Passwords pose a serious problem. They are often weak, they are reused, and they get stolen or leaked. You've read that before. You may have also read about various attempts to augment or replace passwords - multi-factor authentication or MFA, security keys, passwordless links and more recently, WebAuthn. Today though, we'll cover passkeys - a new(ish) type of login credential proposed by Apple, Google, Microsoft and others.
Based on the FIDO2 WebAuthn standard, passkeys are meant to be a phishing-resistant alternative to passwords. They are easy to use, work across most operating systems and devices, and offer strong protection against phishing and account hijacking attempts. WebAuthn sounds meh to most users - think of passkeys as the layman-friendly version. 'Passkey' is trademarked though, so we'll see how the industry navigates that small hiccup.
Apple first announced the ambitious plan to get rid of passwords at WWDC21, their annual developer conference. WebAuthn (ergo passkeys) uses public-key cryptography instead of shared secrets. A unique public-private key pair is generated, the private key is stored securely on your device, and the public key is shared with a website during first registration. For subsequent logins, the website sends a single-use challenge to your device, which signs the challenge using the stored private key and allows the website to validate it using the stored public key. Apple modified this flow to include Touch ID or Face ID for biometric verification, and to sync the Apple Passkeys across devices using the iCloud keychain. Passkeys are tied to the device they were generated on (say, an iPhone) so, to use them on another device (say, a Macbook), users need to generate a QR code on the Macbook and scan it with biometric verification on their iPhone to sign in.
After testing it with developers for a while, Apple announced at WWDC22 that passkeys will be generally available later this year. Just a month earlier at I/O 22, Google had also announced support for passkeys. On Android devices and Chrome, passkeys get backed up to your Google account similar to passwords in a password manager, and sync'd across devices where the user has logged in. The third part of this video offers a brief demo on the usage of passkeys.
Here's another video from the FIDO Alliance, the consortium behind the WebAuthn standard, demonstrating "multi-device FIDO credentials" aka passkeys in action.
So, why should you care? If widely adopted (and there's a good chance given the push of the OS titans aka Apple, Google and Microsoft), passkeys could significantly raise the bar for end user security. Logging in with something you have and something you are is more intuitive and secure with than doing it with something you know and something you have/are. Kinks around user awareness, co-existence with passwords, passkey sharing and account recovery are still being ironed out, but support for passkeys is vigorously trending forward. And, while security is guaranteed, interoperability is another beast that the industry will have to slay to ensure passkeys work seamlessly across operating systems and devices.