Demystifying Passkeys: The User-Friendly Future of Secure Multi-Factor Authentication
If you’re tired of juggling dozens of complex passwords and waiting for one-time codes to arrive via insecure SMS, a new authentication technology called passkeys is poised to make your digital life much easier and more secure. Introduced in 2022 by the FIDO alliance, nearly 92% of devices are now passkey-ready as of April 2024. But how is it possible for a single fingerprint or PIN to act as two-factor authentication and be more secure than a password? Let’s demystify the magic of passkeys.
The Power of Asymmetric Cryptography
Under the hood, passkeys leverage proven asymmetric cryptography using public/private key pairs. When you register a passkey, the private key is securely stored on your device. Only a public key is shared with the online service. During login, the service sends a challenge that your device signs with the private key. The service then verifies the response using the public key. Importantly, the private key never leaves your device.
Your Biometric or PIN Unlocks the Passkey
The private key is useless on its own. Whenever a passkey is used, you must unlock it locally on your device with your biometric or PIN. This acts as a “second factor” – something you are (biometric) or know (PIN). But unlike easily phishable one-time passwords sent via SMS, your “second factor” for passkeys never leaves your device unless encrypted in syncing. A remote attacker cannot steal it.
Syncing Passkeys Across Devices
To be practical, passkeys must be available across your devices. But is it secure to sync private keys via the cloud? Yes, when done properly. Passkey data is end-to-end encrypted by the operating system or password manager before being synced, using keys only available on your local devices. The cloud provider only sees encrypted blobs and cannot access the passkey material itself. This is conceptually similar to how end-to-end encrypted messaging apps like Signal work.
Cross-OS Support for Passkeys
One of the most compelling features of passkeys for many people is their ability to work seamlessly across different operating systems. Major OS providers like Apple, Google, and Microsoft have committed to supporting passkeys, ensuring that users can access their credentials on various devices. This cross-OS support is made possible through the use of standard protocols like WebAuthn and FIDO2.
To take advantage of cross-OS support, users simply need to ensure they are using passkey-compatible devices and platforms. When setting up a new device, users can often restore their passkeys from an encrypted cloud backup tied to their OS account (e.g., iCloud for Apple devices or Google Account for Android). Additionally, users can leverage password managers that support passkeys to sync credentials across different operating systems.
Enabling Zero-Trust Security
With passkeys, we no longer have to assume a user is trusted just because they have the right username and password – which could have been stolen or guessed. Instead, we can continuously evaluate risk signals and ask the user to re-authenticate with their passkey when needed. This enables fine-grained, adaptive access control policies where trust is never implicit – a key principle of zero-trust security.
A Simpler and Safer Future
Passkeys are a win-win for usability and security. So fear not if passkeys seem too simple to be secure — simplicity and security were the whole point of their implementation. As applications and devices add support over the coming months and years, we’ll be able to enjoy the convenience of never having to type a password again, with the peace of mind that our accounts are safeguarded by unphishable cryptographic keys. The future looks bright – and a lot simpler!