Creating, managing, and using complex passwords for the many sites and services we all access is a daunting task. While password managers can assist with the memorization and management challenges, traditional passwords do not leverage modern security capabilities. A rapidly evolving technology involves passkeys in place of passwords. At a basic level passkeys leverage your personal computer, mobile device, or even a password manager to provide a validated (through finger print for example) encrypted response to login challenges from a website you have an account on. This process effectively replaces the matching of a password you submit to one stored on the site. In the passkey scenario you are providing an encrypted answer to a unique challenge and all of the communications are encrypted. Through the use of public key and private key technology and in underlying technology, your identity is verified and access granted without your private key being transferred. There is a more technical explanation of the passkey process here: Passkey (Passkey Authentication) Technopedia June 2023.
Basic passkey process steps:
- You establish a passkey on a website that supports it using a device that supports the technology.
- Once established, when you access a site instead of entering a password, your device will ask you to verify your identity
- You use device-based authentication (PIN number, fingerprint, or facial recognition) on your personal device to authorize website access.
- Your device responds to the site through an encrypted message confirming your identity.
- The website then grants you access.
If you utilize a password manager, most offer support for managing and using passkeys. Cloud services can enable passkey use across multiple devices. While there are many options to explore a simple way to get started would be using solutions from vendors deeply connected to devices and the device operating systems software like Google, Apple, and/or Microsoft. Ars Technica published an article in May of 2023 with frequently asked questions about passkeys Passkeys may not be for you, but they are safe and easy—here’s why The article covers common questions about privacy, personal account security, and trust. The following excerpt from the site recaps how the passkey process works while enhancing your personal cybersecurity. (emphasis added)Services with passkey support
There is no official directory of all providers with passwordless login. Lists are provided by Passkeys.io, Passkeys Directory, and Keeper, among others.
Q: Passkeys give control of your credentials to Apple/Google/Microsoft, to a third-party syncing service, or to the site you’re logging in to. Why would I ever do that? A: Assuming you’re using a password to sign in to a service such as Gmail, Azure, or Github, you’re already trusting these companies to implement their authentication systems in a way that doesn’t expose the shared secrets that allow you to log in. Logging in to one of these sites with a passkey instead of a password gives the sites the same control—no more and no less—over your credentials that they had before. The reason is that the private key portion of a passkey never leaves a user’s encrypted devices. The authentication occurs on the user device. The user device then sends the site being logged in to a cryptographic proof that the private key resides on the device logging in. The cryptography involved in this process ensures that the proof can’t be spoofed.Key takeaways:
- Passwords will still be present for many sites for some time.
- Passkeys provide more secure authentication for sites and device that support them.
- Explore passkeys on a couple of sites and expand your use as you gain experience.
- It is a good idea to try the technology, as it will become more prevalent and in some cases required to access web applications.
