Passwords might become a thing of the past if the IT industry can find a way to make "passkeys" a simple part of our daily tech workflow. The technology has been making strides toward the mainstream, but it's still a long way from being the norm.
The pitfalls of passwords have been discussed at length:
- They need to be robust — long combinations of letters, numbers and special characters.
- They have traditionally needed to be replaced on a schedule, though current guidance (NIST SP 800-63B) drops routine rotation and calls for a change only when a password may have been compromised.
- They need to be unique: You should use a different password for every website, service and app you access.
- They need to be managed by password management software, since, if you're following those just-mentioned best practices, there's no possible way to remember the dozens or hundreds of passwords you need in your day-to-day life.
- While passwords are a good start to safe authentication, they really should be combined with a second authentication factor, such as a code from a mobile device that has to be in the hands of the person attempting to log in.
- Passwords (or, at best, salted hashes of them) are stored on servers that belong to the vendors we interact with, and those servers are susceptible to breaches well outside our control or view.
Passkeys solve a number of those issues.
Passkeys use public key cryptography. When you create one, your device generates a key pair: a public key and a private key, two blocks of data. The public key is handed to the website you want to authenticate with; it lets that site verify your signatures but cannot be used to produce them, and deriving the private key from it is computationally infeasible. The private key stays on your device, ideally in a hardware-backed secure element or the platform keystore, and is never shared. Unlike a password, nobody chose it, so it cannot be guessed, and it is never reused across sites.
During authentication, the website sends your device a "challenge", a fresh random value that is not derived from any key. Your device asks you for a PIN, face recognition or a fingerprint, then signs the challenge (together with the site's identity) using your private key and returns the signature. The website checks that signature against the public key it stored when the passkey was registered; if it verifies, the site knows the device holding the matching private key produced it.
There's no need for multiple passwords, password resets or password managers. Passkeys also remove the need for a separate second factor: proving that the device is in the user's hands is the whole point of two-factor methods such as SMS codes or apps like Google Authenticator, and a passkey already requires the device plus the local PIN or biometric. They go a step further than those methods, because the signature is bound to the site's domain: a look-alike phishing site cannot collect a usable login and relay it, which SMS and authenticator-app codes cannot prevent.
Though the technology behind passkeys is solid, making it practical for users is the current challenge. Tech companies such as Google and Apple are beginning to encourage passkeys. But streamlining logins across devices and platforms is still a work-in-progress. And many websites haven't yet gotten on-board, or have buried their passkey login details well beyond their front page.
Password management tools such as 1Password, Bitwarden and Dashlane have started to store and sync passkeys themselves, which makes using them across devices and browsers easier.
As industry adoption of passkeys builds momentum, it may not be long before we have a simpler and more secure alternative to passwords.