What is a Passkey? Definition, How It Works and More
A passkey is an authentication method that can be used as routinely as a password while providing stronger security. Passkeys differ from passwords in that they combine a private and a public cryptographic key to authenticate the user, whereas a password relies only on a string of characters that must be kept secret.
According to Google, the most immediate benefits of passkeys are that they’re phishing-resistant and spare people the headache of remembering numbers and special characters in passwords.
As passwordless authentication continues to evolve in response to phishing-related risks, consider using passkeys to add a layer of security that protects your online accounts and data.
This article will define passkey technology, explore how it works and discuss the added security benefits of using a passkey.
What is a passkey?
A passkey refers to a code or a series of characters used to gain access to a secured system, device, network or service. Passkeys are often used in conjunction with usernames or user IDs to create two-factor authentication (2FA).
Once you have set up a passkey, logging in completes the authentication process, typically by unlocking the passkey with biometric data such as a fingerprint or facial recognition. For anyone who uses a passkey, logging in becomes a simple, nearly automatic process; for malicious actors, gaining access becomes nearly impossible.
Passkeys are highly adaptable in how they are deployed: they can be cloud-synced or hardware-bound, depending on what the user chooses for a particular application, service or device.
How do passkeys work?
When logging in for the first time, a user who wants to access an app or website that supports passkeys, such as NordPass, will be asked to create a new passkey. This passkey, which will be required for future logins, is unlocked with either biometrics or a personal PIN, depending on the user’s choice and the capabilities of their preferred device.
Figure A
During this step, two mathematically linked cryptographic keys are generated: a public key that is stored by the website, service or application and linked to the account, and a private key that stays on the user’s hardware or in their cloud account. On each subsequent login the service or application sends a randomly generated “challenge” to the user’s device, which must answer it by signing the challenge with the private key.
The app or website then uses the corresponding public key to verify the signature, which confirms that the response came from the holder of the private key. If the signature verifies and covers the challenge that was originally issued, authentication succeeds and access is granted; if not, access is denied.
This authentication process runs in the background, so on the user’s end logging in is seamless, taking just the click of a button.
Figure B
Can passkeys be shared?
The implementation of passkey technology is still developing, but some companies have mentioned the potential for credential sharing among users, as long as the actual passkeys are kept safe in the cloud and out of the hands of potential hackers. Since sharing account access with family, friends and coworkers would be a very simple and quick process, this feature may improve the overall user experience. However, it is still unclear how this function can be securely managed in a business setting.
Another crucial factor is whether businesses should become even more dependent on cloud providers, giving up still more ownership and control over credential management, given that a breach at one of those providers would, without a doubt, have disastrous consequences.
Hardware-bound passkeys, as opposed to cloud-based passkeys, are stored on security keys, physical hardware authenticators or specialized hardware integrated into laptops and desktops. This means the passkey can be neither transferred nor duplicated. Hardware-bound passkeys can be an alternative for organizations wanting to prevent employees from copying or sharing keys across devices.
Are passkeys more secure than passwords?
In general, both passkeys and passwords can be secure if managed properly. However, security depends on various factors, including the complexity of the authentication method, the quality of the implementation and how well users manage and protect their credentials. To be deemed secure by today’s standards, passkeys and passwords should have the following characteristics:
- Complexity: The longer and more complex the passkey or password, the harder it is for bad actors to compromise.
- 2FA: A second factor of authentication can enhance security for both passkeys and passwords, making it more challenging for unauthorized users to gain access.
- Encryption: Strong encryption methods are crucial for protecting stored credentials.
Ultimately, the security of passkeys and passwords does not depend inherently on the type of credential but on how they are implemented and managed.