Secure Authentication: Will Passkeys Kill the Password?

Passwords have become the biggest frustration of our digital life.

We all know that every login should have a unique, strong password of at least 12 characters mixing uppercase, lowercase, numbers, and symbols. But for anyone without a photographic memory, convenience tends to beat security.

The pain of keeping dozens of unique passwords for every site and app inevitably means many of us secretly use one password for multiple sites.

So when your favorite online store suffers a data breach, attackers will try the leaked email and password combinations against popular services such as Amazon, Netflix, PayPal, and so forth, a technique known as credential stuffing.

Entering your email address into the Have I Been Pwned website may alarm you with just how many data breaches are attached to it. This often prompts users to add multifactor authentication and a password manager that will do all the heavy lifting for them. But even these methods can have their drawbacks.

Key Takeaways

  • Passwords, however hard we try, often lead to re-use, frustration, and compromise as users tend to prioritize convenience over security.
  • While password managers offer a solution, recent breaches of popular platforms like LastPass show the need for a new approach to online authentication.
  • Passkeys, cryptographic credentials unlocked by biometrics or a device PIN and championed by companies including Apple, Google, and Microsoft, present a potential revolution in online security by eliminating reliance on traditional passwords.
  • However, their widespread adoption faces challenges such as interoperability, privacy, and data security concerns.

Are Password Managers as Safe as We Think?

Password manager LastPass has suffered a series of breaches since 2015. The 2015 incident exposed user email addresses, password reminders, and hashed master passwords, and a substantial breach in 2022 ended with attackers walking away with customer data and encrypted copies of user vaults.


The theft of encrypted vault backups means the security of every affected vault now rests on the strength of the master password that protects it: the attacker has unlimited time to guess it offline, with no rate limiting in the way. Elsewhere, credential stuffing with re-used passwords was blamed for account compromises at Norton LifeLock's password manager. Collectively, these trends paint a rather unsettling picture.

Are password managers safe in 2024? The answer depends entirely on how you use them. If your master password is something as simplistic as "123456" and you have opted out of multifactor authentication, the strength of the vault's encryption becomes irrelevant.

The reality is that with such a predictable credential, it is only a matter of time before an unauthorized party guesses it, and a stolen vault then opens without any further effort. Multifactor authentication protects the login to your account, but not a vault backup that has already been stolen; only the master password does that. The security of a password manager is significantly influenced by how responsibly it is used by the individual.

In short, we need a new approach.

From Passwords to Passkeys: The Future of Secure Authentication

Passkeys represent a revolutionary shift in online authentication, signaling a potential end to the traditional password era that we love to hate.

Passkeys are public-key credentials: the biometric scan or device PIN only unlocks the private key on the user's own device and is never sent to the site. Unlike conventional passwords, nothing reusable leaves the device, so there is no weak or re-used secret for an attacker to steal, guess, or replay on another site. They provide a robust defense against the vulnerabilities plaguing password-based systems.

Understanding the mechanics of passkeys is crucial to appreciating their potential to transform online security. A passkey is a cryptographic key pair generated for one specific site: the private key is stored locally on the user's device (or in a synced keychain), and the matching public key is registered with the service provider.

When logging into an account with passkeys enabled, the server sends a fresh random challenge to the user's authenticator (such as a phone, computer, or hardware security key).

The authenticator then uses the private key to sign the challenge together with the site's identity, and the server checks that signature with the stored public key, confirming the user's identity without needing a traditional password. Because the signature is bound to the genuine site's domain, a lookalike phishing site cannot obtain a signature the real site will accept, and because the server holds only public keys, a breach of its database yields nothing that can be used to log in. This makes passkeys a more secure and phishing-resistant authentication method, drastically reducing the risk of credential compromise.

Google is one of the Big Tech companies in favor of passkeys, and when it came out in support of them last year, it announced it on its blog as “The Beginning of the End of the Password”.

Despite a passkey’s enhanced security, the debate around whether they will actually replace passwords is ongoing.

The main challenge lies in their adoption and interoperability across different platforms and devices. Only a handful of websites support passkeys, and managing them across various devices can be complex.

Additionally, while passkeys eliminate the need to remember multiple passwords and significantly reduce the risk of phishing attacks, relying on a specific device for authentication can be a problem when that device is unavailable, or when the passkey lives in one vendor's ecosystem and the user moves to another operating system.

The Challenges of Transitioning to Passkeys

While passkeys herald a significant advancement in online security, they bring challenges that warrant consideration. The transition to passkeys involves a trade-off between enhanced security and the flexibility of traditional password systems.

For instance, passkeys, unlocked by a device's biometrics or PIN, make it harder to share access with trusted individuals, a common practice in families or emergencies. This limitation could affect scenarios where parents need to monitor their children's online activities or share access to joint accounts.

Additionally, the technology raises questions about privacy and data security. A common worry is that unique biometric data is handed to service providers. In practice the fingerprint or face scan never leaves the device; it only unlocks the private key locally, and the site receives nothing but a signature. The privacy question that does remain is how much to trust the platform vendor whose cloud account syncs passkeys between your devices.

Furthermore, the device-specific nature of passkeys poses a risk of access loss. If a device is lost or stolen and the passkey was not synced or backed up, users could find themselves locked out of their accounts. While most platforms provide recovery options for lost passwords, the equivalent mechanisms for passkeys, such as recovery keys or a second registered authenticator, are not yet universally implemented and require proactive measures by users.

The complete phase-out of passwords won't happen overnight. There's a considerable journey ahead before companies fully adopt the FIDO Alliance's passkey standards (FIDO2 and the W3C WebAuthn specification).

Although the usual suspects, such as Apple, Google, and Microsoft, are embracing and promoting passkey technology, it will take time to trickle down to the hundreds of sites and apps that currently require a password to log in. 

The currently limited support for passkeys across websites and apps also means users must maintain a hybrid approach of traditional passwords and passkeys, complicating the digital security landscape. Although passkeys represent a step forward in securing online identities, their implementation and acceptance require careful navigation through these emerging challenges.

The Bottom Line

The emergence of passkeys signals a significant shift from traditional passwords. This new approach to secure authentication offers a more streamlined, user-friendly, and secure method of protecting our online identities. But replacing passwords with passkeys will be a slow, gradual process that requires a shift in user behavior and technological adaptation. 

For now, embracing passkeys, especially for sensitive accounts, is a wise move toward bolstering security. But until they gain universal support and become a seamless part of our digital routine, maintaining robust security practices, such as enabling multifactor authentication and using strong passwords, remains essential. Passkeys represent a brighter future in cybersecurity, but this future is still unfolding.

Neil C. Hughes

Neil is a freelance tech journalist with over two decades of IT experience. Celebrated as one of LinkedIn's Top Voices in technology and recognized by CIO Magazine and ZDNet for his influential insights, Neil has contributed to publications like INC, TNW, TechHQ, and Cybernews while also hosting the popular Tech Talks Daily Podcast.