Passkeys - a World without Passwords?

At the RSA Conference 2023 in April, Google presented an update to its Authenticator app, hinting at the imminent switch away from passwords and towards «passkeys». Shortly afterwards, on the eve of World Password Day (May 3), Google announced that logging in with passkeys would soon be enabled for all accounts on its most important platforms. Users who already use 2-factor authentication and log in to google.com have since been prompted by Google to set up a passkey to simplify their login. Android smartphones even work directly as passkeys for the Google account; iPhones and computers, both Macs and PCs, can be turned into passkeys with just a few clicks.

So perhaps May 3 could now be declared «World No-Password Day», because so-called passkeys actually make passwords superfluous to a certain extent. But what exactly are passkeys and how do they differ from the passwords used up to now? And why are they more secure than passwords?
Passkeys are a relatively new technology for logging into apps and services. They replace passwords and are considered more modern, more secure and simpler to use. They are based on an authentication standard (FIDO2/WebAuthn) developed by the FIDO Alliance together with the W3C. The alliance includes Google, Apple and Microsoft, among many other companies. The procedure is open and works independently of the device manufacturer. Other technology companies besides Google have already announced that they will rely fully on passkeys in the future. Soon, hardly anyone will be able to avoid setting up a passkey.
In our blog article, we'll show you how passkeys work, how you can use them, and what to look out for when using them.

Passwords vs. passkeys

Passwords are so-called «shared secrets». The user shares his password with the web service: when logging in, he enters his username and password, thereby proving that he is authorized to use the account. The web service compares the entered password with what it has stored for that account (ideally only a salted hash of the password, never the password itself); if they match, the user is logged in.
This is a highly simplified representation, but it basically corresponds to how passwords work. However, this method, which used to be considered secure, was developed before the emergence of phishing, Trojans, credential stuffing and other modern attacks. Obtaining passwords and taking over personal accounts has become relatively easy for attackers. To further secure passwords, people now use 2-factor authentication and password managers, but even these methods cannot guarantee 100% security: a second factor based on a typed code (SMS, authenticator app) can itself be phished and relayed in real time.

With passkeys, there is no longer a «hackable» password that alone grants access to the account. Instead there is a key pair: a private key that only the user possesses and a public key that the web service stores. The two are mathematically linked and only work in combination. Passkeys therefore do not rely on a shared secret but on asymmetric (public-key) cryptography, more precisely on digital signatures. In place of a memorized password, the private key is a randomly generated value (typically 256 bits long) that no human ever sees or types. Unlike a password, it is never shared with anyone, not even the service provider: it stays on the device used as the passkey, for example the smartphone (or in an encrypted, synced keychain such as those offered by Apple, Google and Microsoft). When the user wants to log in, the web service sends the device a freshly generated random value, the «challenge». The device signs the challenge with the private key and returns the signature, and the service verifies it with the stored public key. A valid signature proves to the web service that the login request comes from the holder of the private key, since nobody else possesses it. Because each challenge is random and used only once, a signature captured in transit cannot be replayed later.

Note:

  1. The public key can be derived from the private key, but not vice versa.
  2. The private key is generated on the device used for the passkey and is never sent to the web service.
  3. In principle, the whole world is allowed to know the public key (see point 1); on its own it is of no use to an attacker, so a stolen database of public keys does not allow anyone to log in. It is stored at the web service and only works in combination with the secret private key.

The login with the passkey briefly explained

Figuratively speaking, you can imagine the Passkey as a normal U-lock. However, it is actually the most secure lock in the world and only one matching key exists for it.

If you want to log in to the corresponding web service with the passkey, this is done as follows:

  1. You enter your user name.
  2. The web service looks up the lock belonging to that user name among a large number of locks.
  3. The web service locks the lock (it doesn't need a key for that) and sends it to the user with that user name.
  4. The user uses his passkey (on the smartphone or another device) and opens the lock with his private key; then he sends the opened lock back to the web service.
  5. The fact that the lock is now open proves to the web service that the user holds the matching private key, i.e. the passkey, because the service knows that nobody else has it. Since it is the most secure lock in the world, the service can be confident that it really is the authorized user who opened it.

In the next step, the user is logged in and has access to his account. (In the real protocol, «locking» and «opening» the lock correspond to the service sending a random, single-use challenge and the device returning a digital signature over it, which the service checks against the stored public key; the lock is just a picture for that exchange.)

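The exchange described above, written out as an added example in Go; this is not code from the original article or from any of the vendors mentioned. It uses Ed25519 from the Go standard library, assumes a made-up web service example.com and user alice, and simplifies the data layout (real WebAuthn wraps the challenge in clientDataJSON and the relying-party ID hash in authenticatorData, and also carries a signature counter). It goes slightly beyond the text by showing why a look-alike domain gets no signature at all and why a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion is what the passkey device returns (toy layout, not WebAuthn's real encoding).
type Assertion struct {
	RPIDHash  [32]byte // SHA-256 of the relying-party ID the browser presented
	Signature []byte   // Ed25519 signature over RPIDHash || challenge
}

func signedBytes(rpIDHash [32]byte, challenge []byte) []byte {
	return append(rpIDHash[:], challenge...)
}

// Authenticator models the passkey device. Private keys never leave it.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Create generates the key pair on the device and hands out only the public half.
func (a *Authenticator) Create(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Sign answers a challenge only for a relying party it holds a key for, so a
// look-alike domain such as "examp1e.com" (made up here) gets no signature at all.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no passkey for %q", rpID)
	}
	h := sha256.Sum256([]byte(rpID))
	return Assertion{RPIDHash: h, Signature: ed25519.Sign(priv, signedBytes(h, challenge))}, nil
}

// RelyingParty models the web service. It stores public keys only, so a breach
// of its database yields nothing an attacker could log in with.
type RelyingParty struct {
	ID          string                       // e.g. "example.com" (assumed)
	credentials map[string]ed25519.PublicKey // username -> public key
	pending     map[string][]byte            // username -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, credentials: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the user's public key (step 2 of the analogy: the lock).
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.credentials[user] = pub
}

// BeginLogin issues a fresh random challenge (step 3: the locked lock).
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.credentials[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// FinishLogin checks the assertion (step 5): the challenge is consumed on first
// use (no replay), the rpID must be ours, and the signature must verify.
func (rp *RelyingParty) FinishLogin(user string, a Assertion) error {
	challenge, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge (already used?)")
	}
	delete(rp.pending, user)
	if a.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("assertion was made for a different relying party")
	}
	if !ed25519.Verify(rp.credentials[user], signedBytes(a.RPIDHash, challenge), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp, auth := NewRelyingParty("example.com"), NewAuthenticator()
	pub, _ := auth.Create(rp.ID)
	rp.Register("alice", pub)
	ch, _ := rp.BeginLogin("alice")
	asrt, _ := auth.Sign(rp.ID, ch)
	fmt.Println("login:", rp.FinishLogin("alice", asrt))  // login: <nil>
	fmt.Println("replay:", rp.FinishLogin("alice", asrt)) // replay: no outstanding challenge (already used?)
	_, err := auth.Sign("examp1e.com", ch)                 // a phishing site presents its own domain
	fmt.Println("phish:", err)                            // phish: no passkey for "examp1e.com"
}
```

Running it with `go run` prints the three outcomes: the genuine login succeeds, presenting the same assertion a second time fails because the challenge has been consumed, and the look-alike domain never receives a signature. Two properties the prose mentions are visible in the code: the web service only ever holds public keys, and the signature covers the relying-party ID, so an assertion obtained for one domain cannot be accepted by another.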
Facts at a glance

Why are passkeys more secure than passwords?

  • Passkeys are generated by established cryptographic algorithms from proper randomness. They are therefore always equally «strong» and significantly stronger than any password a human could come up with; there is no such thing as a weak or reused passkey.
  • Since the secret part (the private key) always remains with the user, there is no «shared secret» that could be leaked or stolen in a breach at the service provider. A database of public keys is of no use to an attacker.
  • Passkeys are resistant to phishing for two reasons: «the secret» never leaves the user's device, so there is nothing to type into a fake login page, and each passkey is bound to the domain of the web service it was created for, so the browser will not even offer it on a look-alike domain. Because the passkey combines possession of the device with a local unlock (PIN or biometrics), a separate «second factor» such as an SMS code is not needed at login.

What do I still have to pay attention to?

  • Like passwords, passkeys can also be lost, for example if the device holding the passkey is lost or reset. It is therefore always a good idea to store passkeys in a password manager that syncs them across devices, as «Prime Password» supports, and to register a second passkey (for instance on another device or a hardware security key) with each service. Keep any recovery codes the service offers in a safe place.

Most web services introduce passkeys in parallel with the passwords that already exist for the service, so users will still have a password with these services for the time being. As long as that password remains a valid way to log in, it must continue to meet the highest security standards and should definitely be protected with a second factor, at least until passkeys have replaced passwords altogether.

Which web services already support passkeys?

  • Support is not yet universal but already considerable, and it is growing quickly. A current overview is maintained by the provider 1Password at https://passkeys.directory/

Our IT security consultant Marius Dubach will be happy to answer any questions you may have on this and other security topics. You can find our security products here.

Marius Dubach, IT Security Consultant

+41 61 500 16 15
marius.dubach@primetrack.ch