Passkey: nearing the end of passwords?
The use of a single password for logging into online accounts has been called into question in recent years, notably due to user complacency and increasingly sophisticated attempts by criminals to steal login details.
Data theft from businesses largely stems (81%) from passwords that are not sufficiently secure.
To counteract this problem, increasingly complex login methods need to be used, such as multiple factor authentication, without making it too difficult for the user. The solution to this problem is maybe the use of Passkeys, which has already been adopted by major tech actors around the world (and very soon by Gandi as well), to facilitate and make more secure the access to your data and services.
Why is authentication via a single password insufficient?
The limits of passwords
Everyone has, since their very first contact with a secure access to a service or data, had to manage an ever increasingly large number of different passwords. And we have also, with time, been forced to make them more complex, all the while seeing a drop in the efficiency of this technique.
Passwords, limited by constraints
By being forced to come up with increasingly complex passwords, using special characters and a mix of upper- and lower-case letters, and changing them on a regular basis (and even though the efficacy of this practice has never really been shown), it may be tempting to get a bit lazy with them and use the same one for multiple services, or even write them down in a notebook if they are not already on a post-it on the computer.
Passwords, easy to intercept
Even if good practices may hinder attacks, they are not perfect. There is always the chance that the user may be a victim of a phishing attack, which will lead them to enter their password – no matter how complex it may be – on a fraudulent website. Additionally, the way that the passwords are stored by the service in question might not be sufficiently secure: if they are stored in plain text and not encoded, your data is in danger, even if your password is extremely complex and kept secret.
The password, due to the constraints and precautions that it requires to be effective, is insufficient to guarantee the security of important data. It is necessary, at a minimum, to combine this method of identification with another factor, of another nature than a string of characters to memorize. For several years the disappearance of the password has been in the air, Bill Gates even predicted it nearly 20 years ago, and the generalization of multiple factor authentication must be used, but without increasing the complexity of the login process.
The principle of multiple factor authentication
What its name does not indicate is that two-factor authentication more than doubles the level of security over single-factor authentication (password), because the factors must be of a different nature:
- The “what you know” factor: a password, PIN code, secret question, etc. Some information that the user should be the only person to know.
- The “what you possess” factor: a credit card, a smartphone with a specific application installed, a USB key like a YubiKey, etc. any unique physical object that only you have in your possession.
- The “who you are” factor: a fingerprint, iris scan, voice, or facial recognition are some sources of biometric information that only you are able to reproduce in theory. This is similar in a way to a signature, or even localization at a given moment: “If it is really you, your smartphone should be close by.”
Multiple factor authentication requires factors that are of a different nature, because you would not be more secure if you just followed a password by another one, all the more so if it was just to ask the name of your first pet or city of birth.
On the other hand, with a password combined with a confirmation sent to your cellphone (a “what is known” factor and another that is “what you possess”), it is much easier to restrict access possibilities to just yourself.
This principle is used more and more often for services requiring confidentiality, though it does increase the complexity of logging in, since you don’t necessarily think of having a given physical object with you when you log into this or that service on a daily basis. “Passkeys” therefore exist to overcome this problem.
Passkey, a keychain for all your services
Apple, Google, and Microsoft, aware that their users use the services of these three services simultaneously, came to an agreement in 2022 regarding a standard that they called FIDO (for Fast IDentity Online). The objective was for these operators to agree on a system of identification using Passkeys.
How does Passkey work?
When you log into a service, two encrypted keys are created: one, private, is stored on your device (smartphone for example), and the other, pubic, is kept by the site that you want to log into. When you go to login, the private key lets you get past an initial barrier by “responding correctly” to an initial identification request. You then need to confirm this authentication with another factor, like a fingerprint reading from the device used. Each private key is stored in the device, which lets you use this technique for various services.
Concretely, this authentication protocol may take several forms:
- When you log into a service, the computer tries to reach you by your smartphone via Bluetooth, which sends a request for a fingerprint, and you are logged in once this confirmation is made.
- If your smartphone is not connected to the same account as your computer, you must scan a QR code. The computer, via Bluetooth, confirms that the device that scanned the code is close by.
- In the case where the object storing the keys is not a smartphone, but a USB key equipped with fingerprint detection, then then user must insert this key to confirm their identity.
The advantages of Passkeys
The main advantage of this system is, of course, being able to forego passwords, since the two methods of authentication are the two that are not “what you know” (ie. a complex password), but rather, “what you possess” (a device) and “who you are” (biometric data, a location).
It is therefore an easier way to multiply authentication factors, by notably using “proof of ID” that are not specific to this operation, in a world where the majority of people don’t go anywhere without their smartphone and fingerprint.
This characteristic allows it to be used in similar conditions with various services (Google, Microsoft, Apple) since they have all adopted the same standard, and, with distinct keys. While the use of a single password for several services is strongly discouraged, the use of the same device to log into multiple services is on the other hand very secure if specific keys are created for each service.
Another useful thing about this technique is that any biometric data that may be saved is only done on the object in your possession; Services such as Apple or Google that allow you to use your fingerprint for authentication do not store this data. The use of asymmetrical encryption prevents your authentication data from being obtained by someone who may have hacked into the database of the operator in question.
It would be good if “Passwordless” became the norm in terms of authentication. The Passkey system combines simplicity, the use of extremely reliable authentication factors, and the protection of biometric data. At the moment it is the best compromise of security and convenience. Maybe one day we’ll tell our grandchildren stories about a time when everyone had to remember long strings of characters, mixing upper- and lower-case and special characters, and they won’t believe us.