I’ve avoided “passkeys” like the plague, but with Google [promising a password-less future](https://safety.google/authentication/passkey/) and Apple [forcefully moving people to passkeys going forward](https://developer.apple.com/videos/play/wwdc2024/10125/?time=258), I guess it’s time to figure out what they are.
I consider myself a tech person, but the more I hear about these *passkeys*, the less I understand. Apple’s [overview](https://developer.apple.com/passkeys/) says that they’ll be used “alongside” passwords, so I don’t get what’s being **replaced**, and why the hell we need them. The FIDO Alliance (the folks that apparently invented the damn thing) says that [passwords are a problem](https://fidoalliance.org/passkeys/), but reading this, it doesn’t seem like it’s **my** problem they talk about.
What I **do** understand though, is that one day I had someone walk into my hotel room in Poland, and walk out with my laptop and cell phone while I was asleep^1.
**So, overnight, I ended up without access to any of my devices or phone number abroad**.
Luckily, because I was still in the password-ful past, I could log into my email and Skype from the hotel’s computer, and let my wife know that I needed some help.
What would this scenario look like in the future when everything gets switched to passkeys?
____
^(**[1]:**) ^(I had forgotten to lock the door – learn from my mistake. To Krakow police’s credit, they *actually caught the thief* several months later.)
Passkeys are similar to passwords in that they are a secret thing that you have, which is supposed to provide access to your accounts. There are some differences though:
* The Passkey is accessed by typing in the login for the user account on the computer (or with biometrics), not by any webservice-specific login. This means that the user only has to remember one strong password, without taking on the massive security risk of using the same password everywhere.
* Seamless two-factor authentication is built in, without any additional step. Because only your computer has the Passkey stored to be decrypted by a TPM or similar technology when you type your password, the login can only be made from your devices. You need both your device and your password/biometrics to log in, but the process is seamless in that the two-factor confirmation does not require a separate interaction.
* Due to some clever use of public/private key cryptography, websites do not even have sufficient information to leak your Passkey, so that others can gain access. They only have enough to make queries that confirm that yours is real. This means that the risk of websites with improper password security is gone.
As for how you’d recover if your devices get stolen, it really depends on what your backup strategy is. The big three in operating systems (Google, Apple, Microsoft) are all happy to do a cloud backup of your Passkeys by default, so most users would just need to use the traditional recovery options for those accounts, but if you opt out of that or use Linux, then the decrypted passkeys can just be treated as any other file when you make a backup strategy.