Passkeys vs. Passwords: The downfall of passwords.
What is a password?
A password is a combination of letters, numbers, and symbols used to keep a secret and to confirm someone’s identity. Passwords have been used since Roman military times to protect access to specific areas. On computers, passwords have been there since the beginning: CTSS, an operating system introduced at MIT in 1961, was the first computer system to implement password login. Nowadays, passwords are used extensively to protect a wide range of devices and accounts.
Will passwords become obsolete?
Day by day, technology keeps improving and providing more secure ways to store users’ personal data. Since the beginning of the internet, we have relied on passwords to authenticate our identity. Over time, passwords have gone from any possible input to a complex combination of characters, letters, and numbers. As the internet expanded and grew, it attracted the attention of malicious actors such as hackers, who use social engineering attacks to steal any useful user data. Nowadays, even a complex password is not enough on its own, and to authenticate our identity we have learned to use more complex methods such as two-factor authentication, push notifications, and key vaults, among others. Recently, a simpler solution has emerged: passkeys.
What is a passkey?
Passkeys, like passwords, are used to authenticate identities and log in to accounts. To use a passkey, a prompt or challenge is sent to the user’s device. Then the public key held by the application’s server is compared to the user’s private key. Using a passkey also requires some type of biometric to authenticate the user’s identity.
When setting up a passkey in Google Chrome, a prompt pops up on the computer asking the user to select the device where the passkey will be created. Then a notification is sent to the selected device providing this same information. After the device is connected to the computer, Google Play asks for the email address linked to the passkey. Finally, after the account is selected, there is a request for the user’s fingerprint, and then the passkey is created and stored in the Google account. From then on, every time the user wants to log in to the site, a prompt is sent to the linked device asking for the biometric information.
Other than Google, many market titans, such as Apple and Microsoft, are allowing the use of passkeys.
For Apple, any device with iOS 16 can use passkeys to authenticate users; passkeys use Touch ID and Face ID for authentication. For Android, passkeys are stored using Google Password Manager. For Microsoft, Windows Hello is used to manage passkeys on both Windows 10 and Windows 11.
The difference between using a password and using a passkey is security. With passkeys, the challenge sent for authentication is different every time the user logs in to an account. With passwords, people nowadays have so many accounts that they use the same password for every account, so a password stolen in a data breach of one account could be used on all of the user’s other accounts. Furthermore, with passkeys, needing access to both the private key stored on the device and the public key on the server provides a better security factor: even if the device containing the private keys is stolen, the public key is safe on the server. Also, if many public keys are stolen during a data breach, the private key is safe on the user’s device, and the biometric information is another security factor. Another point against passwords is that users don’t like to remember difficult passwords. Even though there are options like password vaults that store any complex password, most people prefer to create a simple password that is highly vulnerable and could easily be the subject of a dictionary attack.
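The challenge flow described under "What is a passkey?" and the breach comparison above, as an added example that is not from the original article: in public-key authentication the device signs the server's challenge with its private key, and the server checks that signature against the stored public key. This is a simplified sketch using Node.js's built-in `crypto` module rather than the WebAuthn wire format; `createAuthenticator`, `createServer`, `demo` and the user name are hypothetical, and the biometric prompt that unlocks the key on a real device is omitted.

```javascript
// Added example: simplified passkey-style challenge-response, not the WebAuthn wire format.
const crypto = require('node:crypto');

// Device side: the private key stays inside this closure. On a real device,
// a biometric check would gate the sign() call (omitted here).
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { publicKey, sign: (challenge) => crypto.sign('sha256', challenge, privateKey) };
}

// Server side: stores public keys only and one outstanding challenge per user.
function createServer() {
  const publicKeys = new Map();
  const pending = new Map();
  return {
    register(user, publicKey) { publicKeys.set(user, publicKey); },
    issueChallenge(user) {
      const challenge = crypto.randomBytes(32); // different on every login
      pending.set(user, challenge);
      return challenge;
    },
    verify(user, signature) {
      const challenge = pending.get(user);
      pending.delete(user); // single use, whatever the outcome
      if (!challenge || !publicKeys.has(user)) return false;
      return crypto.verify('sha256', challenge, publicKeys.get(user), signature);
    },
  };
}

function demo() {
  const server = createServer();
  const device = createAuthenticator();
  server.register('alice', device.publicKey); // constructed sample user

  const captured = device.sign(server.issueChallenge('alice'));
  const firstLogin = server.verify('alice', captured);

  // Replay: the next login has a new challenge, so the old signature fails.
  server.issueChallenge('alice');
  const replay = server.verify('alice', captured);

  // Breach: an attacker who knows the stored public key still lacks the
  // private key and can only sign with a key of their own.
  const forged = server.verify('alice', createAuthenticator().sign(server.issueChallenge('alice')));

  return { firstLogin, replay, forged };
}
console.log(demo());
```

Unlike a password database, the server's `publicKeys` map holds nothing that has to stay secret for logins to remain safe.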
Overall, passkeys have proven to be more secure than passwords. They are an alternative we should all start exploring as the number of cyberattacks increases every day. Using passkeys is also easier than using passwords because there is no memorizing required, just clicking notifications. At the moment, there are just a few companies providing this alternative, but I believe we are leaning towards a future where it will become the most used option for authentication.