What is passkey authentication?

Authentication and Login Credentials

The meaning of passkey authentication

Passkey authentication is an advanced form of security for the digital credentials that people use every day to access their accounts on websites, applications and service platforms, especially online banking.

The main advantage of passkey authentication is that it allows users to authenticate without having to remember and enter a username and password combination or provide any additional authentication factor.

More precisely, passkey authentication is a modern passwordless authentication system that works like a real pair of keys and significantly improves security. It allows users to create a strong and secure connection between a digital platform and a personal device, so that they log into their accounts using cryptographic keys instead of classic passwords, where:

  • the first key is public and is associated with the website or application that the user wants to access;
  • the second key is private and is stored directly on the user’s devices.

The combination of the two keys, which is unique and valid only for that digital platform, makes it possible to strongly authenticate users, providing a better, faster and safer experience.

The origin of passkey authentication and why it is important

The idea behind passkey authentication first appeared in 2009, when a few innovative companies began working on the possibility of simplifying user authentication by replacing traditional usernames and passwords with biometric parameters. This concept led to the foundation of the FIDO Alliance in 2012, an organisation made up mainly of tech companies that aims to support businesses in their digital transformation by making the whole authentication process easier, safer and more effective.

Since then, the initiatives to develop and enhance the use of passkeys have grown year by year, involving an increasing number of firms operating in different sectors, such as banking, online payments, e-commerce, social media and IT services and systems – Google, PayPal, Microsoft, eBay, ING Bank and Apple, just to mention a few. Indeed, the latter was the one that popularised the concept of passkeys in summer 2022 by introducing the technology into its main products and services.

Why is passkey authentication becoming so relevant? The answer can be found in these simple but clear data. According to FIDO:

Instead, according to Google, data related to March-April 2023 show that:

  • the percentage of successful user authentications through same-device passkeys (64%) is more than four times higher than the success rate achieved with traditional passwords (14%);
  • passkeys take an average of 15 seconds to authenticate users, while classic passwords take twice as long, about 30 seconds.

How does passkey authentication work?

These data make it clear that passkeys are safer and faster than the traditional authentication methods that all Internet users are used to, and that they represent a challenge for the development of new technologies, especially where younger generations are concerned. But a big question remains: how does passkey authentication work?

As briefly explained earlier in this article, passkey authentication works through a pair of keys. The authenticator system generates these keys when the account is registered on a digital platform or when passkeys are enabled on that platform: one key is public and directly related to the website or app, whereas the other key is private and stored on the user’s devices.

The authenticator system communicates with devices only by exchanging messages based on these keys, which occurs automatically: when a user tries to log in, the server, which holds the public key, sends a request (a challenge) to the authenticator asking for data that proves the user’s identity. The private key produces that proof by signing the request before the response is sent back to the system, where it is checked against the public key – basically a “signing process” that quickly and safely authenticates the user’s identity.

The main authentication tools used to enable passkey authentication are:

  • biometric methods like fingerprint ID and facial ID;
  • specific unique codes like PINs (Personal Identification Number).

User authentication: what’s the difference between passwords and passkeys?

Definitely, passkeys are more secure than traditional passwords and this is a fact. But why? And what’s the difference between these methods?

Starting from the last question, password-based authentication systems require the user to remember the right combination of username and password and then enter it into specific forms on a website or application. This process can be very risky, for example considering how many fake websites are created on purpose to steal personal data through phishing.

Passkeys, instead, don’t require users to take any such action, as the authenticator system and the user’s device communicate with each other automatically over a secure encrypted connection which works only between that digital platform and its registered users. Indeed, this represents a great way for companies to improve digital onboarding processes.

Thus, to sum up, the main factors making passkeys safer than passwords are:

  • passkeys can’t be guessed or reused on other platforms;
  • passkeys are phishing-resistant, as they are unique to the app or website they’re created for and cybercriminals can’t trick users into using them on a fraudulent site;
  • passkeys are only stored on the user’s device, which means that cybercriminals can’t steal them by hacking into the provider’s server or databases but need physical access to their potential victim’s devices.
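The signing process described in "How does passkey authentication work?" and the site-binding behind the phishing-resistance point above can be seen in this added example, which is not code from the original article. It is a simplified model rather than the real WebAuthn message format; the class names, the `rpId` site identifier and the `bank.example` domains are assumptions made for illustration.

```javascript
const { generateKeyPairSync, sign, verify, randomBytes, createHash } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s).digest();

// Authenticator: keeps one private key per site (rpId); the key never leaves it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey;                       // only the public half goes to the server
  }
  // rpId is assumed to come from the browser (the page's real origin), not from the page.
  signChallenge(rpId, challenge) {
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null;           // no passkey for this site: nothing to sign
    return sign("sha256", Buffer.concat([sha256(rpId), challenge]), privateKey);
  }
}

// Server: stores public keys only and issues single-use random challenges.
class Server {
  constructor(rpId) { this.rpId = rpId; this.users = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge() {
    const c = randomBytes(32);
    this.pending.add(c.toString("hex"));
    return c;
  }
  verifyLogin(user, challenge, signature) {
    const publicKey = this.users.get(user);
    // delete() returns false for an unknown or already-used challenge (replay)
    if (!publicKey || !signature || !this.pending.delete(challenge.toString("hex"))) return false;
    return verify("sha256", Buffer.concat([sha256(this.rpId), challenge]), publicKey, signature);
  }
}

// Constructed scenario: bank.example is the real site, bank-login.example a lookalike.
function demo() {
  const device = new Authenticator();
  const bank = new Server("bank.example");
  bank.enroll("alice", device.register("bank.example"));

  const c1 = bank.newChallenge();
  const sig = device.signChallenge("bank.example", c1);
  const login = bank.verifyLogin("alice", c1, sig);
  const replay = bank.verifyLogin("alice", c1, sig);   // same response sent a second time
  const phish = device.signChallenge("bank-login.example", bank.newChallenge());
  return { login, replay, phishResponse: phish };
}
```

The server never holds anything secret: a copy of its user table gives an attacker public keys only, and a captured response is useless once its challenge has been consumed.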

What is the main disadvantage of passkey authentication?

Even though passkey authentication looks like an extremely and positively disruptive technology for digital user authentication, the last factor in the previous bulleted list points to the one main disadvantage of this authentication method: the potential risk that a personal device storing the user’s passkeys may be lost or stolen, giving cybercriminals a chance to break into private data and information.

Luckily, the concrete odds of this happening are much lower than the risks posed by the criminal hacking activities that take place online every day. It appears that passkey authentication is very soon going to replace traditional passwords altogether, but until that day it is strongly recommended to be serious and cautious while surfing the Internet and to make sure to activate high levels of security like multi-factor authentication.
