Everything You Need to Know About Passkeys
May-25-2024
In light of World Password Day, our BetaNews team sparked discussions about the emerging concept of passkeys and their functionality. We realized that if we were puzzled, many of you might be too. Here’s an FAQ-style breakdown of passkeys, how they work, and why you should consider adopting them.
What Are Passkeys?
To start with the basics, passkeys rely on public key cryptography. Each account you have consists of two cryptographic keys: a public key stored on the system you wish to access, and a private key kept on your authenticator device. When these keys interact, similar to fitting a key into a lock, you gain access.
Passkeys are generated using the WebAuthn API, a standard feature in modern operating systems and browsers, ensuring a secure and efficient login process.
Why Choose Passkeys Over Passwords?
One key benefit is the elimination of memorizing complex passwords, simplifying the login process. Another significant advantage is the resistance to phishing. Since a passkey is tied to the specific site it’s used for, it won't work on a fraudulent imitation, no matter how convincing it appears.
What Is an Authenticator Device?
Passkeys are usually managed by your device, either through the operating system or a third-party password manager like Dashlane or LastPass. They can be synchronized across multiple devices for availability in different locations. Essentially, the password manager serves as the authenticator device.
You can also store keys on your smartphone, making it your authenticator device. Passkeys can also be used with dedicated hardware keys like YubiKey or Google’s Titan Key, which employ a secure chip to establish the passkey. On trusted devices, you don’t need to keep the key connected all the time but will need it for new account setups.
Concerned about losing your device? Don’t worry. Your password manager is protected by another authentication method, such as an old-school password or biometrics like a fingerprint, making your passkey secure. Upgrading to a new device? Your passkey data can be transferred. If you’re using a password manager, your keys are stored in your cloud vault.
Lost a hardware key? It’s essentially useless to anyone without knowing what it accesses. Using a trusted device, you can remove the lost key from your account and set up a new one.
How Do I Create a Passkey?
Let’s take Google as an example. Visit g.co/passkeys and sign in to confirm your identity. Once logged in, select 'Create a passkey.' Choose your preferred authentication method. If you have a hardware key, select 'Use another device.'
If you opt to use a smartphone, scan the displayed QR code to link Google with your phone. Future logins using a passkey will send a notification to your phone, where you can confirm your identity using biometrics or a PIN.
More websites are beginning to support passkeys. A searchable list of such sites is available on Passkeys.directory, reflecting a trend towards more secure and user-friendly authentication methods.
Conclusion
Passkeys mark a noteworthy advancement in online security, providing a more secure and user-friendly alternative to traditional passwords. Leveraging public key cryptography and the WebAuthn API, passkeys eliminate the need to recall complex passwords and offer robust phishing resistance. Managed across various devices and password managers, passkeys offer seamless access to accounts while maintaining high security.
As more websites and services adopt passkeys, their convenience will become more apparent. By understanding how passkeys function and their benefits, you can make informed decisions about securing your online accounts. Explore the world of passkeys and enhance your digital security today.