Tech giants like Apple and Google don’t always have the same mindset when it comes to innovation. For example, take the RCS vs. iMessage debate. But if there’s one thing they’ve agreed on over the years, it’s to do away with passwords and introduce the next step in online security: passkeys. As this report shows, many of us choose the weakest passwords that are easy to crack. So it makes sense that tech companies want an alternative to passwords. It has also been adopted by other companies such as Microsoft and PayPal.
But what exactly is a passkey and how does it work? More importantly, how is it different from the passwords we’ve been using for nearly half a century? Let’s take a quick look at the technology in InDepth.
Why are passwords no longer enough today?
Despite innovations such as facial recognition and fingerprint scanners, passwords still dominate personal identity on the Internet. Passwords can bypass other forms of identity verification, such as facial recognition and fingerprint recognition. Even portals where accounts are protected with a password/passkey combination are not completely secure. Sophisticated attack methods, including SIM cloning, may allow hackers to bypass it.
It also doesn’t help to create passwords that are very easy for most users to crack. A recent NordPass report shows that the most common passwords in India are “password”, “123456”, “pass@123” and “abcd1234”, and the situation is not much different in other countries. increase. Most of these passwords can be cracked in less than a second, even with modern tools and software.
The data breach at one of the biggest tech giants like Meta (formerly Facebook) also exposed usernames and passwords, causing confusion for both tech companies and consumers.
What is a passkey?
A passkey is a more secure login method. It’s also touted as a technology that will eventually replace passwords and eliminate the risk of security breaches, hacks, and identity theft. We aim to make our platform and accounts passwordless within a few years. The decision is expected to be endorsed by other members of his FIDO Alliance, including other companies such as Amazon, Intel, Lenovo and Visa. If passkeys were implemented, as they are today, users would be able to log into their accounts using the autofill services that browsers currently offer.
How does the passkey work?
The passkey can be a little difficult to figure out, especially if you’ve been familiar with your password for a long time. Before discussing passkeys in detail, let’s do a quick recap to help you understand the differences in implementation.
If you use a password, the website you visit has a copy of it, and so do you. When you enter a password such as “abcd1234”, the website compares what you typed against the exact copy of that password stored on the server. It then asks you to authenticate your login attempt or try again.
This comprises the actual password on three different levels. A copy of the password “abcd1234” exists with the user. The user may lose it, disclose it intentionally/accidentally, store it in an insecure location or write it down and extract it from there. Another copy of the same ‘abcd1234’ also exists on the website server and could be exposed in the event of a mass data breach.
Even if your password is safe for both you and his website server, an attacker can use methods such as phishing or logging his keyboard to intercept the interaction between the two and obtain your password. can. Enter a passkey based on what is known as public key cryptography.
Instead of having two vulnerable copies of passwords with the user and the server, the user will have a unique password on their device – a strongly encrypted piece of code that will never leave the device ( e.g. phone or laptop). This is the private key.
Then there is another key with the server, called the public key. The important thing here is that you cannot guess one key from another. However, a single match is generated. Therefore, anything encrypted with either key can only be decrypted by the other.
So when you try to connect, the server sends a puzzle encrypted with the public key and only your device, the device with the private key, can decrypt the puzzle and send it back, for the site knows it’s the authentication puzzle you’re trying to log in without your private key leaving your device.
Why is it better?
Password lock is much more secure and quite easily eliminates most password-related vulnerabilities. For example, because the private key never leaves the boundary of the device you’re using, it cannot be intercepted, viewed, or copied.
The server’s public key derived quiz will also only respond to your device’s private key, which means it can’t be altered, copied, or tampered with en route to your device either friend.
Additionally, a private-public key will only interact with each other, eliminating the possibility that another private key can decrypt information encrypted with your public key. When creating a password, the device will use existing security, such as fingerprint and Bluetooth proximity, which will be a one-time process.
A password-free future is closer than you think.
Apple has already started using passkeys with select websites and services, a list that is expected to grow soon since announcing passkeys at WWDC earlier this year. Meanwhile, Google is set to bring passkey support to Android and ChromeOS soon. The two tech giants along with Microsoft are set to go passwordless by next year. Other manufacturers and companies are expected to also follow up in the years to come.