The passkey primer pt. 1: What are passkeys?

Image of keys - Destination Certification

We’ve got the five-part series you’ve all been waiting for, your definitive guide to passkeys. It’s going to unfold over the next few weeks, so keep an eye on your inbox.

We know, we know, you can’t contain your excitement, so let’s get started.

You may have heard Apple, Google and other major tech players pushing passkeys as the hot new way to authenticate users. Passkeys are being sold as the password-killer, with some hoping that users can say goodbye to remembering their passwords, and that phishing attacks will be vanquished.

But what actually are passkeys?

Passkeys are a relatively new form of authentication based around standards from the FIDO (Fast IDentity Online) Alliance, like WebAuthn. One of the most important features is that passkeys allow secure authentication without secret information being transferred from users to a website or an app.

Instead of having a password that users have to remember, and could possibly divulge in a phishing attack, a private key is stored locally on their device. The website stores a matching public key on its server, and through the magic of public-key cryptography and digital signatures, the user is able to authenticate themselves without ever having to send anyone their private key.

On the user’s end, all they have to do is:

  • Registration – Websites that support passkeys make it easy to get started. Users first log in the normal way with their username and password, to prove that they own the account. Then, they need to find passkeys in the settings (this varies between websites), and enter their device’s PIN, pattern, or biometrics. Behind the scenes, a private key will be created and stored on the device, while a non-secret public key is stored on the website’s server.
  • Authentication – When a user wants to log in to a website or an app, they simply click on their account and then enter their device’s PIN, pattern, or biometrics. Some cryptographic magic happens in the background, and a non-secret digital signature is sent to the website, which then authenticates it with the user’s public key.

This system has some of the advantages of two-factor authentication (which we will dive into in our sixth installment), and it’s faster and easier for users. But like everything in security, passkeys aren’t a perfect solution. They aren’t suitable in all scenarios, and there are still some security weaknesses that need to be acknowledged.

Where can you use passkeys?

Google, Apple and Microsoft all offer support for passkeys. Other major players include PayPal, Shopify, DocuSign, Kayak, Robinhood, Adobe, and many more. You can check out this directory for a more thorough list.

What’s next?

So how does it all work? What’s happening when you dig down deep? Well, you’ll just have to wait.

Next week, we’ll take a step back and take a thorough look at passwords, as well as some of the weaknesses associated with them. The following week we will cover some of the cryptographic fundamentals you need to wrap your head around, namely public-key encryption and digital signatures.

Then we will dive into the WebAuthn standard itself, followed by another newsletter on how syncing and backups work. We’ll close out the series with our sixth and final part on the various security considerations of passkeys.

Image of the author

Cybersecurity and privacy writer.

Would you like to receive the DestCert Weekly via email?

Your information will remain 100% private. Unsubscribe with 1 click.

Page [tcb_pagination_current_page] of [tcb_pagination_total_pages]