This week, it’s finally time to start digging in to passkeys, and how they work. If you didn’t read our last couple of newsletters, we suggest you take a peek to read up on the foundations. Here’s an overview of passkeys, as well as a newsletter that covers some of the problems passwords face.
In essence, passwords kind of suck, because humans have to create, remember and send a sensitive piece of information to the provider to authenticate themselves. This isn’t great for security, because humans are error-prone, and do things like:
- Creating weak passwords that are crackable.
- Reusing the same passwords across multiple accounts, leaving them vulnerable to credential stuffing attacks.
- Accidentally handing over their passwords when they fall victim to phishing attacks.
- Forgetting their passwords.
Passkeys allow users to authenticate themselves without having to create, remember or send a sensitive piece of information. This mitigates many of the weaknesses surrounding passwords, which is why there has been so much hype around passkeys lately.
But how do passkeys achieve this?
The first thing you need to wrap your head around is public-key cryptography. This differs from symmetric-key encryption in that instead of having a single key for both encryption and decryption, you have two separate ones, a private key and a public key, which are mathematically related. The private key is kept secret, while the public key is shared openly.
Typically, if someone wants to send secret information to another party (that they haven’t already established a secure channel with), they will seek out their public key, and then use it to encrypt the data they want to send (often just a symmetric key). Once the data has been encrypted by the public key, it cannot be decrypted by anyone except those who know the matching private key, which means that only the private key’s owner can access the data. Public-key cryptography was revolutionary because it gave us a way to establish a secure channel where none had existed beforehand.
RSA was one of the primary public-key algorithms, but these days we tend to see more of a shift toward algorithms that use elliptic-curve cryptography (ECC). There are a number of reasons behind this, including the substantially smaller key-size that ECC uses to provide the same level of security.
Public-key cryptography can be combined with hashing and performed in reverse. This gives us a way to verify the integrity and authenticity of a message. Basically, you create a message, hash it, and then sign it by performing a specific computation with your private key. This gives you the digital signature. You then send this digital signature alongside your message to your intended recipient.
If they want to verify that the message is actually from you and maintains its integrity, they can run the message they received through the same hash function, and then perform a computation on it with your public key. If the result matches the digital signature they received, then they can confirm that the message is authentic and has integrity. There’s just one big caveat—your private key must remain private. If it has been compromised, then an attacker can use it to pose as you.
Securely proving authenticity
The interesting thing about digital signatures is that they allow someone to prove their authenticity—that they are who they claim to be—without them having to share any secret information. You never have to send your private key anywhere. All you have to do is use it to sign the hash, creating the digital signature. Digital signatures are non-sensitive information, so we don’t care too much if hackers intercept them.
All of this is possible due to the very strange math of public-key cryptography, and it lies at the heart of how passkeys work. This is what allows us to authenticate users without requiring them to create, remember and send sensitive information, like passwords. Since human error in these activities is a major cause of security problems, passkeys have a lot of potential to boost our overall security.