Passkeys are all the rage these days as an alternative to passwords. The FIDO Alliance and major tech companies are promising that they are faster than passwords and phishing resistant, and that they offer biometric integration and more fancy upsides. If you believe the hype, passkeys are the next big trend in authentication.
Unfortunately, this newsletter ain’t about passkeys—but next week’s will be, we promise. This is the second installment of our six-part series on passkeys. If you didn’t catch the first one, you can check out our overview on passkeys here.
This week, we’re going to focus on passwords because to truly understand passkeys you need to understand the intricacies of how passwords work, as well as some of their shortcomings.
Then you will be able to contrast the two and see why passkeys are being hyped as a solution to some of our password-related problems.
Passwords: A tool for user authentication
Passwords are one of the primary mechanisms we use for user authentication. We use them as a somewhat imperfect proxy for verifying that a user is truly who they claim to be: attackers who know a user’s password, or can guess it, may be able to access the account as though they were the legitimate user. To limit this possibility, we often combine passwords with a second factor of authentication, making the attacker’s job far more difficult.
The different authentication factors
There are three different authentication factors:
- Knowledge: Something that you know – These include passwords, PINs, and the answers to security questions.
- Ownership: Something that you have – Examples include hardware security tokens, or phones with authentication apps on them.
- Characteristic: Something that you do or are – These include fingerprints, iris scans, face scans, voice prints and other biometrics, as well as things like your signature, how you walk and how you type.
The weaknesses of passwords
As knowledge factors, passwords are a pretty good tool for authenticating users. However, there are a few problems:
- Attackers may be able to uncover passwords or trick users into handing them over via phishing attacks.
- Weak passwords can be brute forced.
- Many users reuse passwords across accounts, making them vulnerable to credential-stuffing attacks.
- Users may completely forget their passwords, and either have to reset them, or get completely locked out of their accounts.
When you zoom out, these issues show some of the innate weaknesses of passwords. These tend to revolve around the fact that users must create, remember, and then send sensitive information to the provider in order to authenticate themselves. This introduces a lot of room for human error, because people can create weak passwords, reuse their passwords, get tricked by phishing attacks, and forget their passwords.
Over the next few newsletters, you will see that passkeys avoid many of these issues, because users aren’t responsible for creating, remembering or sending any secret information. This helps to limit a bunch of security issues.
Multifactor authentication to the rescue
These clear weaknesses are why we implement additional authentication factors on top of passwords whenever we are securing anything important. If an attacker not only needs your password, but also requires your phone to access its authentication app, the attacker’s job is much, much harder.
Note that the second factor should always be a different type to the primary factor. If your primary factor is a knowledge factor, like a password, then you should not use another knowledge factor, like a PIN, as the second factor. Instead, you should use an ownership factor, like an authentication app, or a characteristic factor, like a fingerprint. If an attacker can find your password, then they may also have access to your PIN. It’s generally harder for them to also get their hands on your phone, or your biometrics.
But multifactor authentication adds an extra step to the login process, increasing friction and reducing convenience for users. Over the next few newsletters, you’ll learn how passkeys can make multifactor authentication easier, helping to ease some of the burden users face.