What is a Passkey?
Passkeys seamlessly authenticate users by using cryptographic security “keys” stored on their computer or device, and are considered a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters which can be forgotten, stolen or intercepted.
The term passkey is an amalgamation of the terms password and key, a simple but subtle way of highlighting its utility as an authentication mechanism as familiar and ubiquitous as the traditional password, but also conjuring the imagery of reliability associated with a sturdy lock that can only be opened by a physical key. Pass “words” rely on a word, phrase, or string of characters (usually combined with a username) to authenticate users, while pass “keys” by comparison, use the mathematical underpinnings of public and private cryptographic keys to authenticate. Once a passkey has been set up, the authentication process happens opaquely at login, with minimal additional involvement from the user. A login event becomes an effortless, almost automatic, experience for people who have access to the proper passkey while simultaneously becoming essentially impossible for anyone else. Passkey technology is the cybersecurity industry’s attempt to streamline, modernize and rebrand authentication lexicon, even if the underlying technology is essentially identical to FIDO2/WebAuthn, which have existed since 2018.
View the full size infographic
Learn everything you need to know about passkeys.
How Does Passkey Work?
Passkey login as a functional alternative to password login is still an emerging and evolving technology, so the exact mechanics of how a passkey works may differ in the future, but the central concept should always remain the same. When someone requests access to a website or an app (also referred to as the relying party) that has passkey technology enabled, they will be prompted to create an original (or initial) passkey upon their first login. It will be this passkey which will be used for future authentication, and will require biometrics, a personal pin or password to access, depending on user preference but also what is available on the device of choice. During this ceremony, a passkey generation process creates a pair of mathematically related cryptographic keys: one private key that resides on the user’s hardware, and another public key that resides with the relying party, and linked to the account. During subsequent logins, the server will submit a randomly generated “challenge” to the user’s device, which it must respond to by signing said challenge using the private key. The relying party can then validate the authenticity of the private key by decrypting the response using the associated public key. If the original randomly generated challenge matches the decrypted response, authentication is confirmed and access is granted. Keep in mind that all this authentication happens in the background using lightning-fast data exchange and computer processing, which effectively means an extremely fast alternative that could spell the end of vulnerable traditional logins as we know it. Passkey technology removes cumbersome barriers to entry whilst even enhancing security in the process.
Another unique feature of passkey as an authentication mechanism, is its potential to be shared. As previously stated, since passkey implementation is still evolving, some vendors have even described the possibility of copying credentials between users, so long as the passkeys themselves remain secured in the cloud and away from would-be attackers. This ability may add to the overall user experience, since sharing account access between friends, family and even colleagues becomes easier, requiring no more than a swipe or button press for example, but it remains to be seen how this capability can be safely managed within an enterprise context in particular. Additionally, there are serious concerns about whether companies should double down on their dependency upon cloud providers and relinquish even greater control and ownership of credential management, since a data breach of said providers would almost certainly lead to catastrophic and widespread effects. It goes without saying that even passwords today can be shared between users, but that practice is generally not recommended by security experts and certainly discouraged at the enterprise level.
Why is Passkey Important?
An Apple passkey, Microsoft passkey and Google passkey are all coming down the pipeline, so why do the biggest tech companies on Earth consider passkey technology to be so important at this particular moment? Mostly because passwords and specifically, password management, are so problematic. Passwords are easy to forget, especially as they get more complicated and prolific with regards to minimum accepted requirements (e.g. eight character minimum length with a mix of upper case, lower case, special characters and numbers). They are also relatively easy to guess, steal, buy on the black market, or trick someone into exposing (also known as phishing). Both inconvenient and insecure, passwords are loved by no one, and there has long been a push within the security industry to replace them with something that makes authentication both easier to accomplish yet harder to exploit. Passkey does exactly that. Since users do not have a password (or anything else) to remember, there is nothing to forget or expose at login, or a constant need to change the mechanism periodically. And since public/private key combinations makes it essentially impossible to steal or phish the information needed for login assuming the user’s device is able to properly manage the private key, passkey protected accounts are highly secure. The creation, evolution, and now maturation of passkey technology is important for all because it means we can soon leave passwords (and their many flaws) behind in favor of passkey logins that are regarded as superior in every way.
Who Needs Passkeys?
The more invested an organization or individual is in cybersecurity, the more likely they will benefit by transitioning from passwords to passkeys, although there is clearly value at all levels to transition away from password as an authentication mechanism. There are currently no formal requirements for someone to use passkeys per se, but based on past pressure to adopt stronger authentication standards (eg. the push for 2FA or the Whitehouse’s mandate for phishing-resistant MFA), it’s easy to imagine future requirements to use passkeys by law, under contract, or as a requirement to be covered under cyber insurance. Global passkey adoption is currently quite small, but all the pieces are in place and momentum is building for passkey technology to become the next standard.
What are the Benefits of Passkey?
The primary benefits of a passkey system are two-fold. First, accessibility improves significantly by replacing passwords – which can be lost or exploited – with a passkey stored on a device and exchanged seamlessly at login through the use of a swipe, press, tap or biometric gesture. Second, passkey login makes credentials harder to exploit and unauthorized access much less likely since it uses public key cryptography rooted in mathematical theory. Credential exploitation generally plays a huge role in cyberattack initiation – it’s easier to slip through a door than break through a wall – but passkey makes that particular risk vector much smaller. It is exceedingly difficult to bypass passkey system controls, even with a large amount of computing power and resources. As cyber attacks become more common and credential exploitation cuts deeper, the benefits of passkey entry start to look especially appealing. Furthermore, as digital transformation progresses and technology facilitates an increasing amount of workflows, identity and access management will be a bigger headache for users and security teams alike. Already an obstacle, password usage will be increasingly out of step with the demands of modern IT as time goes on. Passkeys represent a viable and superior alternative with a clear path to adoption.
What are Passkey Best Practices?
Under the hood, passkeys utilize FIDO2 credentials, a collectively developed “gold standard” for authentication protocols that have existed since 2018, but it was not until 2022 and the collective announcement of Google Passkey, Microsoft Passkey, and Apple Passkey capabilities that passkey technology came into the spotlight. As such, best practices have yet to develop, but undoubtedly, they will emerge as the user base grows and the use cases for passkey software further evolve. At this point in time, the impetus is merely to understand how passkey technology works, explore the different types that are available (more on that below), and plan how to transition away from passwords. A final best practice as users and enterprises investigate their alternatives, would be to select a passkey system that makes it easy to adopt and manage passkeys for all involved.
What are the Different Types of Passkey Solutions?
The widely accepted passkey definition simply specifies that cryptographic keys are used for login rather than passwords. The exact implementation can vary between vendors, however. With one form or variation of passkey technology, known as copyable passkeys, the passkey itself can be shared between devices and even users. With the Apple passkey, for instance, the private key is stored in a user’s iCloud keychain where it can then be accessed by any other authorized Apple device. This type of passkey login makes access especially easy, since the passkey can traverse between devices through an encrypted channel and can be easily restored even if a device is lost or a new one is introduced. It does, arguably, compromise security in the process by adding a potential new vector of attack, since hackers can potentially breach cloud accounts (or password managers in other instances of copyable passkeys) unless there is phishing-resistant two-factor authentication in place there also, which is beyond the user’s control.
The alternative to copyable passkeys are hardware-bound passkeys (sometimes called single-device passkeys) that only exist on a single piece of hardware. While copyable passkeys are a new term to enter the collective lexicon, hardware-bound passkeys are actually discoverable FIDO2 credentials and have been supported as far back as 2018, by the YubiKey 5 Series for example. It’s important to clarify that this means authentication must originate from the one particular piece of hardware used during registration, or at the very least, by a device that has been previously used in conjunction with the hardware and subsequently denoted as trusted. -. With a hardware-bound passkey, the passkey cannot travel to other devices, but the device it does live on can authenticate any login that requires a passkey. Flexibility suffers somewhat, since only one device is required for the passkey login ceremonies, but the trade off is that security improves significantly when the only way to authenticate is by possessing a single, specific device. No device, no access.
There will likely be other differences or divergent approaches with how passkeys work unique to various vendors, since broad consensus has yet to coalesce around passkeys. However, the issue of where the private key “lives” will likely be the biggest and most important difference between passkey systems.
How to Choose a Passkey Solution
Cybersecurity always requires striking a balance between accessibility and security, and that’s especially true with passkeys. Focus too much on security, and login becomes an arduous but equally ineffective process to what it was with passwords. Focus too much on accessibility, however, and the risk of fraudulent access remains the same as before. Choosing a passkey solution starts by exploring the organization’s risk and risk tolerance. Those that put a high emphasis on security – tech, government, finance, energy, pharma, manufacturing – will want to explore hardware-bound passkeys, such as the YubiKey. Organizations or individuals that want to upgrade security and both want to take advantage of seamless login but also have the appetite for some risk of a cyber attack, may prefer copyable passkey solutions despite their vulnerabilities.
Does Yubico Support Passkeys?
Not only does Yubico support passkeys, we have also been a pioneer in this field and a major force behind the development and adoption of FIDO2, the underlying protocol used within passkey technology. Yubico has worked closely with the FIDO Alliance since the beginning, to develop the authentication protocols and bring these innovations into the product sphere.
Our signature product, the YubiKey, is a security key that plugs into a USB port or read by an NFC reader, to authenticate both the user and the device it’s plugged into. YubiKeys can handle authentication through multiple means: two-factor, multi-factor, and touch-to-sign. And with our latest iteration, the YubiKey 5 Series, our security keys even offer passwordless authentication using passkeys.
The passkey technology in the YubiKey serves two purposes. First, it works as a passkey generator that can create the public and private keys necessary to begin passkey login with accounts, apps, and vendors that enable it. Second, a single YubiKey serves as a repository for up to 25 unique passkeys. These are hardware-bound passkeys, meaning they live only on a particular YubiKey, and so the only way to gain unauthorized access would be to steal the YubiKey itself, figure out which domains have been registered and then complete the authentication ceremony with either the correct PIN or biometric. This resilience to attack represents the gold-standard in passkey security while simultaneously making it easy to manage passkeys for multiple logins.