Passkeys are widely considered the likely successor to passwords, which have been around for over 50 years. However, is that really true? We discuss the question and outline some of the pros and cons of passkeys, along with the current thinking about them.

 

In an era dominated by digital presence and online interactions, the need for robust security measures has become paramount. Traditionally, passwords were the primary means of securing our accounts and personal data. However, their inherent weaknesses, such as susceptibility to brute-force attacks and phishing, mean that we now need longer and more complex passwords, plus additional security measures such as two-step or multifactor authentication, to keep our accounts safe.

Two-step or multifactor authentication is more robust than a password alone: the added layers of security make it a reliable and effective system for blocking unauthorized access. However, it also has downsides, including longer log-in times and vulnerability to phishing attacks, among others. Hence, there is still a need for a system that is easy to use, can address phishing attacks, and does not require codes or passwords to be transmitted, since any transmission provides an opportunity for interception.

In response to these challenges, a new alternative is emerging: passkeys.

 

What is a passkey and how does it work?

A passkey is a unique and dynamic identifier that goes beyond the static nature of traditional passwords. Unlike passwords which typically comprise a combination of letters, numbers, and symbols, passkeys use a combination of factors, including biometrics, behavioural patterns, and contextual information, to authenticate users.

In essence, a passkey is a type of login credential that removes the need for passwords. Currently, a popular application of passkeys is on smartphones, where biometric authentication, such as fingerprint or face recognition, or a PIN or swipe pattern is used to gain access to the device.

When the passkey used to unlock a smartphone is extended to accessing other sites, it is important to note that the passkey stays on your device. Similarly, when you sign up for an online service that supports passkey authentication, two keys are generated. The public key is stored on the website's server, while the private key is stored on your device. Both keys are required to authenticate a user when logging in.

When you are required to log in to an online platform, the server sends a request to your device, and that request is then answered by a related passkey. Your identity as the user is also confirmed via the passkey stored on your device, and if the passkey on your device and the server match, you are granted access to your account.
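The key-pair exchange described above can be simulated in a few lines. This is an added example, not code from the original article: the function names, the `.example` origins and the JSON message layout are assumptions made for illustration, and real passkeys use the WebAuthn/FIDO2 message format rather than this simplified one. It shows the server accepting a valid login and rejecting a response signed for a look-alike site, a replayed response, and a response from a different device.

```javascript
// Added illustration: simplified passkey-style challenge-response (names and layout are assumptions).
const nodeCrypto = require('node:crypto');

// Registration: the device creates a key pair; the site stores only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { devicePrivateKey: privateKey, serverPublicKey: publicKey };
}

// Server: a fresh random challenge per login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Device: sign the challenge together with the origin the browser is actually on.
function signAssertion(devicePrivateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), devicePrivateKey);
  return { clientData, signature };
}

// Server: check challenge, origin and signature against the stored public key.
function verifyAssertion(serverPublicKey, expectedChallenge, expectedOrigin, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return 'malformed'; }
  if (data === null || typeof data !== 'object') return 'malformed';
  if (data.challenge !== expectedChallenge) return 'stale-challenge';
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  const ok = nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
    serverPublicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

function demo() {
  const site = 'https://bank.example';            // constructed origin
  const lookalike = 'https://bank-login.example'; // constructed look-alike origin
  const { devicePrivateKey, serverPublicKey } = registerPasskey();
  const c1 = newChallenge();
  const good = signAssertion(devicePrivateKey, c1, site);
  const c2 = newChallenge();
  const otherDevice = registerPasskey().devicePrivateKey;
  return {
    login: verifyAssertion(serverPublicKey, c1, site, good),
    lookalikeSite: verifyAssertion(serverPublicKey, c1, site, signAssertion(devicePrivateKey, c1, lookalike)),
    replay: verifyAssertion(serverPublicKey, c2, site, good),
    otherDevice: verifyAssertion(serverPublicKey, c2, site, signAssertion(otherDevice, c2, site)),
  };
}
console.log(demo());
```

Nothing secret crosses the network in either direction: the server only ever holds the public key, and each signed response is tied to one challenge and one origin.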

 

 

Pros and cons of passkeys

Although the tech industry is excited about passkeys and has been promoting their benefits, there are also some drawbacks that ought to be considered to get a more balanced view. First, however, the advantages:

  • Enhanced security: Passkeys offer a higher level of security by combining multiple authentication factors, making it considerably more challenging for unauthorised users to gain access.
  • User convenience: Unlike traditional passwords that may be forgotten or require frequent changes, passkeys offer a seamless and user-friendly experience. Biometric data and behavioural patterns are innate to the user, thus making memorisation unnecessary.
  • Adaptability: Passkeys evolve with the user, learning and adapting to changes in behaviour and preferences over time. This adaptability can result in enhanced security without compromising user experience.
  • Reduced risk of phishing: Since passkeys rely on unique identifiers and contextual information, the risk of falling victim to phishing attacks is significantly diminished. Even if login credentials are compromised, the absence of crucial biometric or behavioural elements, once again, makes unauthorised access considerably more challenging.
  • Improved privacy: With passkeys, your authentication information is never shared with websites or services, resulting in enhanced privacy.
  • Future-proof security: As technology advances, it is expected that passkeys will be able to incorporate new authentication factors, thus staying ahead of emerging threats and ensuring long-term security.

On the flip side, as robust as passkeys might be, some drawbacks or limitations are evident in the real world.

  • Device-specific: Passkeys are device-specific. So if you tend to access certain websites or online accounts via your smartphone using passkey technology, you would not readily be able to use those passkeys on your laptop, for example, to access those sites or accounts.
  • Device functionality: Some older or budget-friendly devices, which are prevalent in the Caribbean region, may not support the technologies needed for passkeys, especially biometrics.
  • Limited adoption: Currently, most websites and apps do not support passkeys. However, it is expected that as the technology becomes more accepted, adoption will increase.
  • Access recovery difficulty: Losing access to a device with your passkeys stored locally can be a major inconvenience, requiring complex recovery procedures. Most sites and services support account recovery options if a password has been forgotten. However, similar functionality is not yet standard or simple for passkeys.
  • Accessibility concerns: For individuals with disabilities who might struggle with biometrics, passkeys may not be the best option.

Over time, many of these challenges may be addressed, but for now they are considered current disadvantages.

 

Will passkeys replace passwords?

At this juncture, passkeys seem poised to replace passwords. Companies such as Apple, Google and Microsoft have been integrating passkey technology into their devices, and it is anticipated that the rest of the industry will follow suit, especially since cyberattacks and network breaches have been increasing, and the vulnerabilities of passwords are widely known.

Having said this, websites and businesses with an online presence may be reluctant to adopt passkeys due to the upfront installation cost, as passkeys need extra hardware and software to generate and validate the codes. Also, if passkeys are to become mainstream, the account recovery and multi-device problems need to be solved, and the solutions need to be sufficiently straightforward for the average user.

 

In summary, as our world becomes increasingly digital, the need for robust and adaptive security measures has become increasingly critical. Passkeys represent a major development in digital security, as they offer a dynamic and multi-layered approach to authentication. The technology is still evolving, but it is expected to become more accepted in the not-too-distant future.

 

 

Image credit:  rawpixel.com (Freepik)