Passwords are the keys to our digital lives – think about how many times you log into websites and other systems. But just like physical keys, they can be lost, duplicated, and stolen.
Many alternatives have been proposed in recent years, including passkeys. These offer a significant improvement in terms of user-friendliness and the potential for widespread use.
But what exactly are they – and how are they different from passwords?
Passwords are vulnerable
Simply put, a password is a secret word or phrase you use to prove who you are on computer systems and/or online. If you have an account on a website or subscribe to a service provider, you probably have a lot.
Passwords themselves are fine. It is the way we implement and use them that makes them vulnerable. For example, poor password habits are everywhere. A CyberNews report from earlier this year found that 94% of the 19 billion passwords exposed were reused. It also identified several similarities in passwords, including strings of numbers like “123456”, names of people, cities, popular brands and swear words.
And when a breach occurs, stolen passwords can spread quickly. This leads to account takeovers, identity theft and/or phishing attacks. In one test, hackers were trying to use exposed credentials within an hour.
Passwords are also vulnerable to phishing, which is when fraudsters trick you into typing your password (or other information) into a fake account login page. The number and impact of phishing emails continues to grow, with one report suggesting that more than 3 billion phishing emails are sent worldwide per day.
A good password is unique (ie never used again) and complex (think a sequence of letters, numbers, and symbols like “e8bh!kXVhccACAP$48yb”). It can also be a unique combination of several words to create a memorable phrase or sequence.
This can be difficult to remember, although creating a story that uses the contents of the password may help. For example, say your password was “CrocApplePurseBike”. You can remember it by thinking crocodile who packed it Apple to one wallet Before boarding a bicycle.
What are passkeys and how do they work?
Passkeys first appeared almost four years ago. They use a mathematical process called public key cryptography to create a unique set of information that is split into two parts, or keys.
A key is public and can be shared with websites. The other is a private key that is stored securely on your device. To sign in to an account, the website sends a random challenge (such as a number) and your device uses the private key to “confirm” the sign-in request. This verification is usually called “signing” the request and applies a mathematical process to the challenge.
Your device just doesn’t do this automatically. Usually you have to confirm the request. For many mobile devices, this requires using your face or fingerprint to verify that a reply is being sent.
Finally, the website verifies the signature against the public key it already has. If it approves the challenge, you’re in.
Stronger in design
Passwords are by design stronger than passwords. It doesn’t matter if the public key is stolen, because it can’t be used alone. Your private keys are securely protected by your device’s security, and most use face or finger-based biometrics to unlock (it’s best to avoid relying on a PIN).
Each password is also unique to each service you use. Even if a site’s key is stolen, it cannot be used elsewhere.
About the authors
Paul Haskell Dowland is Professor of the Practice of Cyber Security at Edith Cowan University.
Ismini Vasileiou is an associate professor in the Faculty of Computer Science and Informatics at De Montfort University.
This article from The Conversation is republished under a Creative Commons license. Read the original article.
Another advantage is that passkeys are resistant to phishing. From the user’s perspective, there is no password to send in response to a phishing email. The request to enter the site must be from the registered device with the user’s approval.
A password is also easier than a password. You don’t have to look for the password you used when you signed up – the passkeys are already linked to your device and are just a finger/tap away from authentication.
However, there are some problems with passkeys. For example, while many browsers, operating systems, and websites use passkeys, this is not universal. And some early implementations suffered from cross-device compatibility (such as between Microsoft and Apple devices).
As users move to newer devices and manufacturers improve integration, these issues should disappear.
A clear winner
From a security standpoint, passkeys are the clear winner. They offer stronger protection, can resist phishing and are easier to use. But as long as passkeys are everywhere, passwords still play a supporting role.
Implementing passwords on a website requires the effort of the relevant company. With so many sites requiring users to create accounts, the process of transitioning them all to passkeys would take decades. Many never adopt this practice unless other factors force their hand.
Right now, it’s critical to focus on password hygiene by using strong, unique passwords and enabling multi-factor authentication wherever possible. If you do nothing else after reading this article, at least change your reused passwords.
