Have you heard the term passkey but don't know what it means? Passkeys have been around for a few years and are becoming more pervasive. I find passkeys appealing, and I encourage you to become familiar with them and give them a try. Below I offer a plain English explanation of what a passkey is, how it works, and why passkeys are more secure than passwords.
Passkeys are a replacement for passwords. They are a way to log into a website without using a password. I know this concept likely feels foreign or jarring since we’re so accustomed to using passwords, but once you understand the concept I think you’ll agree that it has advantages over the current password system.
Passkeys let you log in to a website, such as Amazon.com, using a pair of cryptographic keys. The private key is stored in a password manager such as Apple's Passwords app or 1Password; its partner, the public key, is stored on Amazon's web server. Your fingerprint, face or Mac password unlocks your password manager so it can use the private key. When you sign in, Amazon's server sends your browser a fresh, random, one-time challenge; your password manager signs that challenge with the private key; and the server checks the signature against the public key it has on file. A valid signature proves you hold the private key without the key itself ever being sent anywhere, and you gain access to your account as a result.
Here are some key advantages to using passkeys:
1. The private key never leaves your device (or your password manager's encrypted storage) and is never stored on a website's server. Only the public key is stored on the server, and the public key by itself can't be used to sign in: it can only verify signatures, not create them. So if the bad guys ever break into the website and steal your public key, they can't use it to gain access to your account. This reduces the number of headaches we all have to deal with as a result of breaches of corporate networks.
2. Phishing scams are also ineffective, because each passkey is tied to the exact website (domain) it was created for. Your browser and password manager check which site is asking for the passkey, so a look-alike phishing site at a different address can't even ask your Mac to sign with it, and the private key itself is never shown to any website in the first place.
3. Passkeys typically don't require a separate two factor code. Unlocking the passkey with your fingerprint, face or device password already combines something you have (the device holding the key) with something you are or know, so many sites treat a passkey sign-in as two factors on its own. Signing in with a passkey is therefore faster and easier than typing your password and then waiting for a code to be sent via text message.
4. You don't have to remember anything. You don't need to keep a written list or memorize anything. Each of your accounts is protected with its own unique passkey, and these passkeys are stored in encrypted form in your password manager.
In short: tap your finger or look at your camera to unlock your password manager. The web browser can then use the private key, stored in the password manager, to get you signed into a website. No passwords to remember. Nothing on the website's server that a thief could use to sign in as you, and nothing a phishing site can trick you into typing. No separate two factor code to wait for.
Currently, if you set up a passkey for one of your accounts, you'll be able to sign in with either your passkey or your password. In the future, companies may get rid of the password option altogether, and then you'll have to use a passkey. I expect the universal adoption of passkeys will take many years, so we won't be getting rid of passwords anytime soon.
Hopefully this overview gives you enough confidence to give passkeys a try. If you’d like to learn more, check out this article from Dashlane which offers additional explanations.
