Anyone remember the last time you used a physical key to unlock and start your car? Me neither! Most modern cars use a smart key fob to unlock and a push button to start, with the added security of the key fob needing to be near to operate the vehicle.
Technology has evolved over the last several years, improving both user experience and security when accessing various products. Yet we still haven’t moved past using passwords – the weakest form of security as they’re easily compromised and reused in multiple applications and websites. When the strength of the password is improved with complex phrases, characters, and length, it leads to frustrating experiences with users often forgetting their password and locking themselves out of their accounts.
With the support for passkeys by all major OS platform vendors (Microsoft, Apple, Google), organizations can now offer a truly passwordless login for users that is both secure and that provides a seamless and enjoyable user experience. The end of passwords is truly here.
What Passkeys Are
Passkeys let you sign in or log on to applications and services without passwords or even usernames if configured that way. They are digital credentials in the form of cryptographic key pairs, with the public key stored on the application server and a private key stored on your device that can be accessed via biometrics authentication on your device.
Using passkeys to log in to applications and services make it seamless and easy to use, just like you would unlock your phone with Face ID or other biometrics.
How Passkeys Work
Passkeys are cryptographic key pairs typically stored on a user’s device and used to authenticate users into various applications. A public key is stored on the application server and a private key is stored on the user’s device.
When a user tries to log in to an application, passkeys use Bluetooth® to communicate between the user’s phone (FIDO authenticator) and the device from which the user is trying to authenticate.
The application issues a security challenge to the user’s registered device via Bluetooth. The user is then prompted to authenticate via biometrics to accept the sign-in request, which is signed with the private key on the user’s registered device and sent back to the application to be verified with the corresponding public key, after which the user is signed in if successful.
Passkeys: A Gamechanger
Given the increase in data breaches that involve email addresses, passwords, profile, and contact information that are being sold on the dark web recently, attackers are orchestrating multiple account takeover (ATO) attacks such as social engineering, credential stuffing, brute force, password spray, phishing and spear phishing, and MFA fatigue/prompt bombing, among others. Users are increasingly facing ATO threats from multiple attack campaigns on multiple applications or services that they access daily.
With passkeys, connecting to the user’s authentication device (mobile device) over Bluetooth requires physical proximity, which means that we now have a phishing-resistant/remote attack resistant way to leverage the user’s phone during authentication to protect against remote-based attacks. Having the capability to support passkeys natively in all platforms helps with large-scale adoption and users finally moving toward a secure passwordless future. In addition, incorporating biometrics allows for increased security as well as a more seamless authentication experience for users when logging in to an application.
In addition, every application generates a unique key pair – eliminating duplication or reuse that we see quite often with password fatigue – making this a highly scalable and secure passwordless solution.
Learn how you can enable passkeys for your users with Entrust Identity as a Service.
