- IAM Glossary
- What is a Passkey?
A passkey is a modern passwordless authentication technology that allows users to log into accounts and apps using a cryptographic key instead of a password. A passkey leverages biometrics (fingerprint, face recognition, etc.) to confirm the user's identity.
What’s the Difference Between Passkey and Password?
Despite having similar names, passkeys are very different from passwords.
What is a Password?
A password is a string of characters that users must provide when logging into a website or app, usually in conjunction with a username. To prevent data breaches and account takeovers, NIST recommends that passwords consist of the following:
- A minimum of eight characters
- The ability to use all special characters, but no special requirements to use them
- Restrict sequential and repetitive characters (e.g., 12345 or aaaaaa)
- Restrict context specific passwords (e.g. the name of the site)
- Restrict commonly used passwords (e.g. qwerty, password123) and dictionary words
What is a Passkey?
A passkey is a new authentication technology that uses public key cryptography to enable users to log into websites and apps without having to enter a password. Instead, users authenticate the same way they unlock their phones and tablets: with their fingerprint, face or other biometrics; by using a swipe pattern; or by entering a PIN. For purposes of convenience, most people will opt for biometric authentication.
Instead of creating a password to log into an account, users generate a passkey – which is actually a pair consisting of one private and one public key – using an “authenticator.” This “authenticator” can be a device, like a smartphone or a tablet, a web browser, or a password manager that supports passkey technology.
Before generating a passkey, the authenticator will require that the user identify themselves using a PIN, swipe pattern or biometrics. The authenticator then sends the public key (which is roughly equivalent to a username) to the account web server for storage, and the authenticator securely stores the private key locally. If the authenticator is a smartphone or other device, the private key will be stored in the device keychain. If the authenticator is a password manager, the private key will be stored in the password manager’s encrypted vault.
How Does a Passkey Work?
To create a new passkey, the user signs into their account normally and then enables the passkey option from the security settings screen of the website or app. The website or app then prompts the user to save a passkey associated with their device. The web browser or operating system will then request biometric authentication to approve the request, and the passkey is stored locally.
Subsequent logins to the website will then prompt the user to use a passkey from their device to login, instead of a password. If the web browser supports synchronization of passkeys between devices, the passkey will be available across those devices.
If the user is using a device that doesn't have a passkey for the website or app, they may have the opportunity to use another device. If the browser supports cross-device authentication, the browser may prompt the user with a QR code that can be scanned by a mobile device to complete the sign-in. Cross-device authentication also involves the use of Bluetooth to ensure proximity.
This is what the end user sees. Let’s take a look at what’s going on behind the scenes, at the server level. When an end user attempts to log into their account with a passkey, the account server sends a “challenge” to the authenticator, consisting of a string of data. The authenticator uses the private key to solve the challenge and sends a response back, a process known as “signing” the data and verifying the user’s identity.
Notice that at no time during this process does the account server need to access the user’s private key, which also means that no sensitive information is ever transmitted. This is possible because the public key – which the server stores – is mathematically related to the private key. The server needs only the public key and the signed data to verify that the private key belongs to the user.
Are Passkeys More Secure?
Passkeys are more secure than passwords, for numerous reasons:
- For passwords to work, account servers must store them – or at least their hashes – so they can compare the stored data with the password the user enters. As mentioned in the previous section, passkey technology doesn’t require account servers to store users’ private keys, only their public keys. If the account server is breached, threat actors will access only public keys, which are useless without the accompanying private keys.
- Most people have poor password hygiene. They use passwords that are too short, or contain dictionary words, or biographical information that’s easy to guess. They reuse passwords across multiple sites. And instead of using a password manager, they store their passwords on sticky notes or in unencrypted text files. Passkeys, on the other hand, are generated by the user’s authenticator, so they’re always highly complex and unique to every user and every account, every time.
- Many people also don’t secure their accounts with two-factor authentication (2FA). Passkeys depend on 2FA by design; to use a passkey, an end user must have their authenticator close by, satisfying the criteria of something you are (the biometric) and something you have (the authenticator).
- Unlike passwords, passkeys can’t be compromised in phishing schemes, because it’s impossible to trick a user into entering a passkey on a phony lookalike site.
Will Passkeys Replace Passwords and Password Managers?
While passkeys may eventually replace passwords, they won’t replace password managers. Instead, password managers will become even more important. This is because passkeys are tied to an authenticator. Users have a choice as to whether to use a device – usually a smartphone, but a tablet, laptop or desktop could work – or a password manager that supports passkeys.
At first, using a smartphone as an authenticator may seem like the logical option, as most people have their phones with them all the time. However, since most people use multiple devices, this quickly becomes inconvenient. If a user wants to access an account or app on a different device, like their laptop or tablet, they would have to generate a QR code on that device, then scan it with their authenticator, then use their biometrics to finally sign in.
A password manager like Keeper, which will be rolling out support for passkeys in early 2023, will greatly simplify this process by tying the passkey to an application instead of a physical device.
What Companies Support Passkeys?
As of this writing, the number of websites and apps that support this technology is still small. Apple, Microsoft, Best Buy, GoDaddy, PayPal, Kayak and eBay are among the major names that support passkeys right now.
However, because of their convenience and security, passkeys are rapidly growing in popularity. Google rolled out passkey support to Chrome stable M108 for Windows, Android and macOS in December 2022, with support for iOS and Chrome OS in the works, as well as a new API set that will bring passkeys support to Android apps.
