What is a Passkey?
Passkeys seamlessly authenticate users by using cryptographic security “keys” stored on their computer or device, and are considered a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters which can be forgotten, stolen or intercepted.
The term passkey is an amalgamation of the terms password and key, a simple but subtle way of highlighting its utility as an authentication mechanism as familiar and ubiquitous as the traditional password, but invoking the imagery of reliability associated with a sturdy lock and a physical key. Pass “words” rely on a word, phrase, or string of characters (usually combined with a username) to authenticate users, while pass “keys” by comparison, use the mathematical underpinning between public and private cryptographic keys to authenticate. Once a passkey has been set up, the authentication process happens opaquely at login, with minimal additional involvement from the user. As a result, a login event becomes an effortless, almost automatic experience for people who have access to the registered passkey while simultaneously becoming essentially impossible for anyone else. Passkey implementation is also extremely flexible, as it can be implemented as either hardware bound or cloud synched, depending on the options afforded to the user by their device and the service or application in question.
Passkey technology is the cybersecurity industry’s attempt to unify, streamline, modernize and rebrand existing authentication lexicon, even if the underlying technology is essentially identical to FIDO2/WebAuthn, which has existed since 2018.
View the full size infographic
Learn everything you need to know about passkeys.
How Does Passkey Work?
Passkey login as a functional alternative to password login is still a nebulous, emerging and evolving technology, so the exact mechanics of how a passkey works may differ in the future, even if the central concept should remain the same. When a user requests access to a relying party (such as a website or an app) with passkey technology enabled, they will be prompted to create an original (or initial) passkey upon the first login. It will be this passkey which will be used for future authentication, and will require biometrics or a personal pin to access, depending on user preference but also what is available on the device of choice. During this ceremony, a key generation process creates a pair of mathematically related cryptographic keys: one private key that will reside on the user’s hardware or cloud account, and another public key that will reside with the relying party but linked to the account. During subsequent logins, the relying party will submit a randomly generated “challenge” to the user’s device, which must be responded to by signing said challenge using the private key. The relying party can then validate the authenticity of the private key by verifying the response using the associated public key. If the original randomly generated challenge matches the verified signature in the response, authentication is confirmed and access is granted, otherwise it is denied. Keep in mind that all this authentication happens in the background using lightning-fast computer processing, likely taking no more than a few hundred milliseconds, which effectively means an extremely fast alternative that could spell the end of vulnerable traditional logins as we know it. Thus, passkey technology removes cumbersome barriers to entry whilst even enhancing security in the process.
Another unique feature of passkey as an authentication mechanism, is its potential to be shared. As previously stated, passkey implementation is still evolving, but some vendors have even described the possibility of copying credentials between users, so long as the passkeys themselves remain secured in the cloud and away from would-be attackers. This ability may add to the overall user experience, since sharing account access between friends, family and even colleagues becomes easier, requiring no more than a swipe or button press for example, but it remains to be seen how this capability can be safely managed within an enterprise context in particular. Additionally, there are serious concerns about whether companies should double down on their dependency upon cloud providers and relinquish even greater control and ownership of credential management, since a data breach of said providers would almost certainly lead to catastrophic and widespread effects. It goes without saying that even passwords today can be shared between users, but that practice is generally not recommended by security experts and certainly discouraged at the enterprise level.
In contrast to passkeys in the cloud, hardware bound passkeys live on physical hardware authenticators, security keys or dedicated hardware integrated into desktop and laptop computers, where the passkey cannot be copied or shared. These represent a great alternative for those who wish to retain physical ownership of their own keys, but obviously prevents the ability to copy or share keys across the whole gamut of devices such as smartphones, laptops and tablets.
Why is Passkey Important?
An Apple passkey, Microsoft passkey and Google passkey are all coming down the pipeline, so why do the biggest tech companies on Earth consider passkey technology to be so important at this particular moment? Mostly because passwords and specifically, password management, are so problematic. Passwords are easy to forget, especially as they get more complicated and prolific with regards to minimum accepted requirements (e.g. eight character minimum length with a mix of upper case, lower case, special characters and numbers). They are also relatively easy to guess, steal, buy on the black market, or trick someone into exposing (also known as phishing). Both inconvenient and insecure, passwords are loved by no one, and there has long been a push within the security industry to replace them with something that makes authentication both easier to accomplish yet harder to exploit. Passkey does exactly that. Since users do not have a password (or anything else) to remember, there is nothing to forget or expose at login, or a constant need to change the mechanism periodically. And since public/private key combinations make it essentially impossible to steal or phish the information needed for login assuming the user’s device is able to properly manage the private key, passkey protected accounts are highly secure. The creation, evolution, and now maturation of passkey technology is important for all because it means we can soon leave passwords (and their many flaws) behind in favor of passkey logins that are regarded by security experts as superior in every way.
Who Needs Passkeys?
The more invested an organization or individual is in cybersecurity, the more likely they will benefit by transitioning from passwords to passkeys, although there is clearly value at all levels to transition away from password as an authentication mechanism. There are currently no formal requirements for someone to use passkeys per se, but based on past pressure to adopt stronger authentication standards (eg. the push for general 2FA across many services, the Whitehouse’s mandate for phishing-resistant MFA within the Federal government or the development of a unified electronic ID scheme within the EU), it’s easy to imagine future requirements to use passkeys by law, under contract, or as a requirement to be covered under cyber insurance. Global passkey adoption is currently quite small, but all the pieces are in place and momentum is building for passkey technology to become the next standard.
What are the Benefits of Passkey?
The primary benefits of a passkey system are two-fold. First, accessibility improves significantly by replacing passwords – which can be lost or exploited – with a passkey stored on a device and exchanged seamlessly at login through the use of a swipe, press, tap or biometric gesture. Second, passkey login makes credentials harder to exploit and unauthorized access much less likely since it uses public key cryptography rooted in mathematical theory. Credential exploitation generally plays a huge role in cyberattack initiation – it’s easier to slip through a door than break through a wall – but passkey makes that particular risk vector much smaller. Passkeys make authentication exceedingly more difficult to break, even with a large amount of computing power and resources. As cyber attacks become more common and credential exploitation cuts deeper, the benefits of passkey entry start to look especially appealing. Furthermore, as digital transformation progresses and technology facilitates an increasing amount of workflows, identity and access management will be a bigger headache for users and security teams alike. Already an obstacle, password usage will be increasingly out of step with the demands of modern IT as time goes on. Passkeys represent a viable and superior alternative with a clear path to adoption.
What are Passkey Best Practices?
Under the hood, passkeys utilize FIDO2 credentials, a collectively developed “gold standard” for authentication protocols that have existed since 2018, but it was not until 2022 and the collective announcement of Google Passkey, Microsoft Passkey, and Apple Passkey capabilities that passkey technology came into the spotlight. As the adoption of passkeys accelerates, best practices will continue to develop, meaning their use will evolve as the user base grows and the use cases for passkey software further expand. At least for this period of time until the technology fully matures, the impetus is merely to understand how passkey technology works, explore the different types that are available (more on that below), and plan how to transition away from passwords. One best practice that is evident already as users and enterprises investigate their alternatives, is to begin building a passkey ecosystem that makes it easy to adopt and manage passkeys for all involved.
What are the Different Types of Passkey Solutions?
The widely accepted passkey definition simply specifies that cryptographic keys are used for login rather than passwords. The exact implementation can vary between vendors, however. With one form or variation of passkey technology, known as synced passkeys, the passkey itself can be shared between devices and even users. With the Apple passkey, for instance, the private key is stored in a user’s iCloud keychain where it can then be accessed by any other authorized Apple device. This type of passkey login makes access especially easy, since the passkey can traverse between devices through an encrypted channel and can be easily restored even if a device is lost or a new one is introduced. It does, arguably, compromise security in the process by adding a potential new vector of attack, since hackers can potentially breach cloud accounts (or password managers in other instances of shared passkeys) unless there is phishing-resistant two-factor authentication in place there also, which is beyond the user’s control.
The alternative to synced passkeys are hardware-bound passkeys (sometimes called single-device passkeys) that only exist on a single piece of hardware. While synced passkeys are a new term to enter the collective lexicon, hardware-bound passkeys are actually discoverable FIDO2 credentials and have been supported as far back as 2018, by the YubiKey 5 Series for example. It’s important to clarify that this means authentication must originate from the one particular piece of hardware used during registration, or at the very least, by a device that has been previously used in conjunction with the hardware and subsequently denoted as trusted. With a hardware-bound passkey, the passkey cannot travel to other devices, but the device it does live on can authenticate any login that requires a passkey. Flexibility suffers somewhat, since each device must be registered separately before it can be used in an authentication ceremony, but the trade off is that security improves significantly when the only way to authenticate is by possessing a specific previously registered device. No device, no access.
There will likely be other differences or divergent approaches with how passkeys work unique to various vendors, since broad consensus has yet to coalesce around passkeys. However, the issue of where the private key “lives” will likely be the biggest and most important difference between passkey systems.
How to Choose a Passkey Solution
Cybersecurity always requires striking a balance between accessibility and security, and that’s especially true with passkeys. Focus too much on security, and login becomes an arduous but equally ineffective process to what it was with passwords. Focus too much on accessibility, however, and the risk of fraudulent access remains the same as before. Choosing a passkey solution – an ecosystem of authenticators and identity providers- starts by exploring the organization’s risk and risk tolerance. Those that put a high emphasis on security – tech, government, finance, energy, pharma, manufacturing – will want to explore hardware-bound passkeys, such as the YubiKey. Organizations or individuals that want to upgrade security and both want to take advantage of seamless login but also have the appetite for some risk of a cyber attack, may prefer synced passkey solutions despite their vulnerabilities.
Does Yubico Support Passkeys?
Not only does Yubico support passkeys, we have also been a pioneer in this field and a major force behind the development and adoption of FIDO2, the underlying protocol used within passkey technology. Yubico has worked closely with the FIDO Alliance since the beginning, to develop the authentication protocols and bring these innovations into the product sphere.
Our signature product, the YubiKey, is a security key that plugs into a USB port or read by an NFC reader, to authenticate both the user and the device it’s plugged into. YubiKeys can handle authentication through multiple means: two-factor, (and / or) multi-factor, and touch-to-sign. And with our latest iteration, the YubiKey 5 Series, our security keys even offer passwordless authentication using passkeys.
The passkey technology in the YubiKey works as a passkey generator that can create the public and private keys necessary to begin passkey login with accounts, apps, and vendors that enable it. A YubiKey serves as a repository for up to 25 unique passkeys. These are hardware-bound passkeys, meaning they live only on a particular YubiKey, and so the only way to gain unauthorized access would be to steal the YubiKey itself and then complete the authentication ceremony with either the correct PIN or biometric. This resilience to attack represents the gold-standard in passkey security while simultaneously making it easy to manage passkeys for multiple logins.