HomeBlogWhat are Passkeys? Sign in effortlessly without a password

What are Passkeys? Sign in effortlessly without a password

Locker blog reading time6 minutes read
Locker Avatar

Ly Hoang

July 24 2023
Copy

Marketing Executive @locker.io

Reading Time: 6 minutes

With privacy and security concerns at an all-time high, the world eagerly awaits the next big thing in online authentication.

Enter passkeys – a feature that has become a hot topic in the tech world thanks to companies like Apple and Google. Many even attribute it to a proprietary part of iOS. But in reality, it’s a novel approach to authentication that has the potential to be used across devices and platforms.

What makes passkeys such a big deal? Read on to find out.

What are Passkeys?

Passkeys are a huge innovation in online authentication. Image: Freepik

This approach doesn’t test whether you remember your password anymore. Instead, websites see whether you have the required passkeys.

This unique digital key stored on your devices can be used to establish and verify your identity online. Using them means you no longer have to memorize or manage complex passwords. They can also protect you from risks like phishing attacks and data breaches.

Based on the WebAuthn standard, this method aims to make online authentication safer and more user-friendly. This technology comes about in response to increasing password management and security concerns.

Major tech companies like Apple, Google, and Microsoft encourage the adoption of passkeys. However, not all websites currently support this technology.

How Do Passkeys Work?

Passkeys are a form of possession-based authentication that leverages public-key cryptography.

When you add a passkey to an account, an authenticator (such as your smartphone or a password manager) will generate a pair of public and private cryptographic keys. These keys are mathematically related but serve different purposes.

The public key will be sent to and stored on your service server. It’s akin to your username and can be shared publicly without posing a security risk.

On the other hand, the private key is stored on your device and must remain secret. Your authenticator will use it to respond to a challenge from the server during the authentication process. This means you can only sign into your account with your device.

How to Set Up and Use Passkeys

Confirm That The Site Supports Passkeys

Not all websites or online services support passkeys as of yet. If a site supports this technology, it will usually indicate this in its security settings or during the account creation process.

A website that supports passkeys.

Create A New Account Or Access Security Settings

You’ll be asked to choose an authentication method if you create a new account. Choose to secure your account with a passkey.

If you’re accessing the security settings of an existing account, look for options related to passkeys, WebAuthn, or FIDO2 standards.

Verify With Your Authenticator

This could be your smartphone, tablet, computer, or a password manager that supports passkeys. The authenticator may ask for your biometrics, passwords, PIN codes, or whatever method you use to authenticate yourself with it.

Generate Your Passkeys

Once you confirm your identity with your authenticator, a passkey is generated. This passkey consists of a public-private key pair.

The public key will be sent to and stored on the website’s server, while the private key remains securely on your device. This process is done automatically – you won’t see the keys and don’t need to remember them.

Creating a passkey on Android.

How to log in?

The next time you visit the site, instead of asking for a password, it will send a challenge.

Logging in with passkeys. Image: Google

Benefits of Passkeys

This solution has many advantages compared to the traditional authentication model that uses passwords and optional MFA.

No Need To Create And Remember Passwords

Passkeys eliminate the need for creating and remembering complex passwords since this approach requires no passwords, to begin with. You can take a few seconds to create a new account supporting this method.

Also, this passwordless technology is already linked to the device and its local verification measures (like fingerprint or face recognition). Users do not need to go through the additional step of setting up multi-factor authentication.

No Need To Type In Anything When Logging In

With this type of protection, you don’t have to type in the password or MFA code whenever you want to access your account. Instead, you just verify your identity with your biometrics or scan a QR code.

Your device will automatically detect the username and the associated passkeys you have created for the site. Logging in becomes quicker and more convenient – everything is just a few taps away.

With passkeys, you can log in to websites with your fingerprint like you unlock your phone. Image: Freepik

Cross-Device Sync

Many authenticator systems, like Apple’s Keychain, automatically sync your passkeys across all your devices.

So if you set up a passkey on your iPad, you can also use it to log in on your iPhone, assuming they are connected to the same iCloud account. This makes it easier to manage your accounts across multiple devices.

Stronger Than Passwords

Passkeys are much stronger and more unique than average passwords. They are immune to common attacks like brute force or dictionary attacks. This is because these attacks typically rely on guessing a password, and this technology has no password to guess.

Private Key Stored Securely

In the case of passkeys, the most critical part – the private key – is stored securely on your device. The authenticator never sends it to the website where you register an account.

This means that even if the website’s server is breached, your account remains secure because it doesn’t have your private key. Meanwhile, the public key stored on the server alone is insufficient to access your account.

Safe Against Phishing

The private and public keys only work together on the sites they were registered with.

Even if you were tricked into trying to log into a fraudulent site that looks like the site you’re trying to access, your device wouldn’t provide the private key because the site is not the one it’s associated with.

This prevents unauthorized access to your account, even in the face of sophisticated phishing attempts.

Traditional phishing methods don’t work with passkeys anymore. Image: Freepik

Which Devices and Sites Support Passkeys at the Moment?

Android and iOS platforms are fully equipped to support passkeys right out of the box. Users can easily create, use, and sync passkeys across devices within these operating systems, ensuring a seamless and secure authentication experience.

However, the number of services and websites with integrated passkeys support is still somewhat limited, with Google, Microsoft, Best Buy, PayPal, eBay, and Kayak among the early adopters.

Conclusion

Passkeys are poised to play a pivotal role in the feature of authentication. By offering a safer, more convenient alternative to traditional passwords, they are set to revolutionize how we secure our digital identities.

Locker supports traditional passwords and passkeys, becoming a flexible solution for protecting your accounts.

Locker has implemented passkeys in our web and mobile applications. With the addition of this advanced and robust authentication method, you can experience hassle-free logins on supported websites and services. Download Locker today to take the leap toward a safer, passwordless future.

You’ll be asked to choose an authentication method if you create a new account. Choose to secure your account with a passkey.

If you’re accessing the security settings of an existing account, look for options related to passkeys, WebAuthn, or FIDO2 standards.

Latest news

Locker blog

Interviews, tips, guides, industry best practices, and news.

Sign up for our newsletter

Be the first to know about releases and industry news and insights.

We care about your data in our Privacy Policy.