The idea is that you register a specific physical device (like your phone) with a website. When you try to log into that site, the website pings your phone to ask if you can log in. Your phone then has whatever security it has to validate you are **you** – and if you are, passes along a signal to let you log in.
The hope is that they will replace other forms of authentication – like passwords and SMS codes – because they are far easier and more secure. A **big** part of cybersecurity is developing a system that users will actually _use_, and passkeys may be simple enough to be that system.
Passkeys tackle the biggest current threat, phishing, by ensuring your login info matches the website’s actual address, and not a dumb fake site. They’re built on an open standard, accessible to everyone: Android, Apple, Windows. Beyond just phishing, they also protect against various other threats, like hacks on website servers, by using a “public key” not a password, so it doesn’t matter if it’s hacked or leaked. It’s really similar tech to what’s used in SSL/HTTPS, which has been used for ages to prove the server’s identity, just flipped around.
Let’s imagine your Gmail account is a box safe in your house. In order to access the stuff you keep stored in your safe (your emails), you need a way to open the safe.
Your password would be like a combination lock. It’s convenient because as long as you know the combination (password), you can open the safe. That convenience can be a risk, however, because someone could steal your combination, or if given enough time, they could guess your combination by trying all possible combinations until they find yours (brute-force crack your password).
A passkey would be like a key lock. It’s a little less convenient because you must have the key to open your safe, but it’s much more secure because it’s much harder to guess/figure out a key pattern or create a copy of the key. However, if you lose your keyring (phone), you won’t be able to access your safe.
This explanation leaves out a lot of nuance obviously, but this is a rough analogy that’s easy to understand.
Fingerprint/Touch ID/Face ID is technically separate from a passkey, but it is the most common method by which to authenticate a passkey. So most people who interact with passkeys now and in the future will do so by verifying their identity with biometrics, which will give your device permission to “put the key in the slot” and unlock a given account.
A passkey is basically just a long, randomly generated password that the phone remembers and automatically submits for you so you don’t have to think about it. That’s it.
A passkey is “more secure” than a regular password, but not because the technology itself is all that different from regular passwords. It’s more or less the same thing under the hood. It’s “more secure” specifically because the password is not living in your dumb monkey brain that can forget it or be tricked into giving it up by a well-crafted scam email.
The downside of making your phone responsible for remembering the password for you is that if you lose or break the phone, you’re screwed. Unless you have a backup method to get in, that is, such as a list of one-time-use emergency codes or another authorized device.
The biometric part is just a feature of your phone that is used to lock and unlock the digital safe where the phone keeps the passwords. You are not giving your fingerprint data to apps and websites.