Come up with something at least 10 characters long. Include numbers, at least one symbol, and — just to be safe — maybe some hieroglyphics. Oh, and make it something you’ll remember, of course. Yes, passwords are maddening, but their days are numbered: Passkeys are here to make passwords obsolete.
An even better reason to kick passwords to the curb is that they’re a security nightmare. Data breaches, hacking tools, and phishing scams to trick users into revealing sensitive information are all becoming more frequent and more sophisticated. Better security was the impetus behind the Fast Identity Online (FIDO) Alliance, a nonprofit association of over 300 companies that has been working for over a decade to develop authentication standards to reduce reliance on passwords. Their solution? Passkeys.
What are Passkeys?
With passkeys you don’t have to remember — or make up — anything. When you register to use a site or app, your device generates two cryptographically linked keys: a public key and a private key. The public key is sent to, and stored on, the servers of the app or website you’re signing in to. The private key, a long string of characters, is stored only on your device. When you sign in, the server, like the guard at the gate demanding “friend or foe,” presents a challenge to your device. Your device responds by signing that challenge with the private key, which serves as your personal signature or authorization. You approve the signing with the PIN, fingerprint, facial recognition, or similar means you use to unlock your device, and the server verifies the signature against the public key it holds for you. Your private key is safe because it is computationally infeasible to derive a private key from its public key.
Because passkeys are generated for a specific site or app, they won’t work on fake sites (those that look just like your bank’s website, for example, and steal your password when you try to sign in). Passkeys are also immune to social engineering attacks like phishing, because you don’t know the passkey; only your device does.
Andrew Shikiar, executive director of FIDO, says the new process is now a reality because the major tech players — who are often, as he puts it, “fierce competitors” — worked in close collaboration to make passkeys possible. In 2023, Google joined Apple, Microsoft, and many other tech companies in giving users the option of using passkeys across all their sites, greatly increasing passkey availability.
Are Passkeys Safer Than Passwords?
While acknowledging that nothing is completely bulletproof, Jonathan S. Weissman, a cybersecurity expert on the Rochester Institute of Technology faculty, says passkeys are “as foolproof a solution as has ever existed.” But for passkeys to work, we have to use them. As long as companies offer an option to use a password, many people will stick with what they’re comfortable with, Weissman says.
Shikiar agrees that people resist change, but believes that consumers eventually adapt to new technologies. People were slow to adopt Touch ID, he says. But then they realized it’s not only safer, but faster and more convenient than a PIN. It’s now widely used. “I think the same thing will happen with passkeys,” Shikiar says. He predicts that the vast majority of consumer services will offer a passkey option within three years, and people will use them exclusively a couple of years after that. “We’ll come to a point where we look back on passwords like we do the rotary phone,” he says.
This story was originally published in our January/February 2024 issue.