Is this finally the end of passwords?

Posted on May 14th, 2025 | Written by Ken Holmes.

The UK Government has announced that it will be embracing the use of passkey technology to log on to the services it provides. This is seen as being more secure and more user-friendly than the usual user account – password – multifactor authentication (MFA) combination recommended previously.

But what exactly are passkeys, why are they a better solution and do they really mean the end of passwords? Let’s delve a little deeper…

So what is a passkey?

The basic principles used by a passkey have been around for many years and are a fundamental form of cryptography. When you register with a website to use a passkey, your device creates two electronic keys – a public one which it gives to the website, and a private one which is stored on your device. These keys are different, but linked, so that a message signed with your private key can only be verified using the matching public key. When you come to log in, the website sends a challenge message to your device. Your device signs the message with its private key (which only it knows) and the website uses your public key to check the signature – if the check succeeds then it knows that you must have the correct private key and you’re in!

Your passkeys can be stored on a wide range of devices, including mobile phones and laptops, in a credential manager, which also allows them to be backed up so that all is not lost if you lose your device.

For example, I might use the Microsoft Authenticator app on my iPhone to create and store my passkeys (or I could use iCloud Keychain). My iPhone links to my laptop via Bluetooth so that when I come to a website that I need to log on to, the iPhone provides the necessary passkey without me having to do much. The iPhone simply checks it’s me using the usual face scan or fingerprint I use to unlock the device.

Why is a passkey better than a password?

Where do we start! First of all there’s nothing to remember, nothing to lose or have stolen, and you won’t have to navigate the awkward complexity rules when creating a password initially. Many of the dangers of phishing messages are reduced, especially as the passkey will only be triggered if the website is the correct one and not a fake. You won’t have to receive an SMS and type in a number to keep your account protected, or try to find the right code from the long list in your authenticator app. All of this means that your logon experience can be quicker and less taxing on your brain.
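The login exchange from "So what is a passkey?" and the phishing point above, shown as an added example in JavaScript (Node.js) that is not from the original article. It is a simplified model, not the real WebAuthn message format; the `Device` and `Website` classes and the `example.test` / `examp1e.test` domains are constructed for illustration.

```javascript
// Simplified model of passkey login (assumption: not the real WebAuthn wire format).
const crypto = require('node:crypto');

// Device side: one key pair per website, filed under that site's domain.
class Device {
  constructor() { this.passkeys = new Map(); }
  register(domain) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.passkeys.set(domain, privateKey);   // the private key never leaves the device
    return publicKey;                        // only the public key goes to the website
  }
  // Called by the browser with the address the user is really on.
  answer(origin, challenge) {
    const privateKey = this.passkeys.get(new URL(origin).hostname);
    if (!privateKey) return null;            // unknown site: no passkey is offered
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: crypto.sign('sha256', clientData, privateKey) };
  }
}

// Website side: stores the public key, issues one-time challenges, checks replies.
class Website {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enrol(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('hex');
    this.pending.add(c);
    return c;
  }
  login(reply) {
    if (!reply) return false;
    const { origin, challenge } = JSON.parse(reply.clientData.toString());
    if (origin !== this.origin) return false;           // signed for a different site
    if (!this.pending.delete(challenge)) return false;  // unknown or already used
    return crypto.verify('sha256', reply.clientData, this.publicKey, reply.signature);
  }
}

// Constructed scenario: example.test is the real site, examp1e.test a look-alike.
function demo() {
  const device = new Device();
  const site = new Website('https://example.test');
  site.enrol(device.register('example.test'));
  const good = device.answer('https://example.test', site.newChallenge());
  const genuine = site.login(good);
  const replayed = site.login(good);   // the same reply sent a second time
  const lookalike = device.answer('https://examp1e.test', site.newChallenge());
  return { genuine, replayed, lookalike: site.login(lookalike) };
}
```

The genuine login succeeds, while the replayed reply and the look-alike domain are both refused; there is no shared secret on the website for anyone to steal.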

Does this mean that passwords are dead now?

Not yet! But the list of websites and other services that allow the use of passkeys will surely grow, as will the public awareness and usage of them. At this early stage there is still an issue with passkey standards, and industry groups such as FIDO (Fast Identity Online) Alliance are working to get to a point where as many devices as possible support passkeys in the same way, making their adoption by websites easier. See a list of organisations that have adopted their standard already.

What if a website doesn’t support passkeys yet?

Ask them why and suggest that they get with the times! In the meantime, all of the normal recommendations apply: choose a long, hard-to-guess password that is different to all your other passwords and set up MFA straight away. Given how obviously difficult it is to use different passwords, you’re best to use a password manager to keep track of them all, but make sure your master password is a good one. Why not look for a password manager that has already adopted passkeys and use that to log on to it?

Final thoughts

It’s taken a long time, but it does feel like it’s the beginning of the end for the password era. Passwords have long been possibly the biggest weak link in the chain of cybersecurity and it’s good to have the option to do away with them, at least in part. But the key to this will be adoption and it’s up to organisations to push the benefits, both in terms of support on their web services, and for their internal users. The challenge will be to encourage widespread public adoption but this will come in time, even if it takes a generation or two.

RIP passwords!

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
