Passkeys are the future. You may not be using them yet, but a world in which we never create or memorize a password and log in with just a username and biometrics is fast approaching. It's a better world. At least I think it is.

Recent conversations with those outside the tech industry, however, make it clear that most consumers don't understand passkeys, let alone trust them to protect their precious data and identities.

The chief concerns are:

  • They think passkeys are less secure than passwords
  • They're easy to set up but the tech confuses most consumers
  • After they're set up, it's not obvious to consumers how they'll interact with them

Like everyone else, I found comfort in understanding the fundamentals of passkeys (although they, too, can get a bit tangled).

In its simplest form, a passkey is a cryptographic credential stored, encrypted, on your own device, and it usually relies on biometrics to unlock it. If you've created a passkey for a site, the next time you log in the site takes the user ID you share and asks your device to authenticate with that passkey. That authentication happens through the biometric security you already have on your phone or computer: a fingerprint, facial recognition, or even an iris scan.

Nowhere in this process does the system, either yours or the one you're logging into, ask for a password.

At a more tactical level, imagine you visit Gmail and enter your user ID. The mail platform accepts the ID and sends back a challenge, which your device signs locally with the passkey and returns as a signature. At this point, the system may ask for the biometric authentication you previously set up on your phone or laptop. The flow for passkey registrations and logins is pretty well explained here.
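The challenge-and-signature exchange described above, as an added Go example that is not code from the original article or from Google, Apple or any passkey vendor: a toy device holds one private key per site, the server stores only public keys, and a login is a signed single-use challenge gated by a userVerified flag that stands in for the biometric check. The site names, usernames and the way the site name is mixed into the signed digest are constructed assumptions; real passkeys follow the WebAuthn/FIDO2 protocol, which this models only in outline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator is the user's device: one private key per site (rpID) that never leaves the device.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty is the server: it keeps public keys and single-use challenges, never passwords.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // username -> registered public key
	pending map[string][]byte           // username -> challenge not yet answered
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (a Authenticator) Register(rp *RelyingParty, user string) {
	a[rp.ID], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh P-256 key pair for this site
	rp.pubKeys[user] = &a[rp.ID].PublicKey                      // the server receives only the public half
}

// Challenge starts a login by issuing a fresh random nonce that the user's device must sign.
func (rp *RelyingParty) Challenge(user string) []byte {
	rp.pending[user] = make([]byte, 32)
	rand.Read(rp.pending[user])
	return rp.pending[user]
}

// Sign answers a challenge or returns nil: a look-alike site has no key here, and a locked (not userVerified) phone cannot sign.
func (a Authenticator) Sign(rpID string, challenge []byte, userVerified bool) []byte {
	priv, known := a[rpID]
	if !known || !userVerified {
		return nil
	}
	d := sha256.Sum256(append([]byte(rpID), challenge...)) // ties the signature to this site
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return sig
}

func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	delete(rp.pending, user) // consumed even on failure, so a replayed signature is rejected
	d := sha256.Sum256(append([]byte(rp.ID), c...))
	return ok && rp.pubKeys[user] != nil && ecdsa.VerifyASN1(rp.pubKeys[user], d[:], sig)
}
```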

All that I've described happens in a few seconds, with no need to recall a password or even open a password manager for your login credentials.

While the backend system for managing all this is somewhat complex and well beyond the ken of most consumers, the cryptographic magic that powers passkeys is hidden, and you're never forced to consider it.

Interestingly, some consumers I've spoken to still don't trust this form of security because they assume that anyone stealing their phone could log into their accounts. This isn't true, as the criminal would still need your face, fingers, or eyes. I know, there is the gruesome option of a criminal making off with those bits, too, but it's a highly unlikely scenario.

Even if you don't fully understand passkeys or distrust them, you should distrust your passwords more. It's likely that your credentials have been stolen and are on the dark web, and because of our predilection for reusing passwords, we're mostly screwed.

There is wide consensus in the tech community that passwords are an unsustainable security framework. Even password managers that let you use one strong master password could be at risk. First, some of them have been hacked, which raises the risk that the passwords they protect are no longer secure. Plus, the vault itself is still secured by a password, and if that's breached, you are once again screwed.

It's obviously not just consumers. Industries, institutions, and organizations are suffering through waves of ransomware attacks. Many of them start with social engineering emails but then continue by installing, say, keystroke-logging software that can watch people enter their IDs and passwords. But what if you never enter a password? The ransomware attack could be thwarted before it starts.

A passwordless system is the only reasonable answer.

So I'm ready for passkeys. And yes, I signed up for my first one with Google.

My action does not represent the majority and, despite the simplicity and clear benefits, passkey penetration in the marketplace is slow. My own anecdotal poll shows passkeys have a long way to go before they become the standard.

Part of it is the industry's problem. Google's pitch for passkeys, which you can find here, is high on enthusiasm and low on details. Google doesn't make it entirely clear what happens after you finally switch your Google account login to a passkey. And because the system often leaves us logged in, we may not immediately notice the change.

There is also not yet a single passkey to solve all problems. You will have different passkeys for different systems and platforms. Your passkey for Google, for instance, won't be the same as for Apple, which is also hoping to drive the passkey revolution.

However, this doesn't really matter. The signup for passkeys is easy and consistent on all platforms in that there will never be a password attached to it. It will use the same biometrics you use for your other platforms, services, and their respective passkeys. In other words, it can feel like it's one passkey for all systems.

Ultimately, this will be a frictionless system that only requires you to have your own hardware on you. If you use Face ID to unlock your iPhone, that same biometric check is what unlocks your passkeys.

It's true that the industry is still doing a poor job of explaining why you should embrace passkeys, but I'm here to tell you that it's coming whether you like it or not, and in the end, you should like it because passkeys will ultimately save your data and digital identity.

