If you are always logging into multiple websites or services online or using apps to login, you should have seen your phone or computer prompting you to create a “passkey”. Most people in an effort not to be delayed or bothered, will just accept yes and move on and everything seems to be work. But hang on, what’s going on and what is this passkey? Should I be worried and what is the fuss all about? Well, you have come to the right place to get some answers. Yes, what you did accepting the creation of the passkey is a very good thing even if you might not have known it at that time 😁. I’ll try to keep it short and sweet in this article.

What are passkeys?

Passkeys are a password-less technology that allow you to login into websites and online services by using public key cryptography at its core. They are a very secure and convenient mechanism to prove your identity without having to remember a password with your mobile devices,  laptops, phones and security keys taking care of the inner details. No more remembering passwords like “password123” or “123456789” or “qwerty” which in this case are poor examples of passwords.

With the now old mechanism of using passwords, a user usually needs two bits of information, a username and a password. All apps or systems then have a username and password form where you type in these details with the website/service confirming if they match and then give you access. The user must remember the password for the different systems they use. These login details need to be stored at the website you are logging into, and this is a problem when systems are hacked and compromised. But this is what we have known for a very long time and despite its hiccups every now and then, it has worked ok for users. 

How do passkeys works?

Public key cryptography, also known as asymmetric cryptography, is the foundation of passkeys. It uses a pair of mathematically linked keys: a public key and a private key. When you create a passkey, a private key is securely stored on your device (e.g., your phone or laptop), and the corresponding public key is sent to the website or service you’re logging into. The public key can be shared widely without compromising security. When you authenticate, the website uses your public key to present a challenge, which your device’s private key then signs. The website verifies this signature with the public key it holds. Since only your device has the private key, this process proves your identity without ever sending your private key or a  over the network, making it highly secure and resistant to phishing attacks.

Key concepts of how this works:

• Passkey is stored securely on your device (like your phone, laptop, or security key) on creation.
• Protected by biometrics (Face ID, Touch ID, fingerprint, etc.) or your device’s PIN.
• When you sign up or log in, the website asks your device to prove your identity.
• Your device signs a challenge with a private key (kept secret on your device).
• The website checks it with the matching public key.
• If the website can decipher the challenge, then it can confirm that it’s you who is logging in
• The websites then logs you in and life goes on

Why are passkeys preferred to passwords?

Glad you asked. Having used passkeys for some time now, there are benefits to switching to passkeys if they are available.

No need to remember any passwords – just this alone is good enough for me to switch to passkeys immediately. I know I authored an article talking about Password Managers and how useful they are in helping you remember passwords. But this goes beyond that, as its simpler and cleaner and more secure and provides a better user experience.

They are very convenient – logging into websites is reduced to just looking into your phone with something like FaceID or putting in a pin or like myself, just use fingerprint reader on my phone. Simple and straightforward.

It is very secure – Someone once asked me how using a 4-digit code which enables the passkey is more secure than using a stronger 24 character password. But the truth is that passkeys are significantly more secure because of how they work in the background. The cryptographic private key that’s stored on your device and public key pair is a long, random string of characters that is too complex for brute-force attacks, and this key pair is stored securely on your device and is not meant to be typed by you. Even if the public key is compromised at the service provider by hackers, to a hacker, the key is meaningless and cannot be used to login and impersonate you. They are only meaningful on that specific website and even if someone tries to trick you with a phishing website, the website simply cannot prompt your device to initiate a challenge. And even if the challenge is initiated, on the phishing website, this information is simply unusable and meaningless to the hackers. This is unlike passwords, where if someone types their username into a phishing website (a website designed to look like an original website, with the intention of stealing your login details), with a password system, your login details can be stolen.

In short, without going into more technical details, passkeys are very secure. No passwords to steal, can’t be guessed, and cannot be forgotten as your device keeps them for you.

How can I start using passkeys?

Passkeys are something that are enabled by the service or website that you are using. If the service or website uses passkeys, you should receive the request to save passkeys on your device. For example, my Google Account uses passkeys to allow to login into my Google account without me typing in my password. Because I don’t use my Google account password at all, I have since forgotten it. Every time I need to login, I always choose the option try another method and use passkeys. This then automatically sends a prompt to my phone, where I use my fingerprint, and Google logs me in. When you experience this convenience, you will never want to deal with passwords again. So, if the service that you use supports passkeys and prompts you to use passkeys, please accept the request and you will notice you will never have to remember your passwords at all.

In conclusion

Passkeys are here to stay and will eventually replace password systems. Most of the larger players in the IT industry have already enabled passkeys in their websites and services. Some of the following already support passkeys include eBay, Apple, Google, Microsoft, Amazon, TikTok, Twitter, WhatsApp, GitHub, Uber, LinkedIn, PayPal and thousands other services and websites. This means this is happening, and the better we know about this, the better.