What's The Issue With Passwords?
Passwords are synonymous with internet use; we use them to log in to email and social media accounts and to check our bank balances. We are urged to create 'good' complicated passwords, with each site defining what 'good' looks like.
Despite these efforts, passwords remain a problem: many people use weak passwords and/or reuse the same password across several accounts. Phishing occurs when people fall prey to websites that masquerade as legitimate services.
This happens when users click on a link that appears genuine but leads to a fraudulent website designed to capture the user's password.
What Exactly are Passkeys?
Passkeys are password replacements that are resistant to phishing attacks. They also make the login procedure considerably easier for users while increasing security.
Consider Nancy, who has been logging in to her Gmail account with a password. By switching to a Passkey she can log in with her fingerprint or face instead. If she is unable to use the Passkey, the password remains as a fallback (passwords will ultimately be removed).
Instead of a password, passkeys use a pair of private and public keys. Nancy now has a private key that is generated, stored, and managed by her phone, either by an authenticator app or by the operating system.
As part of creating her Passkey with Gmail.com, Nancy's phone knows how to submit her new public key to Gmail automatically.
Gmail now knows Nancy's public key and will ask her to prove she holds the matching private key by unlocking her phone and signing a challenge with it.
All of this happens in the background between Gmail.com and her phone, so Nancy just needs to worry about unlocking her phone with her fingerprint or face biometrics as usual.
If she has multiple Gmail.com accounts, she may have to choose which Passkey to use.
Fake websites are no longer a threat since they lack Nancy's public key, preventing her from signing on to them. Remember, the private key never leaves her phone.
How Does Nancy Make the Transition From a Password to a Passkey?
The figure below depicts Nancy's transition from a password to a passkey for her Gmail account.
Nancy enters her account and password into the service (Gmail).
Because Gmail now supports Passkeys, Nancy is prompted to generate one, or she may need to go to g.co/passkeys.
A message appears instructing her to create a Passkey.
Nancy chooses to generate a Passkey and is asked to unlock her phone using biometrics, allowing her phone to securely create and store a new Passkey for Gmail.com.
The private key is linked to her user profile and is synchronized across all of her devices. In this case, Nancy is using an iPhone, which may be linked via iCloud. Other providers may use alternative mechanisms, such as Microsoft Authenticator or Google Password Manager.
While Nancy is using the Passkey, it is the same as unlocking the device or logging in to online banking — the digital representation of her fingerprint or face NEVER LEAVES the mobile phone, is encrypted on the phone, and cannot be accessed by Gmail or by whoever made the device, such as Apple or Android.
How Does the Login Procedure Work Now That Nancy Has a Passkey?
The graphic below depicts how Nancy will use her passkey to connect to her Gmail account.
Nancy navigates to the login website for a specific service, in this example Gmail.
Because Nancy has already created a passkey (see above), a challenge is received from the Gmail service.
Nancy's phone receives the challenge and displays the available passkeys for that provider; for example, if Nancy has several Gmail accounts, two passkeys will show.
Nancy chooses the Passkey for her Gmail account and unlocks her phone using biometrics, allowing her phone to use the private key.
The Google challenge is then signed with Nancy's private key.
The signed challenge is then transmitted to Google, which confirms that it is Nancy logging in.
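The two ceremonies described above (creating the passkey, then answering a login challenge) as a runnable simulation in Go. This is an added example, not code from the original article or from Google or Apple: `Authenticator` stands in for Nancy's phone and `RelyingParty` for Gmail; the origin strings, the sequential credential IDs and the hash-of-origin-plus-challenge message format are simplifying assumptions (real passkeys use WebAuthn's clientDataJSON and authenticator data, and a random credential ID).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// credential is what the phone keeps; nothing in it ever leaves the Authenticator.
type credential struct {
	origin string // the site this passkey was created for
	priv   *ecdsa.PrivateKey
}

// Authenticator models Nancy's phone (or its platform password manager).
type Authenticator struct{ creds map[string]*credential } // credential ID -> credential

// RelyingParty models the service (Gmail in the article); it stores public keys only.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey // credential ID -> public key
	pending map[string][]byte           // credential ID -> unanswered challenge
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*credential{}} }
func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// CreatePasskey is registration on the phone: a fresh P-256 key pair bound to the origin; only the public half is returned.
func (a *Authenticator) CreatePasskey(origin string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := fmt.Sprintf("cred-%d", len(a.creds)+1) // assumption: real passkeys use a random credential ID
	a.creds[id] = &credential{origin: origin, priv: priv}
	return id, &priv.PublicKey, nil
}

// StorePasskey is the service's side of registration.
func (rp *RelyingParty) StorePasskey(id string, pub *ecdsa.PublicKey) { rp.pubKeys[id] = pub }

// NewChallenge starts a login: a fresh random value the phone must sign.
func (rp *RelyingParty) NewChallenge(id string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[id] = ch
	return ch, nil
}

// signedMessage ties the challenge to the origin (a simplification of WebAuthn's clientDataJSON).
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// SignChallenge runs after Nancy unlocks the phone: the stored private key
// signs the challenge, but only for the origin the passkey was created for.
func (a *Authenticator) SignChallenge(id, origin string, challenge []byte) ([]byte, error) {
	c, ok := a.creds[id]
	if !ok || c.origin != origin {
		return nil, fmt.Errorf("no passkey %q for %s on this device", id, origin)
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, signedMessage(origin, challenge))
}

// VerifyLogin checks the signed challenge against the stored public key and
// consumes the challenge so the same response cannot be replayed.
func (rp *RelyingParty) VerifyLogin(id string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[id]
	want, pendingOK := rp.pending[id]
	if !ok || !pendingOK || !bytes.Equal(want, challenge) {
		return false
	}
	delete(rp.pending, id)
	return ecdsa.VerifyASN1(pub, signedMessage(rp.Origin, challenge), sig)
}

func main() {
	phone, gmail := NewAuthenticator(), NewRelyingParty("https://gmail.com") // assumed origin string
	id, pub, err := phone.CreatePasskey(gmail.Origin)
	if err != nil {
		panic(err)
	}
	gmail.StorePasskey(id, pub)
	ch, err := gmail.NewChallenge(id)
	if err != nil {
		panic(err)
	}
	sig, err := phone.SignChallenge(id, gmail.Origin, ch)
	if err != nil {
		panic(err)
	}
	fmt.Println("login verified:", gmail.VerifyLogin(id, ch, sig))
	_, err = phone.SignChallenge(id, "https://gmai1-login.example", ch) // constructed look-alike origin
	fmt.Println("look-alike refused:", err)
}
```

The last two lines of `main` are where the phishing resistance shows up in practice: the phone only signs for the origin the passkey was created for, and the service only accepts a signature over its own origin, so a challenge relayed through a look-alike site either gets no signature at all or one that fails `VerifyLogin`. `VerifyLogin` also deletes the challenge after one use, so a captured response cannot be replayed later.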
No More Passwords
Google will now prompt you for the Passkey wherever feasible when you log in. Nancy can still use her Google password if a Passkey is not available.
This is part of a planned transition to Passkeys. As more services adopt Passkeys, we expect to see a future without passwords and greater resilience to phishing.