Passkeys are a form of passwordless authentication. They consist of two keys, a public key and a private key. Cryptographic keys are large numerical values used in tandem with an encryption algorithm to encrypt or decrypt data. Public keys are sent to apps or websites accessed, while the private key is stored only on the user’s device or secure cloud account.
For instance, an Android phone may store private keys in it’s Google Password Manager, and Apple iPhones store passkeys in the user’s iCloud Keychain. With a private key stored locally, the user’s device can securely authenticate with third parties using public-key cryptography. Using a biometric challenge on a device as an ‘authenticator’ signals the keystore to enable the use of its private key. As a result, the user can have secure accounts without having to deal with usernames, passwords, or two-factor authentication.
Public-Key Cryptography in action.
Ref: Okta Developer Blog
Many places including: devices, browsers, clouds, and SaaS/web apps.
Microsoft recently announced, “support for the expansion of a common passwordless standard created by the FIDO Alliance and the World Wide Web consortium”. Windows and Azure Active Directory have supported the ability to remove passwords from your account. In the first half of 2022, approximately 330,000 people removed the password from their Microsoft Account.
Mobile devices such as iPhone and Android use biometric means (finger scans or facial recognition) to verify the user and enable passkey authentication. With the recent release of iOS 16, iPhone’s can store passkeys on iCloud keychain. Android devices are also supporting passkeys via Google Password Manager.
For browsers, passkey support rolled out to Chrome Stable version M108. Safari also added browser support for passkey authentication in version 16.1. Browser support enables web apps to make use of passkeys via WebAuthn API. Many early-adopter apps already offer passkey authentication. SaaS/Web support will follow device and cloud support as the user requires a secure local store as a prerequisite.
While passkeys will take some time to roll out, it is clear that they improve security and user experience. The largest attack vector is the password, with roughly 90% of data breaches caused from phishing attacks that compromised account security. Password attacks will be ineffective against passkey authentication. The social engineering risk of accidentally giving away credentials will similarly be mitigated.
The use of passwords creates significant security risks, which has led to phishing attacks increasing year over year. With passwords being worse for security and user experience, it’s no wonder password based authentication is being phased out. It’s likely that significant monetary losses due to password attacks will further accelerate the rollout of passkeys and passwordless forms of authentication.
For more info: