An emerging authentication method could mark the end of the password era, ushering in a much more secure way to log into your accounts.
They are called passkeys, and this guide will explain how they work.
What Are Passkeys?
Passkeys are an authentication method that lets users log into their accounts without entering a username and password. Typically, a person logs into an account with a username and password they have created. Passkeys replace this with a pair of keys that are stored more securely. A person would need a second device to log into the account.
How Do Passkeys Work?
A passkey consists of two separate keys that are created by an authenticator, which could be a mobile device, or a password manager that supports passkeys. The first key is a “public” key that is stored on the site where you create an account. This key cannot be used to log into an account on its own.
It needs the second key, which is the “private” key. The private key is securely stored on a user’s device, and is activated by an action, essentially serving as an authenticator. Once the user performs the action, the private key will communicate with the public key. The public key can only be used with the specific private key. If the authentication method the public key receives is correct, the user will be able to log into an account.
The action that would activate the private key could be a biometric identifier such as a facial ID scan, or a fingerprint scan. It could also be a PIN that you enter. After you perform whatever action you set up, you would be able to log into your account.
How Are Passkeys Secure?
Passkeys are meant to eventually phase out the use of passwords, and one of the major reasons why is that they are much more secure than traditional login methods. This is tied to how the credentials are stored, especially compared to traditional passwords. Websites that use passwords have to store details about the password on a server that could be stolen by cybercriminals in a data breach.
That doesn’t happen with passkeys. Since the private key is stored on the user’s device, the website doesn’t need to store anything on its servers. Sure, cybercriminals can possibly view the public key, but that key is useless without the private key for any specific account. The private key only communicates with the public key when prompted, and even then it’s only for a short period of time.
Cybercriminals couldn’t access the account without having that private key. Passkeys have been designed to protect users from having their credentials compromised in traditional cyberattacks.
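The login flow from “How Do Passkeys Work?” and the protections from “How Are Passkeys Secure?” can be seen in a short simulation. This is an added example, not code from the original guide: it is a simplified model built on Node.js's crypto module rather than the real passkey (WebAuthn) protocol, and the names createPasskey, Website and demo are made up for illustration.

```javascript
// Added illustration: a simplified model of a passkey login, not real WebAuthn.
// createPasskey, Website and demo are hypothetical names.
const crypto = require('crypto');

// Authenticator (phone or password manager): creates the pair, keeps the private key.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    // The private key signs only after the user unlocks it (biometric scan or PIN).
    sign(challenge, userUnlocked) {
      if (!userUnlocked) throw new Error('user verification failed');
      return crypto.sign('sha256', challenge, privateKey);
    },
  };
}

// Website: stores only the public key and issues a fresh random challenge per login.
class Website {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  startLogin(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge can be answered only once
    if (!challenge || !pem) return false;
    return crypto.verify('sha256', challenge, pem, signature);
  }
}

// Runs one genuine login and two failure cases, returning the three outcomes.
function demo() {
  const site = new Website();
  const passkey = createPasskey();
  site.register('alice', passkey.publicKeyPem);
  const sig = passkey.sign(site.startLogin('alice'), true);
  const genuine = site.finishLogin('alice', sig);
  site.startLogin('alice'); // new challenge, so an old captured signature is stale
  const replayed = site.finishLogin('alice', sig);
  const other = createPasskey(); // someone holding only the leaked public key must sign with a different private key
  const forged = site.finishLogin('alice', other.sign(site.startLogin('alice'), true));
  return { genuine, replayed, forged };
}
console.log(demo());
```

Only the login signed by the registered private key succeeds; the replayed signature and the signature from a different key are both rejected, even though the public key itself was never secret.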
Do Any Companies Leverage Passkeys?
Some of the largest organizations in the world have started to adopt passkeys as a login method. Apple, Google, Amazon and several social media platforms allow users to set up passkeys.
While passkeys are the authentication method of the future, adoption is still limited. When signing up for an account, check to see if the website or service allows for the use of passkeys. If it does, it’s highly recommended you choose that route over the traditional combination of a username and password.