Passkeys are a digital credential that can be used to log into websites and applications. Based on FIDO (Fast IDentity Online) standards, passkeys were designed to provide a secure, user-friendly method of authentication that does not use any passwords.
How Passkeys Work
Passkeys work through the WebAuthn API, which was developed jointly by the World Wide Web Consortium (W3C) and the FIDO Alliance. Instead of a password, WebAuthn verifies identity using a public-private key pair.
Public and private keys are mathematically linked; they’re designed to go together, and you need both pieces to authenticate successfully. Unlike a traditional password, the private key isn’t shared with the website you are signing in to. To sign in, the website sends an assertion challenge to your authenticator. You then must take the required action on the authenticator, such as entering a PIN or presenting a biometric.
Your authenticator then signs the authentication assertion with your private key and sends it back to the website. The website verifies the signed authentication assertion using its copy of your trusted public key and grants you access. While this sounds complicated, in practice passkeys are easier to use than a password because you don’t have to type in a long string of characters.
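The challenge-and-assertion exchange described above, modelled as an added example (not HYPR's code or any WebAuthn library) with Go's standard-library ECDSA: one function plays the authenticator, the other the website (relying party). The RP ID, origins and challenge string are constructed values; the look-alike origin shows why a signature obtained on the wrong site is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Assertion is the authenticator's reply: AuthData = SHA-256(rpID) || flags || signCount, Sig is ECDSA over AuthData || SHA-256(ClientData).
type Assertion struct{ AuthData, ClientData, Sig []byte }
func signedDigest(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// sign plays the authenticator; the private key never leaves this function. The browser, not the user, fills in the origin.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) Assertion {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	h := sha256.Sum256([]byte(rpID))
	authData := append(h[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signCount 1
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{authData, cd, sig}
}

// verify plays the relying party, which holds only the registered public key, the challenge it issued, and the origin and RP ID it expects.
func verify(pub *ecdsa.PublicKey, a Assertion, rpID, origin, challenge string) bool {
	var cd map[string]string
	if json.Unmarshal(a.ClientData, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != challenge || cd["origin"] != origin {
		return false // replayed challenge or phishing origin: rejected before any crypto
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return false // assertion was scoped to a different RP ID
	}
	return ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientData), a.Sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // created at registration
	ch := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"                       // constructed challenge
	good := sign(priv, "example.com", "https://example.com", ch)
	phish := sign(priv, "example.com", "https://examp1e.com", ch) // look-alike origin
	fmt.Println(verify(&priv.PublicKey, good, "example.com", "https://example.com", ch),
		verify(&priv.PublicKey, phish, "example.com", "https://example.com", ch)) // true false
}
```

Because the signed data binds the origin and RP ID, the same private key cannot produce an assertion the real site will accept from a phishing page, which is the property the text calls phishing resistance.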
Moreover, unlike traditional passwords, which are susceptible to various cyber threats, passkeys provide a secure and seamless authentication experience. For a detailed explanation of the workings of passkeys and the technology behind them, check out HYPR’s comprehensive guide on how passkeys work.
How Secure Are Passkeys?
Authentication is one of the top entry points for cyberattacks, so the security of authentication methods is of utmost importance. Passkeys offer a much more secure alternative to traditional passwords.
Leveraging public-private key cryptography, passkeys are phishing-resistant, providing enhanced protection against common attack vectors, such as credential phishing, brute force attacks, credential stuffing, AitM (adversary-in-the-middle) and other attacks on authentication.
Passkeys' security lies in the fact that, unlike passwords and some other forms of authentication, such as one-time-passwords (OTPs), SMS and email links, there are no shared secrets. The confidential credential information is not transmitted and is decentralized, rendering interception, theft, breaches, or cracking implausible.
Passkeys offer a promising solution to the vulnerabilities of traditional password-based authentication. Passkey authentication uses on-device verifiers, like the TouchID used to log into a computer or the face scanning used to unlock a phone, and combines this with public-key cryptography to prove identity to the website or app.
"With the industry at an inflection point, passkeys promise to be the vehicle to tip us over by finally presenting the world with a phishing-resistant, user friendly and scalable alternative to passwords as a primary authentication factor."
Andrew Shikiar, Executive Director & CMO, FIDO Alliance
Source: The State of Passwordless Security Vol.3
For a discussion on the security merits of passkeys, explore the article “How secure are passkeys” on HYPR's blog.
Passkeys vs. Passwords
Let's compare passkeys and passwords side by side to understand their respective strengths and weaknesses:
| Pros of Passkeys | Pros of Passwords |
| --- | --- |
| Passkeys use public-private key cryptography, making them more secure against various attacks. | Passwords have been around for a long time, and users are accustomed to the concept. |
| Passkeys eliminate the need for users to remember complex passwords, reducing the risk of weak password usage. Passkeys also remove the reuse of passwords across different services. | No device dependency: users can log in from any device with their passwords. Passkeys require users to have their devices accessible for authentication. |
| Since passkeys are not entered by a user or shared, they cannot be phished or intercepted during transmission. | Supported by all websites and apps: while there is global acceptance of passwords, passkeys are still a new alternative form of securing accounts and as such are not as globally accepted. |
Types of Passkeys
Different types of passkeys cater to specific use cases. There are two prominent types of passkeys worth mentioning:
Synced passkeys offer convenience and flexibility. As their name implies, synced passkeys can be synchronized across multiple devices within the same family of devices, ensuring seamless access to accounts. The synchronization is securely managed by the passkey provider. For example, a user might have a synced passkey on their iPhone, MacBook, and iPad managed through iCloud Keychain.
When a user generates a passkey on an Android device, it is securely stored and synchronized with their other Android devices. The passkey secrets are encrypted with end-to-end protection and the passkeys are available to the user across all Android devices utilizing Google Password Manager and linked to the same Google account.
Synced passkeys are much more secure than passwords and many other methods such as OTPs and push notifications, but the fact that they are synchronized across devices means that they carry some security and regulatory compliance limitations.
A device-bound passkey cannot be passed amongst devices. It is designed for enterprise environments with security and operational requirements that make synced passkeys unsuitable. HYPR Enterprise Passkeys are built on this type of passkey.
Device-bound passkeys are primarily used within organizations to enhance security and streamline user management. These passkeys are tied to specific devices issued or used by the organization, such as company-issued smartphones, an individual employee’s phone or hardware tokens. By embedding passkeys in these devices, organizations can tightly control access, ensuring only authorized personnel can log in to their systems and services.
If a passkey is device-bound, the passkey is not allowed to be synced and is not backed up by the cloud. If the user loses or wipes the device, the passkey cannot be recovered and a new one must be issued.
Where Can You Use Passkeys?
Websites that support passkeys use the passkey icon shown below:
Passkeys are created by the user on their device and copied across their Google, Apple, and Microsoft accounts on their phones, tablets, and laptops.
- Apple announced support in iOS 16 in Sep 2022, and iPadOS 16 and macOS Ventura in Oct 2022.
- Google announced support in Android starting October 2022 and plans passkey support in ChromeOS by 2023.
- Microsoft Windows is set to deliver support in 2023.
Most platforms already support sign-in with a passkey from a nearby device such as a mobile phone or security key. These include:
- Microsoft Edge and Google Chrome on Windows
- Edge, Safari and Google Chrome on macOS
Passkeys are accessed using the same WebAuthn API which has been available across all the platforms and browsers since 2018. The cross-device sync of passkeys is managed transparently by the OS.
"I set up passkey authentication on my iPhone for my Best Buy account. Now I just approve passkey sign-in by using FaceID, like I do to unlock my phone, and I can access my account."
FIDO Alliance and W3C Standards for Account Security
The FIDO Alliance and World Wide Web Consortium (W3C) play pivotal roles in shaping standards for passwordless authentication, including passkeys. FIDO (Fast IDentity Online) is a collection of technology-agnostic security specifications designed for robust authentication.
The FIDO Alliance is an open industry association launched in February 2013. Its stated mission is to develop and promote authentication standards that enhance security and streamline authentication processes across various technologies and platforms, promoting a safer and more user-friendly digital experience and reducing the world’s over-reliance on passwords. The W3C is an international organization that develops web standards and works to ensure those standards are adopted consistently across the web.
Passkeys are based on the FIDO2 standard, which is a set of open standards for passwordless authentication. As passkeys are built on FIDO standards, all browsers can adopt them.
Passwordless Authentication with HYPR
As technology advances and the demand for strong authentication grows, passkeys are poised to revolutionize how we secure our digital identities and interact with online services. The strides made by Apple, Google, and other companies in the realm of passwordless authentication have brought significant attention to the issue of authentication security. Their endorsement of FIDO standards reinforces the idea that this approach holds promise for the future.
However, it is essential for organizations to recognize that off-the-shelf solutions may not encompass the required scalability and comprehensive functionality. As the landscape continues to evolve, HYPR, a pioneering company in passwordless authentication, stands equipped with a profound understanding of potential challenges, empowering enterprises to make well-informed decisions when integrating passwordless authentication into their operations.
HYPR supports both synced passkeys and advanced device-bound enterprise passkeys. Read more here on how to deploy the right passkeys for your business. HYPR enables organizations to implement secure and convenient passwordless authentication methods.
What is the difference between MFA and passkeys?
MFA (multi-factor authentication) and passkeys are both security measures aimed at enhancing authentication, but they differ in their underlying principles and execution.
MFA involves the use of multiple independent factors, such as something the user knows (password), something the user has (security token or smartphone), and something the user is (biometric data like fingerprint or facial recognition). It requires the user to provide multiple forms of verification before gaining access, thereby adding an extra layer of security. Under traditional multi-factor authentication, this usually takes place in multiple steps, with the user entering a password in the first step and an additional factor in the second step.
Passkey authentication, depending on the implementation, embodies the core principles of multi-factor authentication in a single step. The biometric verifier or PIN is the first factor, and possession of the device holding the passkey is the second factor. However, synced passkeys do not meet multi-factor requirements for some regulations, as you cannot prove sole possession when the passkey can be used from multiple devices.
Are passkeys safe?
Yes, passkeys are considered safe and more secure than traditional passwords. Passkeys utilize public-private key cryptography, making them resilient against common cyberthreats like phishing and brute force attacks. By eliminating the reliance on passwords, passkeys enhance security and provide a seamless authentication experience.
Do passkeys replace passwords?
Passkeys offer a promising alternative to passwords, but they might not entirely replace passwords in all scenarios. While passkeys are gaining popularity, some legacy systems or services may still require passwords for compatibility reasons. However, as technology evolves, the adoption of passkeys and passwordless authentication is expected to increase.
Can passkeys be hacked?
Passkeys are designed to be highly secure, but no authentication method is entirely immune to potential risks. The security of passkeys relies on the strength of encryption and proper implementation. As long as users follow best security practices and companies prioritize robust security measures, the risk of passkey hacking remains minimal. However, it's crucial to stay vigilant and continuously update security protocols to stay ahead of potential threats.