Understanding Passkeys: A Simplified Guide for Those Tired of Passwords

Essential Insights from ZDNET

In recent months, the concept of passkeys has gained widespread recognition. The speed at which people are adopting this new method of authentication is noteworthy, and the trend seems unstoppable. You may find yourself prompted to set up a new passkey every now and then.

Currently, I have a collection of about 40 passkeys. These allow me to access numerous websites by using biometric authentication like fingerprint scans or facial recognition. Popular sites such as Amazon, Walmart, and Target, along with tech platforms like Dropbox and Adobe, have embraced passkeys. My energy provider, banking services, and even my doctor's office utilize them as well.

Yet, many people are still unclear about the nature of passkeys, how they function, or their benefits.

Following an extensive discussion with a friend who eventually understood the concept, it struck me why there's so much confusion: a passkey is abstract. Explanations tend to be overly technical.

Even the person least knowledgeable about technology probably understands a password—a mix of characters, sometimes augmented by symbols. You can jot it on a note or reuse it often, even knowing the risks.

In contrast, describing a passkey—a digital credential derived from linked public and private keys—isn't so straightforward. Adding more technical language doesn't make it easier to visualize.

Together, let's make sense of passkeys in straightforward, mostly non-technical language by addressing common questions.

Defining a Passkey

A passkey is a credential stored securely on your device that proves your identity to a website; you unlock it locally with biometric data or a PIN. Think of it as your secret key to access online services.

Creating a Passkey: What to Expect

When you set up a passkey, you are essentially creating and saving a pair of linked keys. The public key is stored on the server of the service you're accessing, while the private key is kept on your device. These keys are interdependent; neither works alone.

This process begins when you log in to a site using your password. Once authenticated, you might be prompted to establish a passkey, or you might need to explore your account's security settings to do so.

You'll be asked to select an authenticator, which could be your computer, a password manager, or a hardware security device. After this step, your device generates the key pair and stores the private key safely, while the service you're connecting with records the matching public key on its server.

This gives you a pair of linked keys, one at the service end and one on your side, that together authenticate your access. Passwords become superfluous because the private key remains hidden on your device.

Choosing the Right Authenticator

The default storage for a passkey is often the device itself, enabled by systems like Windows Hello. Other choices include password managers compatible with passkeys or physical security keys.

The storage decision is crucial. Authenticators bound to a specific device mean that access is limited without that hardware, whereas a password manager storing passkeys can allow use across multiple devices.

If a password manager already supports passkeys, it's wise to use it. It allows you to manage and deploy passkeys easily.

A pro tip: You can employ several authenticator types and create multiple passkeys for crucial sites, ensuring you can access them from various devices securely.

Utilizing a Passkey

When revisiting a site where you've created a passkey, you enter your username or email, bypassing the password box. Instead, you'll be prompted to log in using your passkey.

The service then sends a fresh challenge for the passkey it has on record. Your authenticator first verifies that the site asking is the one the passkey was created for, requests biometric verification or a PIN to confirm it is you, and then signs the challenge with the private key. The service checks that signature against the public key it stored, which confirms the match.

This method ensures that your actual passkey never leaves your device, maintaining a secure authentication process.

Storage of Passkeys

Passkeys are held on your devices in hardware-backed secure storage, such as the TPM on Windows or the Secure Enclave on Apple devices.

Only the designated authenticator has access, and only after verifying your identity. Consequently, passkeys are not directly viewable or transferable.

Fate of Your Password

Despite the rise of passkeys, passwords remain a backup option. While some platforms might allow password removal after creating passkeys, this isn't widespread.

Why Passkeys Raise the Security Bar

Using a passkey gives you seamless authentication while sidestepping the weaknesses of passwords, such as phishing, brute-force attacks, and credential theft.

Unlike passwords, properly implemented passkeys cannot be intercepted or replicated by phishing sites, because the authenticator only responds to the site a passkey was created for, and they remain unusable unless your identity is confirmed biometrically or with a PIN.

Are Unique Passkeys Necessary?

The beauty of passkeys lies in their inherent uniqueness. Each passkey is a unique key pair tied to a particular site, eliminating the need to manually create different logins for each service.

Multiple passkeys can exist for a single service, perhaps across various devices or involving multiple security keys.
