How passkeys will kill passwords and become ubiquitous

In early June 2022, at its annual developer conference, Apple announced a new security feature coming later in the year with the release of iOS/iPadOS 16 and macOS Ventura. The new security feature is passkeys, and Apple intends to use them to eliminate traditional passwords. So that their customers will not need to remember and type a password again, despite all the fanfare of the announcement, this is part of an overall technology industry change to address the fragility of traditional passwords used for authentication and the common security issues derived from them. In fact, a month earlier on May 5th 2022, on world password day, Apple, Google, and Microsoft made a joint commitment to adopt the non-proprietary FIDO Alliances multi-device FIDO credentials (aka “passkeys”) framework that provides password-less sign-in credentials.

The three giants of the technology industry joining forces is significant because they collectively touch just about every person on the planet through their range of software and devices. This means their adoption of password-less credentials will accelerate mainstream use through all the operating systems and browsers of the three companies. The current commitment is for the three to adopt passkeys into their software over the coming year. Whilst Apple has garnered much initial attention with their branding of multi-device FIDO credentials as passkeys; it will be a commonly used term by all three companies to engage with the public.

For decades passwords have been the primary means of access to a range of digital and online services. Despite their necessity, they have also been a significant area of focus for hackers and criminals to gain access to personal and financial-related data. The following is a selection of techniques used by bad actors to get access to a password:

• Key logger, phishing, and sniffer tools
• Brute force attacks by generating millions of passwords to guess the correct one
• Password recovery or reset systems using previously exposed personal data
• Reuse of password exposed through a previous data breach
• Use of default passwords or passwords embedded in unencrypted code

So given the overall weakness and fragility of passwords, it is essential to ask what passkeys are and how they are any better than passwords. The passkey form of credentialing replaces the password-only and two-factor authentication methods of authentication. In doing so, it addresses the challenges of existing password authentication through the following behaviour:

• Every passkey is unique and generated using a strong encryption algorithm, eliminating the weak password scenario.
• Passkeys are generated on devices (e.g., laptops, smartphones, tablets, etc.), and a private element of a passkey is retained securely on the device and never leaves it during a login process.
• The device-driven private and public key nature of passkeys means they can’t be stolen, so they don’t need to be changed and incorporate two different authentication factors as part of their nature.
• Passkeys’ public and private key nature mean a website or application can’t leak a person’s authentication credentials as they only retain the public component. This means a person’s credentials are secure because the private key used for validation remains on the source device.

So, considering the above behavioural dynamics of passkeys, how does this new form of authentication credentialing address the weaknesses of passwords? The following are examples of how passkeys are intended to address the common means of usurping traditional password authentication:

• Passkey authentication eliminates brute force, dictionary, and guessing attacks because each is an encrypted private and public key combination that can’t be guessed.
• A passkey is created by making a specific connection between a person’s device and a website or application. This means the risk of exposure to phishing attacks is minimised because a deceptive site can’t emulate one-half of the encrypted key.
• The nature of a passkey makes it a unique authenticated association between a person and a website/application. If a website/application suffers a cyber-security breach, only the public key element of the passkey can be stolen, which is of no use or value without the private key.

PAC expects the proliferation of passkeys to occur rapidly over the coming year as Apple, Google, and Microsoft update their software for it to become the ubiquitous form of authentication. No doubt bad actors will focus all their attention on trying to find new mechanisms to corrupt the value of passkeys but the benefits of them ensure they will be a true successor to fragile password authentication.