What are passkeys and how do they work?

Passkeys is the password's little brother, which is even easier and safer to use when accessing different websites and applications.

25-11-2022 - 6 minute read. Posted in: awareness.

What are passkeys and how do they work?

Passkeys are an emerging feature that ensures better cyber security; it works like a keyhole where only you have the key that fits. Passkeys are the proxy for passwords, which should also be more stable, secure and easier for users to remember and use.

What are Passkeys?

Passkeys allow you to access online portals without using passwords. You avoid having to remember passwords and go through two-factor authentication, which some users may find inconvenient and time-consuming. Instead of multi-factor authentication, you simply choose your desired form of confirmation that you want to use when logging on to a particular site.

How do passkeys work?

When you log on or sign up to a website, the website will ask you which device you want to use for authentication; this could be a smartphone, computer or tablet. When you register a device, two encrypted keys are generated; one is private and uniquely made for you, where the other is a public key belonging to the website or application you want to sign in to.

Each time you try to connect to these websites or applications, a "riddle" is sent to your device - a "question" to which only the user knows the answer with the unique key. Once the question has been solved with the key, your device will ask for permission and confirmation that it is you who wants to use the key - this is done just like when you unlock your devices; whether it is a fingerprint, facial recognition, a PIN code or something else that needs to be entered.

Once the key has been used and verified, it goes into a keychain that contains all the different keys you have for various websites and applications. A new feature means that this keychain is stored in an online storage; e.g., Google Drive, Apple's iCloud, or Microsoft's OneDrive - depending on the software on your device.

This makes your passkeys available to all the devices you have connected to that operating system; for example, if you log in with your iPhone, you'll have the keychain on your iPhone, iPad, and Macbook. The keys are stored in an encrypted folder online that only you, the user, can access.

To sum up;

  • You log on to a website
  • You choose which device to use
  • Two encrypted keys are generated; one unique for you, and one public for the website
  • When you log in, the key will allow the forwarding of an authentication
  • You authenticate the forwarding with a fingerprint, facial recognition, pin or similar.
  • Your key is stored online and your keys are shared across devices

You can then log on to websites and applications without a password, using passkeys instead.

An example of passkeys in a more practical sense

Understanding how passkeys work can be a bit tricky, so here's how they work in practice:

Imagine that you want to sign up to a website - one that supports passkeys, mind you. You start by creating a user account and choose to secure it with passkeys instead of the classic password.

The server on the website shares some information about the site, and asks you to confirm your authentication; it can be either your phone, computer or tablet.

A passkey is then created specifically for the website you are logging into. All this happens locally on your device. Once the two encrypted keys are created, the public one is sent to the website and the unique key remains safely on your device.

The next time you log into the website it will make an "challenge", like the aforementioned "question" - your authentication will then answer this question using your unique key, and then send a final signature to the website. Finally, the website uses their key (which matches yours) to verify the signature. And then you're done!

The benefits of using passkeys

There are many reasons why passkeys are easier and better to use than the usual passwords. So we'll present some to you here:

All passkeys are unique and thus stronger

  • As you may know, most password recovery systems ask you to create strong passwords. They need to be longer and more unique with numbers, unique characters and upper and lower case letters. If you use passkeys, don't worry about having to come up with a unique password - where you'll end up reusing your old passwords anyway - this is also not hard for hackers to crack. That's why passkeys are optimal to use, since you don't have to think about making passwords and can leave the complicated stuff to the devices you use for it.

Your unique key is not shared with the website you are logging into

  • Unlike passwords, your passkey is not shared with the website you are logging into. Your passkey is stored on your own device and the online store you've linked it to - nowhere else. The website you sign up to stores the public key used to log in to the website.

Your public key cannot be used to track down your unique key

  • You also don't have to worry about your unique key being traced through the public key that websites hold. So if a cybercriminal hacks a website you have a user on, they can't use the public key to find your unique key and hack your profile.

Passkeys are a secure tool to avoid phishing attacks and social engineering

  • Hackers will most often impersonate others, or create social media-like websites where you have to create a login. By signing up to them, you give the hacker free access to your computer and data. But if you use passkeys, which belong to WebAuthn (short for web authentication), you avoid falling into the hacker's trap. WebAuthn verifies websites to make sure they are safe to use.

The future of passkeys

It's a bright future for ease of use when it comes to secure web browsing - especially for those of us who can't remember long, difficult passwords. The good thing about passkeys is that you can't write them down on a piece of paper - as opposed to having passwords stolen this way. Passkeys are a secure system that even avoids having to remember passwords and other security measures.

Work is underway to transfer keys between "ecosystems", i.e. Windows, Apple, Google, etc. This is still a problem if you want to switch systems - you have to transfer the keys manually; it would be preferable to be able to transfer them easily between ecosystems. This is being discussed precisely because as a user you verify each key to avoid a virus going in and transferring all the unique keys you have. It is first and foremost about cyber security, which is the cornerstone of passkeys.

Author Caroline Preisler

Caroline Preisler

Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.

Similar posts