: Your device prompts you to confirm with your fingerprint, face scan, or PIN.
- Access Granted: Boom! You’re in, securely and effortlessly.
If you’re looking for a thorough technical walkthrough of how passkeys authenticate users and sessions, watch each YouTube video by Shannon Morse and Andy Malone.
Benefits of Passkeys
- Resistant to common password hacking vulnerabilities: No passwords to steal, so phishing and credential stuffing become irrelevant.
- Convenient: No more password fatigue or resets because you can’t remember your password.
- Universal: Works across different devices and platforms.
- Future-proof: Backed by major tech companies and security standards, such as Google, Microsoft, Apple, Amazon, and the FIDO Alliance.
How Passkeys are different than Multi-factor Authentication (MFA)
If you think passkeys are just MFA, you’re mistaken. While the concept is similar, with passkeys, password dependence is removed entirely, with a passkey serving as the primary means of authenticating and accessing an online account. If you don’t have access to your passkey, and a passkey is enforced for the account access, then you can’t login.
Contrarily, MFA is an additional prompt for a token, biometric touch, or some other factor in addition to inputting your username and password to login to an account. Let’s assume your MFA is an SMS text of a randomly generated number. If a hacker were to “SIM-hijack” or “SIM swap” your number used for MFA, now the hacker can gain access to your account. If you reused credentials on the app or platform the hacker is targeting – the same credentials that were part of a prior data breach, for example – the hacker now has defeated your security mechanisms in place for account access.
A passkey aims to eliminate the above scenario. The hacker would need to gain access to a physical token, if enrolled as a passkey, or steal your smartphone. Luckily, Apple has just released new iPhone stolen device protection in iOS 17.3 to eliminate a previous vulnerability of bypassing FaceID if the device PIN was known to the person who stole the iPhone.
To summarize, key differences between passkeys and multi-factor authentication are:
- Password Dependence: Passkeys eliminate passwords entirely, while MFA requires a password as the first step.
- Convenience: Passkeys are generally more convenient, requiring only a biometric check, or a physical touch of a token, such as a Yubikey.
- Universality: Passkeys are still in their early stages of adoption, while MFA is more widely available. Always opt to protect your account with a passkey instead of MFA, if possible.
How to protect against lost Passkeys: Have a Backup!
The benefits of passkeys are probably making you say, “Great! Let’s convert everything to a passkey!” and you dump passwords for good. But then, some of you may start to wonder, “Hey, what if I lose my passkey?”, assuming you use something like a physical token, or change smartphones.
Passkeys are like data: it’s good to have backups just in case. Also, never have a single point of failure. For these reasons, we recommend the following:
- Check for Recovery Options: Some services that utilize passkeys may offer alternative methods for account recovery. This could involve answering security questions, providing backup email addresses or phone numbers, or using other authentication factors you previously set up.
- Consider Preventive Measures: Consider setting up additional security measures such as multi-factor authentication (MFA) with backup methods like authenticator apps, backup codes, or backup hardware tokens like YubiKeys. Some platforms even require backup passkeys, such as Apple for Apple ID.
- Backup or Export your Authenticator App Tokens: If you do use authenticator apps from providers such as Google or Microsoft, ensure that before you switch smartphones, you export or sync your authentication tokens stored for account access. Otherwise, if you wipe your smartphone and don’t import the stored authentication tokens to your new device, you will essentially be locked out of the accounts you enabled that MFA or passkey token for. Google optionally allows you to synchronize your authenticator app tokens to your Google profile. However, be aware of inherent risks if your Google account is compromised (end-to-end encryption has at least been resolved). Consider temporarily syncing the tokens for device upgrades and then disable the token synchronization.
