Passkeys vs Passwords
Authentication
You may have heard of passkeys, heralded as the “password replacement.” But how do they work? And can they truly replace passwords? Let’s start by taking a step back and thinking about what both passwords and passkeys are trying to accomplish.
In a word, authentication. Authentication is about verifying who you are. This is different from authorization, which is about verifying what you’re allowed to do after you’ve authenticated.
The most popular way to bypass authentication is through a technique called phishing. This is when the attacker tricks the user into inadvertently giving up their credentials. This is usually done through a website or app that looks identical to the real thing. The user is tricked into entering their login information into the phishing site that the attacker controls, which the attacker can then use to log in as the user.
Passwords
Ah, the good ol’ password. The thing everyone loves to hate. They’re difficult to remember, easy to misplace, and often the weak link in account security. But! They are the only form of authentication interoperable with basically every single device since the dawn of computers. And with plenty of easy-to-use and secure password managers out there, some of those deficiencies can be mitigated.
A major downside of passwords is that they are not phishing-resistant (i.e., a phishing site could steal your password). The service you’re authenticating to also still needs to use a secure password hashing algorithm to store the passwords.
Passkeys
Passkeys are the new kid on the block. The term first started being used sometime in the last 5-10 years as a synonym for FIDO credentials—though the white paper for what we refer to today as passkeys was released in March of 2022. FIDO (specifically FIDO2) is a standard for enabling passwordless authentication. The group behind the standard was formed back in 2013. Passkeys became widely known back in 2022 when Apple, Google, and Microsoft all announced plans to support interoperable passkeys.
In a sense, passkeys have actually been around since at least 2014 with the release of the YubiKey Neo. YubiKeys are devices that plug into USB-A, USB-C, and other ports to perform passwordless authentication. Passkeys are more-or-less the digital equivalent of that. The 8 years leading up to the 2022 announcement were spent improving on the FIDO standard, and building out ways to make it more interoperable. So how do passkeys work?
Public-key cryptography
Modern computer security is built around encryption. Encryption is the process of using complicated math + a secret (e.g., a string of characters) to turn data into unintelligible gibberish, which can only be turned back into its original form by using the same complicated math + the secret. Public-key cryptography is one way to perform encryption. You have a public key and a private key (a key is just a long, binary secret). Thanks to some of the aforementioned complicated mathematics, the public key can encrypt data that only the private key can decrypt, and vice versa.
When you register a passkey with a website, your device creates a public key and a private key. The public key is given to the website, and the private key is what becomes your passkey. When you want to log in, the website will send a random string of characters (known as a challenge) to your browser. Your browser then uses the private key to encrypt the challenge, your username, and the URL of the website. (Technically this is known as a digital signature, which is a little different, but for the purposes of this explanation it’s fine to simplify it as such.)
Your browser sends the result back to the website, which then uses the public key to confirm that it’s really you who’s authenticating. Remember that only the public key can decrypt whatever the private key encrypts – this property of their relationship means that if the public key can decrypt the response, then we have mathematical proof that your private key is what was used to encrypt (i.e., the use of your private key functions as a signature of sorts to prove you are who you say you are).
You might wonder how this is any different from passwords. If your private key gets stolen, then anyone can impersonate you. Very astute! That is why the private key is kept as secure as possible. But don’t you need to use the private key when trying to log into a site? So couldn’t it get stolen then?
Nope! This is one of two reasons why passkeys have a major advantage over passwords. You don’t enter the contents of the private key when authenticating to a site, but rather use the private key to encrypt some data that the server gives you. It is theoretically impossible to reverse engineer the key based solely on the encrypted data. So your private key, unlike a password, never leaves the safety of your device.
The second reason why passkeys have a major advantage is that the URL of the website is part of the encrypted response that gets sent back when logging in. Why is that useful? It means that passkeys are phishing-resistant! Say that I’m trying to log in to my Apple/Google/Meta/whatever account, but I get tricked into going to a phishing website that looks identical. It prompts me to log in with my username and passkey. My browser uses the passkey to encrypt the challenge, my username, and the URL of the phishing website. This gets sent to the phishing site, which then tries to pass it on to the real site. The real site will use my public key to decrypt the contents of the encrypted response successfully. But it will see that the URL of the server doesn’t match! So it will fail the login attempt.
You may wonder why the phishing site can’t just change the URL to be the real URL. A) The browser is in charge of providing the URL to be encrypted, not the server. B) While the phishing site could get access to the public key to decrypt the response (a public key is meant to be shared, well, publicly, so it’s plausible the phishing site could obtain it), it can’t re-encrypt the response because it won’t have your private key. Therefore, any response it tries to tamper with will not be decryptable with your public key.
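The login flow and the two phishing arguments above, as an added example that is not part of the original article: a simplified model using a real digital signature (ECDSA P-256 from Node's built-in crypto module), not the actual WebAuthn message format. The function names and both origins are constructed for illustration, and a stale-challenge case is included alongside the two cases the text describes.

```javascript
const crypto = require('node:crypto');

// Registration: the device creates the key pair; only publicKey is given to the website.
function registerPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Browser side: the browser, not the page, supplies the origin it is really on.
function browserSign(privateKey, challenge, username, origin) {
  const clientData = JSON.stringify({ challenge, username, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Server side: verify the signature first, then check the signed fields.
function serverVerify(publicKey, expectedChallenge, expectedOrigin, response) {
  const valid = crypto.verify('sha256', Buffer.from(response.clientData),
                              publicKey, response.signature);
  if (!valid) return 'rejected: bad signature';
  const data = JSON.parse(response.clientData);
  if (data.challenge !== expectedChallenge) return 'rejected: wrong challenge';
  if (data.origin !== expectedOrigin) return 'rejected: origin mismatch';
  return 'accepted';
}

function runScenarios() {
  const REAL = 'https://login.example.com';   // constructed origin of the real site
  const PHISH = 'https://login.example.net';  // constructed origin of the look-alike site
  const { privateKey, publicKey } = registerPasskey();
  const challenge = crypto.randomBytes(32).toString('hex');

  // 1. Normal login on the real site.
  const legit = serverVerify(publicKey, challenge, REAL,
                             browserSign(privateKey, challenge, 'alice', REAL));
  // 2. The user is on the look-alike site, so the browser signs that origin;
  //    the response is then passed on to the real site unchanged.
  const relayed = browserSign(privateKey, challenge, 'alice', PHISH);
  const relay = serverVerify(publicKey, challenge, REAL, relayed);
  // 3. The signed origin is rewritten in transit; the old signature no longer matches.
  const forged = { clientData: relayed.clientData.replace(PHISH, REAL),
                   signature: relayed.signature };
  const tampered = serverVerify(publicKey, challenge, REAL, forged);
  // 4. An old response is presented against a fresh challenge.
  const fresh = crypto.randomBytes(32).toString('hex');
  const replay = serverVerify(publicKey, fresh, REAL,
                              browserSign(privateKey, challenge, 'alice', REAL));
  return { legit, relay, tampered, replay };
}

console.log(runScenarios());
```

Only the first scenario is accepted; the other three fail at different checks, which shows why the server has to verify the signature and compare the signed challenge and origin against its own expected values.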
So… why use passwords?
Passkeys are phishing-resistant. They obviate the need to memorize anything. Does this mean we can dispense with passwords entirely? Not quite. Passkeys have great interoperability, but they aren’t backwards-compatible. That means there are a significant number of things that will never be able to support passkeys because they will never be updated.
Passkeys also can’t solve every authentication use-case. For example, there’s a chicken-and-egg problem where the place you store your passkeys needs to be secure. But you can’t secure it with a passkey because then you’ll have no way of securing that passkey.
Passkeys have a significant advantage over passwords, and should be used wherever possible. But they can’t be used everywhere, and for those cases, the humble password is still the way to go.
About the author: Bradley Neumaier is a software engineer specializing in cybersecurity. He is the creator of the security education site AppSec Cheat Codes, and blogs at neumaneuma.com.