This time I wanted to introduce you to the revolution in the world of passwords, and I don't use the word revolution in an exaggerated way. Although probably soon the phrase "world of passwords" itself will be out of place. Imagine not having to create complicated passwords, remember them or even use them. On top of that, it is safe, indeed safer than using passwords. There are no passwords. There is no two-step authentication, no rewriting numbers from SMS or emails. No phishing will work, and password leaks will no longer matter. All you need is your face or fingerprint to securely log in to various sites, portals and services. Too good to be true? Let's take a look at the Passkeys solution. Because it's worth it.
Why no more passwords?
Google, Apple and Microsoft have been working for some time to enable fast and efficient login without passwords, resulting in the Passkeys mechanism. Passwords so far, although necessary, are by all means cumbersome. You have to create complicated ones, keep them in a safe place, and preferably still change them regularly. Then retype these strange and long strings in various places. Then someone tries to extract these passwords from us by phishing. If they fail, they try to guess them, and often succeed. If they fail at that, they can always fall back on leaks of password hashes from careless sites. The necessary, and additionally annoying, remedy in this situation becomes two-factor authentication: SMS, email or other one-time codes.
Why Passkeys?
All of these drawbacks are stripped away by the Passkeys solution. You enter a login, show your face or touch the fingerprint reader, and you are already logged in. Is this possible? YES ... and no. Not quite ... or at least not yet. But one step at a time.
The days of entering a PIN or drawing patterns on the glass of our personal phone seem to be passing irrevocably. A significant portion of users use facilities such as fingerprint or facial recognition. So don't be surprised by the assumption that we all have phone locks. Fortunately, some apps try to enforce such locks. Leaving aside the imperfections and risks of each of these methods, we can assume that they present some basic form of protection for access to our phone. So if we already have biometric identification set up, then this is a great starting point for Passkeys.
How Passkeys work
Whenever you log in to a particular service for the first time, or when you configure Passkeys for a particular service, a pair of keys is created: a private key and a public key. These keys are based on so-called asymmetric encryption. This means that a message encrypted with the private key can only be read with the public key, and vice versa. After creating such a key pair for a particular service, the public key is sent to the service's server and the private key is stored on our device. This arrangement lets the service's server, encrypting and decrypting information with our public key, be sure that only we can be on the other side. And the other way around: if our device encrypts and decrypts information with our private key, it can be sure that it is talking to the right service.
In practice, if we want to log in to some service with Passkeys, the service sends us a simple challenge encrypted with our public key, different each time. Only we, having the private key, can decrypt it and respond, that is, confirm our identity. All of this happens in the background without our participation. Note that we do not send any passwords or anything else that could be intercepted or eavesdropped. Our private key, the only thing that can be used to log in, sits safely on our device.
Until now, our super-secret passwords have been stored on service servers in hashed or, horror of horrors, plain text form.
This meant that any leak carried a high or very high risk of disclosing these passwords. With Passkeys, only public keys are stored on the service's server, and they are... well, public: disclosing them has no security implications. There is no threat of a password leak here. There is no threat of phishing for access. No one will look over your shoulder as you type your password. Even you can't reveal your password or key, because you don't know it.
Well, and you are your password
In everyday use, logging in to some service means typing in a username, if it's not filled in automatically, tapping the fingerprint reader or showing your face, and that's it. Done, we are logged in. Quick, efficient and secure.
Passkeys – Google, Apple, Microsoft
Such a set of private keys will be handled in encrypted form by the default password managers of each of these platforms. This makes it possible to use one's set of keys on all devices connected to a single account, without giving access to a particular platform.
Passkeys - password managers
What if, for various reasons, I don't feel like tying my bundle of private keys to any of the above providers? For the moment, in such a situation, LastPass and 1Password have already announced the implementation of Passkeys support. Other password managers will probably join soon. This means that we will be able to keep our very private bundle of keys fully in our own hands.
Logging in on another device
Sometimes there is a need to log in to some website on a device that is not ours, or we simply have our bundle of keys on our phone while currently using Windows. Then the website generates a QR code, which we scan with our phone, confirm, and we are in.
Status as of November 2022
Apple introduced Passkeys with the latest version of iOS 16. Google announced that Android and Chrome will support Passkeys at the end of 2022. Keep in mind that Passkeys is at the beginning of its journey and the current status will probably change over time. As of now, I haven't heard of any major service supporting Passkeys. Given the involvement of the major players there is a good chance that this will start to change quickly. Because from the current perspective, it seems like a great solution.
Will this solution fully replace passwords? Probably not, but it seems to me that the more mature it becomes, the more widely it will be used. Note that once Google, Apple and Microsoft make it available, it will still have to be implemented by every service administrator on their own side. Every single one. This gives serious reason to believe it won't happen that fast. And what about the sites that don't implement it? Well, we will have to keep using passwords there. I for one am keeping my fingers crossed for the rapid development of Passkeys.