There is increased push for Passkeys (instead of passwords), with Google now rolling out Passkeys as default sign-in option. Can someone please to me what “Passkey” is, how its different from passcode, and how it will change an average person’s login process on a daily routine basis?

391 views

I think of myself as tech savvy but for some reason i either missed the memo on Passkeys, or just misunderstand how the thing works. Im reasonably sure my parents/granparents will start asking me about this stuff soon (as google / other websites push it on them), and id really like to understand it myself first so i can explain it to them as well.

Right now, to login to website/account/etc i just need to know my login (i.e. my email address, or my username) and my password. For example, “FakeDogLover”+”CatsRule123”. How is Passkey different?

In: 1799

9 Answers

Anonymous 0 Comments

A passkey, unlike a password, uses a trusted device to verify your identity and grant you access to the account you’re trying to access. This eliminates the need to have passwords.

This is achieved through cryptographically generated public and private key. The private key is stored on the trusted device – like your phone – which is protected by whatever means you use to unlock your phone (face, fingerprint, passcode, etc.) The public key is shared with the app or website you have an account for.

When you want to sign in, your device will prompt you to verify your identity using your device – which is only accessible through your biometrics or passcode. Then your private key and the public key are used to generate an authentication that tell the company you are who you say you are which allows you to log in. This is the same process by which ubikey and other physical authentication devices work (as far as I know), but eliminates the need of carrying a second device in addition to your phone.

You can also check out this thread for a more fleshed out (but still digestible) explanation:

EIL5: Passwords versus Passkeys
byu/pconwell in1Password

Note: This is not the same as multi-factor authentication (MFA) which is a (normally) 6 digit code sent to your device to act as a secondary layer of authentication to your password. MFA are generally considered unsecure and easily obtained by bad actors through social engineering.

You are viewing 1 out of 9 answers, click here to view all answers.