Passkeys 101: the future of passwordless authentication [Q&A]

Passkeys are often touted as being the way to achieve a passwordless future. But as yet passkeys are supported by only a small number of websites. Passkeys are a safer, more efficient way of authenticating users, but it will be a long time before they become the norm -- if indeed they ever become the norm.

We talked to Darren Guccione, CEO and co-founder of Keeper Security, to discuss the use cases for passkeys, the barriers to mass adoption and how users can adopt and secure passkeys in conjunction with their passwords.

BN: What are passkeys, and how do they differ from traditional passwords?

DG: Passkeys are a form of passwordless authentication that aims to replace the traditional password-based login process with a more secure and user-friendly approach. Unlike passwords, which typically involve a combination of characters, numbers and symbols, passkeys are based on public-key cryptography. They utilize a pair of cryptographic keys: a private key that is stored securely on the user's device and a public key that is registered with the service provider.

The process of authentication using passkeys is more technically complex, but from a user perspective can be much easier -- most often just a biometric challenge. Under the hood, it involves a challenge-response mechanism. When a user attempts to access an account, the service provider sends a challenge to the user's device. The device then signs the challenge with the private key and sends the signed response back to the server for verification. Since the private key remains on the user's device and is never transmitted over the network, passkeys offer a higher level of security compared to traditional passwords

BN: Why are passkeys considered a potential savior from passwords?

DG: Passkeys are often billed as a potential solution to the problems associated with traditional passwords. As we have seen in the past, passwords have numerous drawbacks, including their vulnerability to cyberattacks including brute force, phishing and credential stuffing -- especially when people reuse passwords or create weak ones that can be easily guessed. Passkeys, on the other hand, eliminate the need for users to remember complex passwords, add in phishing protection and make it extremely difficult for attackers to compromise accounts.

Additionally, passkeys aim to provide a seamless and user-friendly authentication experience. With passkeys, users don't have to go through the hassle of creating and managing passwords for multiple accounts, which reduces the risk of weak or reused passwords. This convenience encourages stronger security practices, making passkeys a promising candidate to revolutionize the authentication landscape if they do become widely adopted.

BN: How widespread is the adoption of passkey currently?

DG: Despite their potential, the adoption of passkeys has been slow. Out of the millions of websites that exist, only around 55 currently support passkeys. This limited support can be attributed to several factors including underlying platform support, website changes and the fact that it's not a default setting, so the user must take action to configure or set it up.

However, we can think about passkey adoption much like credit card adoption. Today, just as cash coexists with credit cards and contactless payments, passkeys can coexist with traditional passwords. As awareness grows and technology advances, we may see a gradual increase in adoption–but it won’t be quick and it'll take time before it's ubiquitous. Credit cards have been around for a while, and yet, cash still exists. We can expect the same for passkeys for the foreseeable future.

BN: What are some use cases for passkeys?

DG: Passkeys have applications for a variety of scenarios, especially where strong security and ease of use are essential. Some common use cases include:

• Online Accounts: Passkeys are designed to secure user accounts on websites, potentially eliminating the need for passwords and providing a more secure login process.
• Multi-Factor Authentication (MFA): This is an extension of the first use case. Passkeys can be combined with other authentication factors, such as biometrics, for enhanced security in multi-factor authentication setups. They can augment existing logins to make them more secure instead of replacing existing logins.
• Workstations and Devices: Enterprises can use passkeys to authenticate employees into their workstations and devices, ensuring secure access to company resources. Many times these are physical tokens, but use the same underlying technology.
• Internet of Things (IoT): Passkeys can secure IoT devices and prevent unauthorised access to connected devices in homes and businesses.
• Cloud Services: Cloud service providers can leverage passkeys to offer passwordless authentication to their customers, safeguarding sensitive data in the cloud.

BN: What are the barriers to mass adoption of passkeys?

DG: Despite the advantages of passkeys, there are significant barriers to their mass adoption:

• Compatibility and Integration: Implementing passkey-based authentication systems requires changes to the login, MFA and account-recovery process on existing websites, which is challenging for some service providers to undertake.
• User Familiarity: Many users are accustomed to passwords and might be hesitant to adopt a new authentication method, especially if they are not familiar with the security benefits.
• Interoperability: Ensuring that passkeys work seamlessly across various platforms and services poses technical challenges, hindering widespread adoption.
• Device Dependence: Passkeys rely on the security of the user's device, making them vulnerable if the device is compromised or lost.

BN: What does the future hold for passkeys?

DG: The future of passkeys looks cautiously promising, albeit with gradual progress. Consistent support from major platforms like Microsoft Windows, MacOS and various browsers is almost here. We can expect more websites and service providers to adopt passkey-based authentication as interest grows. Standardization efforts may also play a crucial role in promoting widespread adoption by addressing the challenges with interoperability.

However, it's essential to recognize that passkeys might not entirely replace passwords. Just as cash continues to coexist with digital payment methods, passwords will still have their place with certain applications and websites. In this hybrid environment, it’s critical to ensure the safe storage and use of both passkeys and traditional passwords. An encrypted password manager that supports passkeys can facilitate adoption while preserving security.

BN: How can users adopt and secure passkeys alongside their passwords?

DG: For users interested in adopting passkeys, it's essential to follow some best practices:

• Know where your passkeys are stored: If you store your passkeys within a particular Chrome profile or Apple KeyVault, they may be more difficult to access on the run. Storing passkeys in a browser or OS-agnostic solution allows you to use the same key on an iPhone or Chrome session much more easily.
• Decide between passwordless and Multi-Factor Authentication (MFA): Depending on how the website implements passkeys, you may have an option between adding a passkey as a second factor, or replacing your first factor (the password) with a passkey. Combining passkeys with other authentication factors, such as biometrics or one-time passwords, adds an extra layer of security.
• Keep devices secure: Protect devices with passkeys installed by using strong PINs, passwords, or biometric locks to prevent unauthorised access.
• Remember which sites have passkeys: It’s very easy to forget if you signed in with a password, passkey, MFA, email or social sign in. Using a password manager to store all these removes the needed load to remember this. Without a password management solution, you’ll end up doing more and more account recoveries because of forgotten login methods.
• Ensure some kind of backup: Ensure that wherever you store your passkeys, there is a secure back-up in case of device loss or failure. A good password manager that supports the use of passkeys can help achieve this.

All in all, passkeys offer a promising alternative to traditional passwords, providing a secure and user-friendly authentication method for sites that support it. While mass adoption might take time, the gradual integration of passkeys into various systems indicates a positive trend for cybersecurity overall; however, will society ever attain the goal of a truly passwordless future?

No.

In any case, users and service providers need to stay informed and take appropriate steps to ensure (where possible and where it makes sense) that there is a smooth transition to this potentially transformative authentication solution. Otherwise, users are likely to give up on it before it's even begun.

Image credit: ArtemisDiana/depositphotos.com