There is a good chance that you and nearly everyone else will be using passkeys in the near future.
Passkeys are the FIDO Alliance’s latest attempt to move the world from passwords to something more secure. The “Big 3” (i.e., Apple, Google and Microsoft) have strongly committed to supporting passkeys natively in their operating systems and applications. After years in which no passwordless solution gained critical momentum, this passwordless initiative is likely to pay off. In the process, it promises to establish FIDO authentication as one of the major players in the world of passwordless authentication, something FIDO has been pushing for since 2013.
Learn more about FIDO authentication in general and the inherent protections it provides.
Passkeys are FIDO-enabled authentication credentials that use public key cryptography (i.e., asymmetric private/public key pairs) tied to a particular user, their devices and the websites/services/applications they log into (aka “Relying Parties”). When the user tries to log into a participating Relying Party (RP) they have already registered with, the user is prompted to perform an action (known as a “gesture”) to approve the login. The approval can be requested on any passkey-enabled device the user has, such as their cell phone or laptop. The gesture can be any of a number of actions, including clicking on the login acknowledgement message, touching a USB key or swiping a fingerprint on a biometric reader. Which gesture is required depends on the FIDO solution involved.
One of the most crucial aspects of this new passkey technology is that a user’s passkeys are synchronized between the user’s various devices. This is very important for usability and user adoption. One of the key problems with most passwordless alternatives is that the more strongly protected login credentials cannot easily be shared among a user’s different devices the way a password can. One of the few benefits of passwords is that a user can use them anywhere they can reach the RP that accepts them. Users can use passwords to log into their websites even when they are on a new device, a friend’s computer or a computer at a hotel or conference. From a security perspective there are concerns about typing a password into just any device, but users love the ability to use their password wherever they want.
Most passwordless options only work where they are installed and registered. If you registered and use one on your laptop and then want to use it on your cell phone, you have to set up a brand-new instance of the same passwordless option. Users do not like rework.
Passkeys solve this problem by allowing all of a user’s passkeys to be synchronized across all the devices the user uses, although, at least for now, the synchronization is handled by each Big 3 vendor’s operating system or application and will likely be tied to just one platform at a time. For example, Apple will synchronize passkeys used on Apple products only. If the user also uses a Google Chromebook, it will likely need another set of passkey credentials. With the exception of Apple, passkeys can also be prevented from syncing if that is what the user wants. Synchronization is tied to the user’s main platform credential (i.e., iCloud, Microsoft Account, Gmail account, etc.). A user’s passkeys will be automatically synced to any device connected to the same platform using that same platform credential.
It would be even better if we had cross-platform support already, but even so, how nice will it be to get a new phone or laptop and have all of your passkeys automatically follow you once you log in with your same OS credentials, much like how your browser settings follow you when you log into a new computer.
Each time the user attempts to log into a new passkey-enabled RP, the user will be prompted to “register”. The user fills out the requested information and is then prompted to provide their “gesture”, whatever it is for that solution, to initiate the registration process. The registration process generates a new key pair for the user tied to that particular RP. Key pairs are unique to the combination of user and RP. Each RP and passkey client uses an open protocol called WebAuthn, together with the FIDO APIs, to handle the authentication actions.
Passkey Support Options
Apple Safari, Google Chrome and Microsoft Edge browsers already have support. The most popular operating systems, browsers and mobile devices will have passkey support. Apple has support in macOS Ventura, iPadOS 16, and Safari 16.1 on Monterey and Big Sur. Google announced passkey support for Android by October 2022 and for Chrome OS by 2023. Microsoft is expected to have support in Windows in 2023. Various Linux distributions, browsers and applications are also adding support.
When a user attempts to log into a passkey-enabled RP, the RP sends a “challenge” to the user’s passkey-enabled device. The user performs the required gesture, and the passkey technology then “unlocks” the private key associated with that specific RP, which is used to sign a “response” back to the RP. The RP uses the corresponding public key, stored at registration, to verify the response; if it verifies, the RP accepts the user’s login.
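The registration and challenge/response login described above, as an added Go example (not code from the article, the FIDO Alliance or any vendor): the authenticator generates a key pair for one RP, the RP issues a random challenge, the signature covers both the RP identity and the challenge, and the RP verifies with the stored public key and then discards the challenge so a replayed response fails. The RP id string, the `|` separator and the hashed layout are simplifications assumed here, not the exact WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator holds one passkey: a private key generated for exactly one RP at registration.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}
// RelyingParty keeps only the public key and the single challenge it is currently waiting for.
type RelyingParty struct {
	id      string
	pub     *ecdsa.PublicKey
	pending []byte
}
// Register creates a fresh P-256 key pair; the private half never leaves the authenticator.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	return &Authenticator{rpID: rpID, priv: priv}, &RelyingParty{id: rpID, pub: &priv.PublicKey}, nil
}
// Challenge issues a random nonce for this login attempt and remembers it so it is accepted at most once.
func (rp *RelyingParty) Challenge() []byte {
	rp.pending = make([]byte, 32)
	rand.Read(rp.pending) // error handling omitted in this constructed example
	return rp.pending
}
// signedData binds the signature to RP id and challenge (a simplified authenticatorData||clientDataHash).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
// Sign is the step after the user's gesture unlocks the private key.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(a.rpID, challenge))
}
// Verify accepts the login only for the outstanding challenge, then discards it so a replay fails.
func (rp *RelyingParty) Verify(sig []byte) error {
	if rp.pending == nil { return errors.New("no outstanding challenge: replayed or unsolicited response") }
	ok := ecdsa.VerifyASN1(rp.pub, signedData(rp.id, rp.pending), sig)
	rp.pending = nil // one challenge, one answer
	if !ok { return errors.New("signature does not verify under the registered public key") }
	return nil
}
```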
Passkeys are intended to replace passwords. Many RPs will just request the user’s passkey for the user to successfully log in. If an RP uses multifactor authentication (MFA), the user can be prompted for a passkey and something else (e.g., PIN, USB device, biometrics, etc.).
Caveats to Using Passkeys
As great as FIDO passkeys are, passwords are not going completely away anytime soon. They are likely to be with us for a decade or more. Also, storing more of your authentication credentials in one place, as passkeys do, means that a single compromise of your devices could give an attacker access to more of your logins at once. However, that risk is always present, even with passwords and password managers, and it is expected that the major vendors will use ever-improving intelligent detection to make sure it is really you using your passkeys. Any risk of using passkeys is smaller than the risk they offset.
FIDO passkeys are a big push in the fight to eradicate passwords. The support of the Big 3 vendors means that widespread adoption is likely. You probably do not have a passkey today, but by this time next year, you likely will. It may not be the death of the password, but it will move us forward quite a bit.