What are Passkeys?
A passkey is a new type of digital credential that can be used to log in to websites or applications without the use of a password. Based on standards by the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3), passkeys represent a significant step forward in the adoption of passwordless authentication.
Soon after passkeys were introduced in 2022, Apple, Google, and Microsoft announced their support for passkeys, and many companies have followed suit. There are important reasons technology leaders are embracing the use of passkeys.
For users, passkeys are convenient — they simplify account registration and login, and they can work across most of a person's devices. Providing pleasant user experiences that are unencumbered by forgotten passwords, reset processes, or account lockout are important to building customer satisfaction, a key differentiator for digital businesses.
Passkeys also offer far better security than the age-old password. Data breaches that expose user credentials (usernames and passwords) are a common occurrence, sometimes the result of phishing and other social engineering attacks. And passwords are bought and sold on the dark web again and again to break into user accounts and carry out fraud, such as account takeover (ATO). Passkeys, on the other hand, are phishing-resistant. There is no password exchanged between a user and a website, so there is no way to "intercept" a password in transit and no password to steal in a data breach.
For these reasons and more, passkeys help to protect online accounts from unauthorized access, the leading cause of data breaches.
A little background on FIDO2 WebAuthn
Passwordless authentication is based on the FIDO2 Web Authentication (WebAuthn) standard, which eliminates the need to enter a password by using private and public key cryptography for secure authentication along with a secondary form of authentication, such as a fingerprint scan, facial recognition, or other biometric authenticator. Push notifications on a mobile authenticator app can also be used, as can one-time passcodes (OTPs) or the device's unlock PIN.
Until now, the widespread use of passwordless has faced some hurdles due to limitations in the portability of WebAuthn, which has been tied to the physical device owned by the user. If the user loses or replaces the device used for passwordless, the new device no longer holds the user credentials (private key) to authenticate, and the user must begin the passwordless process again.
Passkeys, also known as multi-device credentials, eliminate this restriction by allowing the private keys to be stored in a vault in the device vendor's cloud instead of on the device itself. What this means is that you can register one device, such as an iPhone, and, because your identity is connected through the Apple ecosystem, your passkey can also be used with your iPad and MacBook.
Because passkeys remove the reliance on hardware, a user can change devices without having to start over with passwordless. Furthermore, even if a device is lost or stolen, the passkey is stored in the mobile phone's encrypted memory, so the likelihood of it somehow being extracted from the device is slim — and even if it could be, the passkey wouldn't work without the user's biometric or other secondary authentication.
How do passkeys work?
The password is known as a static shared secret, which means that the user knows the secret and so does the server on the other end. That's one problem, because any time something is known, it can be shared, stolen, or phished.
Instead of relying on a shared secret like a password, WebAuthn generates a pair of security keys on the user's device, one is private and the other public. The private key is securely stored on the device and never leaves it, while the public key is shared with the web service.
When using a passkey to sign up for a service or website, such as an online retailer, the user needs a personal device, like a smartphone, that is not shared with others. During registration, the smartphone will create two encrypted keys, which are unique and specific for each service. There is the private key, which remains on the smartphone, and the public key, which is held by the website. These keys are linked together and both keys are required for authentication.
Each time the user attempts a login, the service will pose a "challenge" that only the user will be able to solve with the private key on that user's device. Once this "challenge" is solved, the user proves that they are the owner of the smartphone by putting their finger on the fingerprint reader (or another biometric), or using an OTP or push.
Unlike a traditional password, the user's private key is never shared with a website or service, nor is it stored on their servers.
Why passkeys are far superior to passwords
Besides creating a terrible user experience, the problems with passwords, especially their security weaknesses, are well known. Best practices say that passwords should be long, complex, and unique for every online account and service. But it's difficult to create and remember hundreds of different passwords. So people tend to create simple passwords that they can remember, and they tend to use the same ones for multiple accounts. And they rarely change them, if ever.
The risks with this approach are two-fold. Not only are these passwords easy to crack, but attackers know that if a password works for one account, it is likely to work for many accounts.
Attackers have a range of tools at their disposal for obtaining people's passwords. Some of the traditional approaches, which remain incredibly effective, include phishing, brute-force attacks, credential stuffing, and more. In 2023, the use of generative AI emerged with the potential to crack passwords and develop new methods of attack far faster than humans ever could.
With passkeys, on the other hand, the user doesn't have to remember a password or enter it. The private key is stored on the user's device, and it's retrieved automatically when signing into an account. A copy of the public key is stored with the account provider.
The private key is never shared with the website the user is signing in to. That eliminates the concern of websites storing user credentials, because the public key on its own can't be used to gain access to an account even if it were to be stolen. Public keys can't be used to "decode" a private key. If a website's servers are breached, the best an attacker can hope to find is a public key, which can't be used to sign in to any account and can't be reverse-engineered to reveal the associated private key.
Passkeys are a strong defense against phishing and other social engineering attacks. Criminals will often create fake but seemingly authentic websites to try to trick users into sharing their login credentials. They will also try to exploit users' security fatigue with tactics like MFA prompt bombing, which tries to get users to "accept" an MFA push notification. Passkeys, thanks to the WebAuthn standard, protect users by ensuring that their credentials are never shared.
ForgeRock Intelligent Access
ForgeRock Access Management
Blazing the Trail on Passwordless Authentication with Passkeys
ForgeRock’s support of FIDO2 passkeys enables passwordless authentication for better user experiences and reduced credential phishing attacks