The passwords we have become accustomed to using to access our many accounts are not very good if you think about them critically. Passwords that are hard for attackers to guess are also hard to remember, while those that are easy to remember are also easy to crack.
There are also people who use the same password on different websites. This means that should one of those websites fail to store its passwords properly and attackers get hold of them, they will try the retrieved passwords on other websites, potentially gaining access to the accounts where users have reused them.
The FIDO (Fast IDentity Online) Alliance, the industry association behind open authentication standards, is well aware of these limitations and has been working on a system to replace traditional passwords.
Two-Factor Authentication (2FA) has made passwords more secure, but some people still do not understand its benefits, or feel it is an unnecessary extra step that turns logging in into a tiresome process: waiting for a text message or email, typing in the secret code, and only then getting access.
This is where the new system of ‘passkeys’ comes in, with support from both Android and Google.
When the passkeys system is adopted, signing in to a website will no longer involve entering a password, even those that are auto-filled by the browser or password managers that you might be using. Instead, the new system will leverage the use of cryptographic keys.
When you sign up on a new website, your phone or computer generates two keys: a public key that the website stores, and a private key that stays on your device.
A message locked with the public key the website stores can only be unlocked by the matching private key on your device. When you log in, the website locks a secret message with the public key and sends it to your device; the private key on your device unlocks the message and your device sends it back to the website.
You only get access to the website when the message sent back matches what the website locked with the public key.
There is also no need to remember long passwords, and because each website gets its own independent pair of keys, should one website be compromised, the information the attackers retrieve will not let them into your accounts on other websites.
The keys are stored on the device you sign up on, but to be able to gain access to your favourite websites from other devices that you own, you can securely store the cryptographic keys on cloud services like password managers.
This way you will be able to log in from any device instead of being locked to the device the private key was originally stored in.
For this passkeys implementation to work, third-party adoption is crucial. However, there is hope that it will see the light of day, as Google has the leverage and authority, especially in the Android space, to convince third parties to embrace the new system.