Passkeys

At Pythia Cyber, we dream of a world without passwords. True, adding two-factor authentication makes passwords less bad. But imagine a life without them at all. Ah, bliss. But what could replace them? Passkeys have a great shot at that.

What is a passkey? The short answer is this: a passkey is a token generated on one end and verified on the other with Public/Private Key (PPK) encryption. Since most people are not comfortable with PPK encryption, we will start with a simple description of that and then get into how this kind of encryption can be used to replace the user ID / password model of authentication.

The cool part of PPK is the fact that there are two keys: the public one that you publish to the wide world and the private one that you keep secret. The public key is used to encrypt a payload (whatever you want to share privately) and the private key is used to decrypt the payload. While encrypted, the payload is unreadable to anyone but you. Anyone can encrypt, only you can decrypt.

To replace passwords, you have to shift from specifying a user ID and supplying the matching password to proving your identity. Instead of holding lots of user IDs with matching passwords, you use your private key to establish who you are: the target system uses your public key to encrypt a challenge, your device uses your private key to decrypt the challenge, and your device then proves to the target system that it decrypted the challenge.

In this model your private key is your most important digital asset. Your phone (or whatever device you use to store the passkey) becomes a critical asset. But in this model you don't have multiple passwords that you have to change all the time. Hacking the target system doesn't expose *you*, because all the hackers can steal is your public key, which is already public.
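To make the two preceding points concrete, here is an added example (not code from Pythia Cyber or from any passkey implementation) of the challenge-response flow the post describes: the target system encrypts a random nonce with the user's public key, the device decrypts it and sends back a proof, and the target system stores nothing but public keys. The `RelyingParty` and `Authenticator` classes, the proof format, and the toy 128-bit textbook RSA (standard library only, no padding, far too small for real use) are all assumptions made for the demo. Note that real FIDO2/WebAuthn passkeys have the device sign the challenge rather than decrypt it; the flow below follows the post's encrypt-then-decrypt description.

```python
import hashlib
import hmac
import random
import secrets

# --- Toy textbook RSA (illustration only: tiny keys, no padding) ----------

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd prime with its top bit set, so p * q has the expected size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=128):
    """Return (public_key, private_key) as ((e, n), (d, n)). Demo-sized keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _proof_of(nonce):
    """What the device sends back: a hash of the recovered nonce, not the nonce."""
    return hashlib.sha256(nonce.to_bytes(32, "big")).hexdigest()


class RelyingParty:
    """The target system (hypothetical): stores only public keys, never secrets."""

    def __init__(self):
        self.registered = {}  # user id -> public key (e, n)
        self.pending = {}     # user id -> nonce awaiting proof

    def register(self, user, public_key):
        self.registered[user] = public_key

    def start_login(self, user):
        """Encrypt a fresh random nonce with the user's public key."""
        e, n = self.registered[user]
        nonce = secrets.randbelow(n - 2) + 2  # 2 <= nonce < n
        self.pending[user] = nonce
        return pow(nonce, e, n)

    def finish_login(self, user, proof):
        """Accept a proof once; the nonce is consumed whether or not it matches."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        return hmac.compare_digest(proof, _proof_of(nonce))


class Authenticator:
    """The user's device (hypothetical): the private key never leaves it."""

    def __init__(self):
        self.public_key, self._private_key = generate_keypair()

    def answer(self, challenge):
        d, n = self._private_key
        return _proof_of(pow(challenge, d, n))


def login(rp, device, user):
    """One complete challenge-response round trip."""
    return rp.finish_login(user, device.answer(rp.start_login(user)))


def demo():
    rp, phone = RelyingParty(), Authenticator()
    rp.register("alice", phone.public_key)
    legit = login(rp, phone, "alice")
    # Replay: an old proof fails because its nonce was consumed on first use.
    proof = phone.answer(rp.start_login("alice"))
    rp.finish_login("alice", proof)
    replay = rp.finish_login("alice", proof)
    # A thief holding only the breached database (public keys) cannot answer.
    thief = rp.finish_login("alice", _proof_of(rp.start_login("alice")))
    return {"legit": legit, "replay": replay, "thief": thief,
            "breach_exposes": list(rp.registered.values())}
```

Two checks worth noticing: `finish_login` pops the nonce so a captured proof cannot be replayed, and the only thing `rp.registered` ever holds is `(e, n)`, which is exactly what the post means by "all the hackers can steal is your public key".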

In theory all you would ever need is a single passkey which would identify you uniquely once and for all. In practice passkeys are being rolled out piecemeal as individual companies see fit. When I checked my phone, for example, I found that the iOS Password app (I am sure that there is an Android equivalent) already had 3 passkeys in it. A colleague checked her phone and found 1 passkey in it. Neither of us had explicitly decided to switch. The switch is happening behind the scenes as retailers seek to get out of the password-based security hole.

This is important enough to bear repeating: passkeys are great but they live somewhere, usually either your phone or the Cloud. Wherever they reside becomes your most important digital asset. If it is your phone then you need to treat your phone as an important digital asset. To quote the great Mark Twain,

"Behold, the fool saith, 'Put not all thine eggs in the one basket'—which is but a manner of saying, 'Scatter your money and your attention'; but the wise man saith, 'Put all your eggs in the one basket and—WATCH THAT BASKET.'" [1, 2]

Many of us feel that the advantages of passkeys far outweigh their disadvantages. A growing list of major companies supports them. Unless things change very much, passkeys will supplant passwords to an ever-growing degree over the next few years. When you consider changing, you can make an informed decision.
