There is an increased push for Passkeys (instead of passwords), with Google now rolling out Passkeys as the default sign-in option. Can someone please explain to me what a “Passkey” is, how it’s different from a passcode, and how it will change an average person’s login process on a daily routine basis?


I think of myself as tech savvy, but for some reason I either missed the memo on Passkeys or just misunderstand how the thing works. I’m reasonably sure my parents/grandparents will start asking me about this stuff soon (as Google / other websites push it on them), and I’d really like to understand it myself first so I can explain it to them as well.

Right now, to log in to a website/account/etc. I just need to know my login (i.e. my email address or my username) and my password. For example, “FakeDogLover” + “CatsRule123”. How is a Passkey different?


9 Answers

Anonymous

A passkey, unlike a password, uses a trusted device to verify your identity and grant you access to the account you’re trying to access. This eliminates the need to have passwords.

This is achieved through a cryptographically generated public and private key pair. The private key is stored on the trusted device – like your phone – which is protected by whatever means you use to unlock your phone (face, fingerprint, passcode, etc.). The public key is shared with the app or website you have an account for.

When you want to sign in, your device will prompt you to verify your identity using your device – which is only accessible through your biometrics or passcode. Then your private key and the public key are used to generate an authentication that tells the company you are who you say you are, which allows you to log in. This is the same process by which YubiKey and other physical authentication devices work (as far as I know), but it eliminates the need to carry a second device in addition to your phone.

You can also check out this thread for a more fleshed out (but still digestible) explanation:

EIL5: Passwords versus Passkeys, by u/pconwell in r/1Password

Note: This is not the same as multi-factor authentication (MFA), which is a (normally) 6-digit code sent to your device to act as a secondary layer of authentication on top of your password. MFA is generally considered insecure and easily obtained by bad actors through social engineering.
