Hello everyone and welcome back to the Cognixia podcast. Every week, we talk about the latest happenings, bust some myths, discuss new concepts, and much more about emerging digital technologies. From cloud computing to DevOps, containers to ChatGPT, and project management to IT service management, we cover a little bit of everything weekly to inspire our listeners to learn something new, sharpen their skills, and advance in their careers.
Cybersecurity concerns have given rise to new measures of identity and access management. Passwords are becoming obsolete or at the very least, becoming one part of a multi-part means for logging in, such as two-factor or multi-factor authentication. A lot of platforms are already doing away with passwords and switching to other authentication methods. One such authentication method that is gaining a lot of popularity is passkeys. And that is what we are going to talk about in today’s episode.
Passwordless authentication is increasingly becoming the norm, while at the same time it is also evolving and getting better. With the rising incidents of phishing and other scams & attacks, authentication methods also need to pull up their socks and get stronger.
So, what are passkeys?
A passkey is a specific authentication method that can be used as commonly as a password but provides greater security than a password. So, how are they different from passwords? Well, passkeys combine private and public cryptographic keys for user authentication. In contrast, a password uses just a set of characters – letters, numbers, and special characters only.
According to Google, one of the most important benefits of passkeys is that they are phishing-resistant, plus, users don’t have to remember all the numbers and special characters that they have used in their passwords. We all know that the more unpredictable the mix of numbers and characters in the password, the stronger it is. Remembering where you inserted that underscore, or after which letter you had a number and which number it was, can be quite a headache. With passkeys, this no longer has to be the case.
Passkeys are often used in conjunction with usernames or user IDs as part of the two-factor or multi-factor authentication. The passkey is generally followed by a biometric authentication like a fingerprint or facial recognition. For users who switch to using passkeys, logging in is an easy-breezy process but for unscrupulous elements like scammers and attackers, it becomes practically impossible to crack.
So, how do passkeys work?
When using passkeys for the first time, there needs to be a short setup process, but from then on, it is straightforward. The first time, the user would be asked to generate a unique and original passkey. In the future, the same passkey will be used for authentication along with the usual biometric authentication or PIN-based authentication.
When a passkey is created, two mathematically linked cryptographic keys are generated. One of these is a public key which remains with the website, service, or application, and would be connected to the user account. The other is a private key which would remain on the user’s hardware or cloud account.
Now, when a user wants to log in using the passkey, the passkey authentication and logging-in process takes place in the background. The application or service would send a randomly generated challenge or exercise to the user’s device for logging in. The user must respond to it by entering the private key. The app or website would then check the legitimacy of this private key by using the public key that was saved when the passkey was created. Once the authentication is done, the user is allowed access. If the authentication fails, the user will not be allowed access.
Interesting and complex, but effective.
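The setup and login flow described above, as an added example that is not from the podcast: a Go sketch of one website (the relying party) and one device (the authenticator), modelled on the FIDO2/WebAuthn design. Note that in the actual protocol the private key stays on the device: the device signs the site's random challenge with it, and the site checks that signature with the public key it stored at setup. The site IDs, the sha256 binding of challenge to site ID, and the names example.com and examp1e.com are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// RelyingParty is the website side: it keeps only public keys, never a secret.
type RelyingParty struct {
	ID    string                       // site identity the passkey is bound to (assumed "example.com" below)
	users map[string]ed25519.PublicKey // username -> registered public key
}
// Authenticator is the device side: private keys are created here and never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey } // site ID -> private key
func NewRelyingParty(id string) *RelyingParty { return &RelyingParty{ID: id, users: map[string]ed25519.PublicKey{}} }
func NewAuthenticator() *Authenticator   { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register (setup step): the device makes a fresh key pair for one site and returns only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		a.keys[rpID] = priv
	}
	return pub, err
}
// Enroll links the public key to the user account; NewChallenge makes 32 fresh random bytes per login.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.users[user] = pub }
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// signedData binds the challenge to the site ID the device is actually talking to.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}
// Respond (login step): sign the challenge with the key held for this site; a look-alike domain has none.
func (a *Authenticator) Respond(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), true
}
// Verify checks the signature with the stored public key; no secret is sent or compared.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	return ok && ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}
```

Because every login gets a new challenge, a captured response is useless later, and because the device only holds a key for the exact site ID it registered with, a look-alike domain gets no response at all.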
What makes passkeys different from passwords then?
See, passwords can be stolen through brute-force hacking, social engineering, data breaches, phishing, etc. But stealing passkeys is extremely difficult. A hacker would need to physically steal your device or breach your cloud account, then guess your PIN, and then also bypass the biometric authentication. Now, this may seem like a piece of cake for Ethan Hunt and Benji Dunn in the Mission Impossible saga, but that’s not quite how it is in real life.
Plus, when you use passwords, you also need to remember the passwords or employ a password manager. This comes with its own challenges and risks. Passkeys work, let’s say, more automatically, using the device’s own unlocking mechanisms for authentication, which makes the process both more secure and easier.
One interesting feature of passkeys is that they are usually tied to the hardware, while passwords remain constant across all devices and platforms. So, your passkey would be specific to, say, your phone, and you would need a different passkey for your laptop, desktop, tablet, smart TV, and all other devices. This is not the case with passwords; the same password is used to log in on all devices. One way around this is a cloud-based passkey solution. Such a passkey would work across multiple devices, but users would need to remember that in such a case the private key is stored on someone else’s servers and not on the local device.
Can you see how this makes your accounts super secure and safe?
Passkeys are based on cryptographic key pairing technology, which offers secure and unique authentication credentials for every login attempt. This way, hackers have nothing to guess, figure out, or steal. Brute force attacks and social engineering methods like phishing are useless in the face of passkeys. Even a data breach can’t expose passkeys.
Passkeys function on a sort of in-built two-factor authentication mechanism. Even if you are using a cloud-based passkey instead of one stored locally, the hacker still has to pass the authentication step to get access. This prevents your account from getting compromised.
The best part – you don’t have to memorize or write down passkeys like you would do for passwords. One click or one press of a button, and you have unlocked a seamless authentication experience.
Passkey technology has been developed according to the W3C and FIDO Alliance standards to aid compatibility. The big three platform vendors – Apple, Google, and Microsoft – as well as all major browsers now support passkeys.
But, can you share passkeys like you would share passwords?
Passkey technology is still developing and evolving. But, if the actual passkeys are kept safe and secure, credential sharing might still be possible among users. Sharing passkeys among friends and family is doable, but it has not yet been established as possible, or as secure, in a business setting. Hardware-bound passkeys would usually have the advantage here because they are stored on security keys, physical hardware authenticators, or specialized hardware integrated into devices, so such passkeys cannot be transferred or duplicated. This means that if one of your employees quits, you don’t need to worry about changing passwords, deleting accounts and data, etc. As long as the person was using company-provided devices, which is usually the case, and the IT team collects those devices back when they leave, your accounts remain secure.
So, is a passkey hack-proof?
Sadly, nothing is.
Passkeys can be hacked. But it is not as easy as stealing passwords.
Owing to the many advantages of passkeys, with time, passkeys will quite likely completely replace passwords. It is still too soon to say or predict. Innovations happen every day. There are some limitations of passkeys currently. For instance, passkeys that are created in one ecosystem will not work in another. So, if you created a passkey on your iPhone, you won’t be able to use it as easily on a Windows laptop. You also can’t transfer passkeys from one ecosystem to another. But this applies only to platform-native passkeys offered by the newer devices. With time, an increasing number of third-party passkey providers are entering the game, so there could be some focus on cross-platform support and easier portability.
Again, how things will turn out, only time will tell.
With that, we come to the end of this week’s episode of the Cognixia podcast. We will be back again next week with another interesting and exciting new episode. Until then, happy learning!