I’ve avoided “passkeys” like the plague, but with Google [promising a password-less future](https://safety.google/authentication/passkey/) and Apple [forcefully moving people to passkeys going forward](https://developer.apple.com/videos/play/wwdc2024/10125/?time=258), I guess it’s time to figure out what they are.
I consider myself a tech person, but the more I hear about these *passkeys*, the less I understand. Apple’s [overview](https://developer.apple.com/passkeys/) says that they’ll be used “alongside” passwords, so I don’t get what’s being **replaced**, and why the hell we need them. Fido Alliance (the folks that apparently invented the damn thing) says that [passwords are a problem](https://fidoalliance.org/passkeys/), but reading this, it doesn’t seem like it’s **my** problem they talk about.
What I **do** understand, though, is that one day I had someone walk into my hotel room in Poland and walk out with my laptop and cell phone while I was asleep^1.
**So, overnight, I ended up without access to any of my devices or phone number abroad**.
Luckily, because I was still in the password-ful past, I could log into my email and Skype from the hotel’s computer and let my wife know that I needed some help.
What would this scenario look like in the future, when everything gets switched to passkeys?
____
^(**[1]:**) ^(I had forgotten to lock the door – learn from my mistake. To the Krakow police’s credit, they *actually caught the thief* several months later.)
A lot of close answers, but not ELI5…
Consider your credit card (the chip-and-PIN card): the card itself does not contain any information about the account, but an encrypted reference to where it should be found. When you enter your PIN, this reference is decrypted and your actual account is then located to be used. This way, even if your card gets stolen, the stealer cannot get any useful information from the card itself. You need both pieces of information (the card and the PIN) to make it useful.
Passkeys perform the same function:
The issuer (Apple or Google or something else) stores your “actual credentials”. These are your “identities” in an encrypted format. The issuer, in a perfect world, should not have any way of decrypting this information by themselves. Your biometric/PIN/password is the only way to decrypt this information. The identity contains the username and passwords (usually system generated).
Every time I want to log in to a website, I use my biometrics to get back this credential from the issuer (there is a complex tokenisation and access management process, but I won't go into that for the sake of ELI5).
I use the “master” password, which I keep in a safe, only to log into new devices and register them with the issuer.
This means that I cannot provide a “hacker” with a password to a website, because I don't know what that password is (thus removing that attack vector).
If the issuer gets hacked, the encrypted credentials are useless without a way to decode them (thus removing this attack vector as well).
Physical separation of the biometrics and the encrypted file itself means that a hacker will find it difficult to get both pieces of information quickly, and this discourages all but “very high value” attacks.
Hopefully, this helps?