WHAT IS A PASSKEY?

Did you know that Microsoft blocks 4,000 password attacks each second? This month we will talk about the difference between a password and a passkey. Passkey technology is in the news and has been for a couple of years now. Microsoft and Google both believe that everyone should switch to passkeys as soon as they can. Passkeys can be difficult to understand and the technology behind them is complicated. We will try to keep it simple.

Passkeys are an authentication method that eliminates the need for usernames and passwords. They are meant to be a more advanced way to prove who you are when logging in to an account. Think of the lock on your front door and the key used to get in; if they match, you are in. No passwords are required. Passkeys use public key cryptography in combination with biometrics like fingerprints or facial recognition, or a PIN, to verify an account owner’s identity. Cryptography simply means using coded algorithms to protect and obscure transmitted information.

In very basic terms: A public key is stored by select websites, apps, and services from companies like Google, Apple, and Microsoft. A private key stays securely on your personal device. When you log in with a passkey, your device uses biometrics or a PIN to unlock your private key and responds to a security challenge from the server of the service provider. If the two keys match, you are in. The public key stays on the server of the service provider, and the private key is kept on the user’s device. It never leaves the device and is always protected by a strong form of user verification. The public key is used to encrypt data, and the private key is used to decrypt data.
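The login exchange described above, sketched as an added example (it is not code from the original article or from any vendor): the device answers the server's challenge by signing it with the private key, and the server checks that signature with the stored public key. It is a simplified model rather than the real WebAuthn protocol; the account name and the `userVerified` flag standing in for the biometric or PIN check are assumptions.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Device side: the private key is created here and never leaves this closure.
function createDevice() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only part handed to the service at registration
    // userVerified stands in for the fingerprint, face or PIN check (assumption).
    respond(challenge, userVerified) {
      if (!userVerified) return null; // private key stays locked
      return sign('sha256', challenge, privateKey);
    },
  };
}

// Server side: stores public keys and outstanding challenges, no shared secrets.
function createServer() {
  const publicKeys = new Map(); // account -> public key
  const pending = new Map();    // account -> challenge awaiting a response
  return {
    register(account, publicKey) { publicKeys.set(account, publicKey); },
    startLogin(account) {
      const challenge = randomBytes(32); // fresh random value for every login
      pending.set(account, challenge);
      return challenge;
    },
    finishLogin(account, signature) {
      const challenge = pending.get(account);
      pending.delete(account); // single use: a replayed response finds nothing to match
      const key = publicKeys.get(account);
      if (!challenge || !key || !signature) return false;
      return verify('sha256', challenge, key, signature);
    },
  };
}

// Constructed walk-through with a made-up account name.
function demo() {
  const server = createServer(), phone = createDevice();
  server.register('alice', phone.publicKey);
  const ok = server.finishLogin('alice', phone.respond(server.startLogin('alice'), true));
  const sig = phone.respond(server.startLogin('alice'), true);
  server.finishLogin('alice', sig); // first use consumes the challenge
  const replay = server.finishLogin('alice', sig); // same response sent again
  const wrongKey = server.finishLogin('alice', createDevice().respond(server.startLogin('alice'), true));
  const locked = server.finishLogin('alice', phone.respond(server.startLogin('alice'), false));
  return { ok, replay, wrongKey, locked };
}
console.log(demo());
```

Only the first login succeeds: the replayed response, the response from a device whose key was never registered, and the attempt without user verification are all rejected.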

The evolution of passkeys actually began back in 2012 when the FIDO Alliance was formed by companies like PayPal and Lenovo, with the mission to eliminate passwords and to help reduce the world’s overreliance on password usage. FIDO supports authentication technologies like biometrics (fingerprints, iris scanners, voice, and facial recognition) and various other communication standards. We will discuss authentication technology in greater detail next month.

Passkeys are unique to each user device, and it is nearly impossible for hackers to steal them because passkeys rely on the physical possession of a device rather than a password. If a passkey is compromised, the attacker still needs the physical device it is on in order to complete the authentication process. Billions of usernames and passwords are available on the dark web, so for this reason alone, passkey technology has an advantage.

Passkey systems, however, are not compatible with all devices, platforms, and applications. People also have real concerns regarding the protection of their biometric data and the integrity of their passkey storage. iPhone and iPad users running at least iOS 16 can use passkeys. Mac users with macOS Ventura 13 or newer can use passkeys. Android devices running Android 9 or higher support passkeys with Google Password Manager. Windows 10 and 11 users are able to use passkeys through Windows Hello. Some browsers have integrated passkey support. They are Google Chrome version 109 or later, Apple Safari version 16 or later, and Microsoft Edge version 109 or later. Mozilla Firefox offers limited support. (Interested readers can find several articles online for installing a passkey on a Windows 11 PC.)

The Bottom Line: The world’s largest technology companies are doubling down on efforts to convince billions of global users to start using passkeys instead of passwords. Many organizations are transitioning from traditional passwords to passkeys to gain improved security. Microsoft Authenticator (we will cover it next month) will require passkeys in August. We agree with Consumer Reports that it is too soon to switch away from using passwords for all your online security as passkey technology continues to mature. If an end user’s device is lost or stolen, anyone who can unlock the device can use the passkey. It does not require any additional authentication factor. Most websites still use traditional logins. Expect passkey authentication to keep evolving.

Two Techs – your locally owned computer support company. Find us on the web at www.twotechs.com, email us at support@twotechs.com, or call 352-200-2365. USF, MIS, MCP, A+, Network+ & CISSP. (References used: TechTarget, Microsoft, Consumer Reports, ZDNet, Forbes, CNET)