PASSKEYS vs PASSWORDS
Why the future will have no passwords
While passwords are the current standard for logging into digital accounts and platforms, they are fast becoming a relic of the past as the major platform vendors move towards passkeys, a passwordless login method that is more secure and, for most users, more convenient.
Password vs. Passkey
Passwords are user-generated, while passkeys are generated automatically using public-key cryptography. As a new type of digital credential, passkeys, unlike passwords, are resistant to phishing and far harder to compromise: a login requires both the device holding the private key and a user-verification step (a biometric or PIN) on that device, which gives two factors in a single step.
In short, phishing is when a third party impersonates an entity they are not, such as a company, family member, or friend, and persuades an unwitting victim to divulge sensitive information that the attacker can then use to access the victim's accounts.
One common method is a deceptive link that, when clicked, takes the victim to an ostensibly legitimate website that is in fact an attacker-controlled copy which harvests whatever login details are typed into it; the fake site is known as a spoofed site.
While passkeys are more secure than passwords, not all sites and digital platforms currently support passkeys as credentials.
How a passkey works
A passkey consists of a public and a private cryptographic key. The private key is stored on the device used to create the passkey (or, for synced passkeys, in the platform's password manager, which copies it in encrypted form to the user's other devices), while the public key is stored by the company or service the account was created with.
Once a passkey has been generated for an account, it can be used to log in without entering a password. When a user logs into a passkey-enabled account, the server sends a fresh random authentication challenge, via the browser or app, to the computer, phone, or password manager that holds the passkey.
The authenticator then signs the challenge with the stored private key, together with the origin of the site that requested it, and returns the signature. The server verifies the signature with the stored public key, which proves that the user holds the private key, and checks that the origin inside the signed data is its own, which is what makes the login phishing-resistant. Because the private key is only unlocked after the user verifies themselves on the device, a single passkey login combines something the user has (the device) with something they are or know, which is why it is described as two-factor authentication in one step.
The user verification that unlocks the private key can be biometric, such as a fingerprint or facial recognition, or a PIN or swipe pattern on the device.
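To make the exchange concrete, here is an added example that is not code from this article: a Go simulation of the flow with an authenticator that holds private keys, a relying-party server that holds only public keys, and a browser that derives the relying-party ID from the page's own origin. The names (Authenticator, Server, BrowserLogin, Demo) and the domains example.com and examp1e.com are assumptions for illustration; the real protocol is WebAuthn, and this sketch leaves out credential IDs, attestation, signature counters and the authenticator data that a real implementation also signs and checks. It also demonstrates the phishing-resistance point made later on this page: a look-alike domain cannot obtain a signature for the real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

// clientData is the message that gets signed; the page origin inside it binds the signature to one site.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is the user's device (hypothetical model): one private key per relying-party ID, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Create generates a key pair for rpID and hands back only the public half for the server to store.
func (a *Authenticator) Create(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for rpID; userVerified stands in for the biometric or PIN prompt.
func (a *Authenticator) Sign(rpID string, userVerified bool, msg []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey for %s", rpID)
	}
	if !userVerified {
		return nil, fmt.Errorf("user verification failed")
	}
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Server is the relying party. It stores public keys only, so a breach yields nothing usable for login.
type Server struct {
	rpID  string
	users map[string]*ecdsa.PublicKey
}

// FinishLogin checks the challenge the session issued, the origin binding, then the signature.
func (s *Server) FinishLogin(user string, challenge, cdJSON, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return fmt.Errorf("unknown user %s", user)
	}
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || string(cd.Challenge) != string(challenge) {
		return fmt.Errorf("malformed or stale client data")
	}
	if u, err := url.Parse(cd.Origin); err != nil || u.Scheme != "https" || u.Hostname() != s.rpID {
		return fmt.Errorf("origin %s does not belong to %s", cd.Origin, s.rpID)
	}
	h := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// BrowserLogin is the user agent. The relying-party ID is derived from the page's own origin,
// so a look-alike page can only ask the device for a key it never registered.
func BrowserLogin(a *Authenticator, origin string, userVerified bool, challenge []byte) ([]byte, []byte, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, nil, err
	}
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := a.Sign(u.Hostname(), userVerified, cdJSON)
	return cdJSON, sig, err
}

// Demo registers a passkey, logs in from the real site, then repeats the attempt from a look-alike domain.
func Demo() (genuine, phished error) {
	srv := &Server{rpID: "example.com", users: map[string]*ecdsa.PublicKey{}}
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub, _ := auth.Create("example.com")
	srv.users["alice"] = pub // registration: only the public key reaches the server
	ch := make([]byte, 32)   // fresh random challenge, good for one login attempt
	rand.Read(ch)
	cd, sig, _ := BrowserLogin(auth, "https://example.com", true, ch)
	genuine = srv.FinishLogin("alice", ch, cd, sig)
	_, _, phished = BrowserLogin(auth, "https://examp1e.com", true, ch)
	return genuine, phished
}

func main() { fmt.Println(Demo()) } // prints: <nil> no passkey for examp1e.com
```

The design choice worth noticing is where the origin check happens: the browser refuses to hand the look-alike page a signature at all, and the server independently rejects any signed data whose origin is not its own, so either side alone is enough to stop the spoofed site.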
Passkeys, while a safe practice, can introduce some complexity and inconvenience. A device-bound passkey, one created on a hardware security key or on a platform that does not sync it, lives only on the device that generated it, so that device must be at hand to log in. Across multiple devices and platforms this can become impractical.
If a device-bound passkey was created on a desktop PC, the PC is needed to log into the account, and lugging it around is impractical. A smartphone makes this easier, but the phone must still be at hand whenever a login is needed; otherwise the user is effectively locked out. Two things soften this. Synced passkeys, the default in the major platforms' password managers, are available on every device signed into the same account. And cross-device sign-in lets a user log in from a device that holds no copy of the passkey: that device displays a QR code, the user scans it with the phone that holds the passkey, approves with their biometric or PIN on the phone, and the signed response is relayed back to the first device.
Passwords…
A password, on the other hand, is a string of characters that, together with a username, forms the login credentials for an account.
Generally, the longer and more random the string, the stronger the password. Even so, passwords have become less secure over time, primarily because of unsafe creation and reuse practices, which leave password-protected accounts vulnerable to attackers.
Such unsound password practices include using weak and obvious passwords like birthdays or names or reusing the same password across multiple accounts. Weak passwords are easy to crack, and the practice of reusing the same password for multiple accounts places all these accounts at risk when one of them is breached.
A password can also be stolen through phishing and spoofing. A good password manager mitigates this because it only autofills credentials on the exact site they were saved for, so a look-alike domain gets nothing; the user still has to resist typing the password in by hand when the manager declines to fill it.
So are passkeys safer than passwords?
Safe password practice requires a unique password for every account. That is a challenge for users with many accounts, who would have to remember many complex passwords, so some resort to reusing the same password across accounts, which is convenient but exposes every account that shares it.
With passkeys, users have little to create or remember. They generate a passkey for an account and then log in from a device that holds it, in most cases a mobile phone or another device signed into the same password manager.
Spoofing works against passwords because an unwitting user can type their credentials into a spoofed site's login form and have them captured. Passkeys are phishing-resistant for two reasons: there is nothing for the user to type, and the browser only lets a site use a passkey registered for that site's own domain, so a look-alike domain cannot even request the signature. That makes passkeys far harder to compromise than passwords, though not invulnerable: the remaining risk sits with the device itself and with the account-recovery path the service offers.
The public and private keys are used in combination. The server stores only the public key, while the user's device stores the private key. If the server is breached, attackers obtain only public keys, which cannot be used to log in and cannot be turned into the private key. To use a passkey, an attacker would need not only physical access to the user's device but also the user's verification method, whether fingerprint, face recognition, or PIN.
That said, not all websites and digital platforms support passkeys yet, though more and more are adopting the technology. For sites and platforms that do not, good password practices and policies still need to be followed.
Users can add two-factor or multi-factor authentication to passwords. In addition to the username and password, a further factor is required to grant access, for instance a one-time code sent to a preregistered phone number or email address. Note that codes delivered this way can still be phished, since a victim who has been lured to a spoofed site can be tricked into entering the code there as well; they raise the bar, but they do not provide the phishing resistance that a passkey does.