Demystifying Passkeys: The User-Friendly Future of Secure Multi-Factor Authentication

Posted April 9, 2024

If you’re tired of juggling dozens of complex passwords and waiting for one-time codes to arrive via insecure SMS, a new authentication technology called passkeys is poised to make your digital life much easier and more secure. Introduced in 2022 by the FIDO alliance, nearly 92% of devices are now passkey-ready as of April 2024. But how is it possible for a single fingerprint or PIN to act as two-factor authentication and be more secure than a password? Let’s demystify the magic of passkeys.

The Power of Asymmetric Cryptography

Under the hood, passkeys leverage proven asymmetric cryptography using public/private key pairs. When you register a passkey, the private key is securely stored on your device. Only a public key is shared with the online service. During login, the service sends a challenge that your device signs with the private key. The service then verifies the response using the public key. Importantly, the private key never leaves your device.

Your Biometric or PIN Unlocks the Passkey

The private key is useless on its own. Whenever a passkey is used, you must unlock it locally on your device with your biometric or PIN. This acts as a “second factor” – something you are (biometric) or know (PIN). But unlike easily phishable one-time passwords sent via SMS, your “second factor” for passkeys never leaves your device unless encrypted in syncing. A remote attacker cannot steal it.

Syncing Passkeys Across Devices

To be practical, passkeys must be available across your devices. But is it secure to sync private keys via the cloud? Yes, when done properly. Passkey data is end-to-end encrypted by the operating system or password manager before being synced, using keys only available on your local devices. The cloud provider only sees encrypted blobs and cannot access the passkey material itself. This is conceptually similar to how end-to-end encrypted messaging apps like Signal work.

Cross-OS Support for Passkeys

One of the most compelling features of passkeys for many people is their ability to work seamlessly across different operating systems. Major OS providers like Apple, Google, and Microsoft have committed to supporting passkeys, ensuring that users can access their credentials on various devices. This cross-OS support is made possible through the use of standard protocols like WebAuthn and FIDO2.

To take advantage of cross-OS support, users simply need to ensure they are using passkey-compatible devices and platforms. When setting up a new device, users can often restore their passkeys from an encrypted cloud backup tied to their OS account (e.g., iCloud for Apple devices or Google Account for Android). Additionally, users can leverage password managers that support passkeys to sync credentials across different operating systems.

Enabling Zero-Trust Security

With passkeys, we no longer have to assume a user is trusted just because they have the right username and password – which could have been stolen or guessed. Instead, we can continuously evaluate risk signals and ask the user to re-authenticate with their passkey when needed. This enables fine-grained, adaptive access control policies where trust is never implicit – a key principle of zero-trust security.

A Simpler and Safer Future

Passkeys are a win-win for usability and security. So fear not if passkeys seem too simple to be secure — simplicity and security were the whole point of their implementation. As applications and devices add support over the coming months and years, we’ll be able to enjoy the convenience of never having to type a password again, with the peace of mind that our accounts are safeguarded by unphishable cryptographic keys. The future looks bright – and a lot simpler!

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.