The most secure passkey authenticator could be a physical device — here’s why.
Passkeys are more secure than passwords for authenticating with online accounts.
Working with passkeys requires an authenticator and other technologies.
The roaming authenticator could be the most complicated — and secure — type of authenticator.
Let’s face it. When it comes to passwords, we are truly our own worst enemies. Too harsh? I don’t think so. We’re doing everything we can to make it easy for threat actors to inflict their worst — from the exfiltration and distribution of our sensitive information to the emptying of our bank accounts. Given how frequently end-users continue to inadvertently enable these hackers, we’ve practically joined the other side.
In fact, research now shows that, despite receiving some thorough and comprehensive cybersecurity training, a whopping 98% of us still end up getting tricked by phishers, smishers, quishers, and other threat actors who attempt to trick us into accidentally divulging our secret passwords.
Realizing that training and education are apparently futile, the tech industry decided on an alternative approach: eliminate passwords altogether. Instead of a login credential that requires us to input (aka «share») our secret into an app or a website (collectively known as a «relying party»), how about an industry-wide passwordless standard that still involves a secret, but one that never needs to be shared with anyone? Not even legitimate relying parties, let alone the threat actors? In fact, wouldn’t it be great if even we, the end-users, had no idea what that secret was?
In a nutshell, that’s the premise of a passkey. The three big ideas behind passkeys are:
They cannot be guessed (the way passwords can — and often are).
The same passkey cannot be reused across different websites and apps (the way passwords can).
You cannot be tricked into divulging your passkeys to malicious actors (the way passwords can).
Easy peasy, right? Well, not so fast. Whereas 99% of today’s user ID and password workflows are straightforward to understand, and you don’t need any additional purpose-built technology to complete the process, the same cannot be said for passkeys.
With passkeys, as with anything related to cybersecurity, you’ll have to trade some convenience for enhanced security. As I’ve previously explained in great detail, that trade-off is worth it.But included in that trade-off is some complexity that will take getting used to. Behind the scenes with passkeys
Each time you create a new passkey or use one to login to a relying party, you’ll be engaging with an assortment of technologies — your device’s hardware, the operating system it’s running, the operating system’s native web browser, the relying party, and the authenticator — designed to interoperate with one another to produce a final and hopefully friction-free user experience. Some of these technologies overlap in a way that blurs the boundaries between them.
The word «passkey» is actually a nickname for the FIDO Alliance’s FIDO2 credential specification, which itself is essentially a merger of two other open standards: the World Wide Web Consortium’s (W3) WebAuthn standard for Web (HTTP)-based passwordless authentication with a relying party and the FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).
