Passwords may soon become passé.
Effective passwords are cumbersome, especially when they are reinforced by two-factor authentication. But the need for authentication and secure access to websites is as great as ever. Enter passkeys.
Passkeys are digital credentials stored on your phone or computer. They are analogous to physical keys. You access your passkey by signing in to your device with a personal identification number (PIN), swipe pattern, or biometrics such as fingerprints or facial recognition. You set up your online accounts to trust your phone or computer. To break into your accounts, a hacker must physically possess your device and have the means to sign in to it.
As a cybersecurity researcher, I believe that passkeys not only make for faster, easier, and more secure logins, but also minimize human error in password protection and authorization steps. You don’t have to remember passwords for every account and you don’t have to use two-factor authentication.
How passkeys work
Passkeys are generated via public-key cryptography. They use a public-private key pair to ensure a mathematically protected private relationship between users’ devices and the online accounts being accessed. It would be nearly impossible for a hacker to guess the passkey – hence the need to physically possess the device used to gain access.
Passkeys consist of a long private key – a long string of encrypted characters – created for a specific device. Websites cannot access the value of the passkey. Rather, the passkey verifies that a website owns the corresponding public key. You can use the passkey on one device to access a website with another device. For example, you can use your laptop to access a website using the passkey on your phone by authorizing the login from your phone. And if you lose your phone, the passkey can be safely stored in the cloud with the phone’s other data, which can be recovered to a new phone.
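The key-pair relationship described above, as an added example that is not from the original article: a simplified Node.js model of a passkey sign-in, not the actual WebAuthn message format. The function names, the origins and the sign-in data layout are assumptions made for illustration.

```javascript
// Added example: simplified model of a passkey sign-in, not the WebAuthn wire format.
// All names and origins below are constructed for illustration.
const crypto = require('node:crypto');

// Device: create a key pair for one site. Only the public key is sent to the site.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device: sign the site's challenge together with the origin actually being visited.
function signIn(privateKey, origin, challenge) {
  const clientData = Buffer.from(JSON.stringify({ origin, challenge: challenge.toString('hex') }));
  return { clientData, signature: crypto.sign('sha256', clientData, privateKey) };
}

// Site: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Site: check origin, challenge freshness and signature against the stored public key.
function verifySignIn(publicKey, expectedOrigin, issuedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData.toString('utf8'));
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== issuedChallenge.toString('hex')) return false;
  return crypto.verify('sha256', assertion.clientData, publicKey, assertion.signature);
}

function demo() {
  const site = 'https://example.com';
  const device = createPasskey();
  const stored = device.publicKey; // the site's account record holds no secret
  const c1 = newChallenge();
  const first = signIn(device.privateKey, site, c1);
  const good = verifySignIn(stored, site, c1, first);
  // A signature made while visiting a look-alike origin is rejected by the real site.
  const lookalike = verifySignIn(stored, site, c1, signIn(device.privateKey, 'https://example.net', c1));
  // A captured sign-in response cannot be reused against a new challenge.
  const c2 = newChallenge();
  const replayed = verifySignIn(stored, site, c2, first);
  // A different device's key does not match the stored public key.
  const wrongKey = verifySignIn(stored, site, c2, signIn(createPasskey().privateKey, site, c2));
  return { good, lookalike, replayed, wrongKey };
}

console.log(demo());
```

Because the site stores only the public key, a leak of its account records gives an attacker nothing to sign in with.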
Why passkeys matter
Passwords can be guessed, phished or otherwise stolen. Security experts advise users to make their passwords longer with more characters, combining alphanumeric and special symbols. A good password should not be in the dictionary or in sentences, should not have consecutive letters or numbers, but should be easy to remember. Users should not share them with anyone. Last but not least, users must change the password for all devices and accounts at least every six months. Using a password manager to remember and update strong passwords helps, but can still be a nuisance.
Even if you follow all best practices to keep your passwords safe, there’s no guarantee of watertight security. Hackers are constantly developing and using software exploits, hardware tools and increasingly sophisticated algorithms to break through these defenses. Cybersecurity experts and malicious hackers are engaged in an arms race.
Passkeys take the responsibility of creating, remembering and guarding all their passwords off the user. Apple, Google and Microsoft are supporting passkeys and encourage users to use them instead of passwords. As a result, passkeys are likely to soon overtake passwords and password managers in the cybersecurity battlefield.
However, it will be some time before websites add support for passkeys, so passwords won’t disappear overnight. IT managers still recommend that people use a password manager like 1Password or Bitwarden. And even Apple, which encourages passkey adoption, has its own password manager.