Passkeys, also known as public-private key pairs, offer a robust mechanism for secure authentication in online systems. Here’s how they work:
- Account Creation: When you create an account on a website, your public key is sent to the server. Meanwhile, your private key remains securely stored in your password manager.
- Login Process: When you attempt to log in, the web server sends a certificate to your device.
- This certificate is signed using your private key and then returned to the server. The server, in turn, authenticates the signature using the public key associated with your account. This ensures that even if an attacker obtains the signed certificate or the public key, they cannot easily calculate your private key. The computational effort required for such a task is immense, taking millions of years even with all the world’s computers combined.
- Protection Against Phishing: Furthermore, the web server signs the certificate received by your device, enabling your device to verify that it is communicating with the legitimate website and not falling victim to a phishing attack.
- Ease of Use: Passkeys offer convenience compared to complex passwords and unreliable autofill functions, as well as the hassle of managing time-based one-time passwords (TOTP codes).
Regarding cryptographic signing:
- With a public-private key pair, data encrypted with one key can only be decrypted with the other. Thus, if you encrypt something with your private key and send it to someone else, they can decrypt it using your public key, thereby verifying your identity.
- In real-world applications, the certificate undergoes hashing, an algorithm that converts data into a fixed-length, irreversible, and pseudo-random string of characters. The hash generated from the certificate is then encrypted with your private key. Simultaneously, the website creates its own hash from the certificate and decrypts the cryptographic signature created by your device
Why passkeys?
- Passkeys offer protection against both user-related mistakes and server issues such as security breaches.
- Traditional passwords, if compromised in a server breach, can lead to unauthorized access if stored inadequately (e.g., in plaintext, using reversible encryption, or hashed without salt).
- Passkeys, on the other hand, only store public keys on servers, which are not reversible. Even if publicly disclosed, these public keys hold no value to attackers.
- In the event of a server breach, the use of passkeys minimizes the impact on users, as their private keys remain secure and unaffected.
- Google highlights this security advantage by noting that storing only public keys on servers significantly reduces the incentive for attackers to target breaches and simplifies the cleanup process post-breach.
A Walk Through Time: The Evolution of Passwords
- 1960s: In the 1960s, Fernando Corbató at the Massachusetts Institute of Technology (MIT) recorded the first use of a password. It provided a simple solution for a time when computer access was limited and security threats were less sophisticated.
- 1970s and 1980s: As computers became more accessible, password usage surged. However, limitations like weak passwords, password reuse, and lack of multi-factor authentication (MFA) exposed vulnerabilities.
- 1990s and 2000s: Security concerns rose with the rise of the internet and online threats. Password complexity requirements increased, and MFA started emerging, but challenges like phishing attacks and password breaches remained.
- 2010s and beyond: Data breaches and hacking incidents became commonplace, highlighting the limitations of passwords. Password managers gained popularity, but concerns about single points of failure persisted.
Enter Passkeys: A New Era of Secure Authentication
The limitations of passwords have paved the way for a more secure and user-friendly solution: passkeys. Introduced by the FIDO Alliance in collaboration with major tech companies like Apple, Google, and Microsoft, passkeys are a significant step forward:
- Stronger Security: Passkeys are based on public key cryptography, making them significantly more resistant to brute-force attacks and phishing compared to traditional passwords.
- Convenience: Passkeys eliminate the need to remember and manage complex passwords. Users can simply use their fingerprint, face recognition, or a secure element on their device to authenticate.
- Universal Compatibility: Passkeys are being developed to be interoperable across different platforms and devices, eliminating the need for platform-specific logins.
Timeline of Passkeys:
- 2017: The FIDO Alliance starts developing the FIDO2 standard, which forms the foundation for passkeys.
- 2019: Apple introduces support for passkeys in its iCloud Keychain.
- 2022: Major tech companies collaborate to announce broader adoption of passkeys on various platforms.
- 2024 and beyond: Widespread adoption of passkeys across different platforms and services is expected.