Passkeys Are Here to Replace Passwords

September 26, 2023 / meritsolutions

We all have a lot of passwords. Ideally, each one is strong and unique, but that isn’t always the case. Many of us reuse the same, weak passwords, which leaves our digital data vulnerable to hacking. Even if our passwords are cryptographically perfect, phishing tricks too many of us into giving up our precious details. There must be a better way.

That’s where passwordless authentication comes in: This new way of thinking suggests passwords are an old-school, outdated way of confirming our identities. Rather than rely on hundreds of hard-to-remember passwords, all of which are susceptible to leaks or hacks, some argue an encrypted authentication option, unique for each user and account, is the way forward. If each account is only accessible from the trusted device of the person who owns it, that account and its contents are much better protected than with a simple password.

“Passkeys” offer users a way out of passwords

The idea is this: Instead of a traditional password, you sign in with a passkey. Passkeys are “cryptographic key pairs,” created using FIDO Alliance and W3C standards. Unlike passwords, these key pairs cannot be guessed, whether by a human or a computer. That alone will put typical hacking methods, like brute forcing, out of commission. These keys cannot be reused, nor can they be weak: Each passkey will be as strong as the last.

Passkeys also only work on the website or account they were created for: That means phishers cannot trick you into sharing your passkey on a fake website made to look like the real deal. Unless you’re actually signing into the website the passkey is tied to, it simply won’t work. Best of all, passkeys are end-to-end encrypted: Even though they are stored in the cloud, they can only be read by the device you have access to. Without your Face ID or Touch ID authentication, even companies like Apple, Google, or Microsoft cannot interpret your passkeys.
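To make the site binding concrete, here is an added example (not code from this article or from any vendor) that models a passkey sign-in in Node.js. It is simplified: the domains are constructed, and real WebAuthn data also carries flags, a signature counter and CBOR-encoded keys.

```javascript
// Added example: simplified model of a passkey sign-in (WebAuthn assertion).
// Assumptions: constructed domains; no CBOR, flags or signature counter.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest();

// Registration: the device creates a key pair for one site (its "rpId").
// The private key stays on the device; the site stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { rpId, publicKey, privateKey };
}

// Sign-in, device side: the browser (not the page) records the origin it is
// really showing and only uses a passkey whose rpId matches that origin.
function authenticate(passkey, origin, challenge) {
  const host = new URL(origin).hostname;
  if (host !== passkey.rpId && !host.endsWith("." + passkey.rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const authenticatorData = sha256(passkey.rpId); // real data appends flags + counter
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign("sha256", signed, passkey.privateKey) };
}

// Sign-in, server side: check challenge, origin and rpId hash, then the signature.
function verifyAssertion(assertion, expected, publicKey) {
  if (!assertion) return false;
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== "webauthn.get") return false;
  if (client.challenge !== expected.challenge.toString("base64url")) return false;
  if (client.origin !== expected.origin) return false;
  if (!assertion.authenticatorData.equals(sha256(expected.rpId))) return false;
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return verify("sha256", signed, publicKey, assertion.signature);
}

// Constructed demo: the real site versus a lookalike domain.
const passkey = createPasskey("example.com");
const challenge = randomBytes(32); // fresh per sign-in, so old responses cannot be replayed
const expected = { origin: "https://example.com", rpId: "example.com", challenge };
const real = authenticate(passkey, "https://example.com", challenge);
const phish = authenticate(passkey, "https://example.com.signin.test", challenge);
console.log("real site accepted:", verifyAssertion(real, expected, passkey.publicKey));
console.log("lookalike site accepted:", verifyAssertion(phish, expected, passkey.publicKey));
```

The server never receives a secret it could leak: it holds only the public key, and each response is tied to one challenge and one origin.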

When signing into an account on an Apple device, for example, accessing your passkey is as easy as a Face ID or Touch ID scan. However, you can also sign into your accounts on a non-Apple device, so long as your iPhone is nearby. You can use a QR code to authenticate yourself, so your passkeys are always available on any device you use.

Passwordless authentication is the way of the future

It isn’t just Apple, of course. Most of the big tech companies are in on passkeys, and have either fully rolled them out or are taking their time introducing them. When passkeys are available, you should use them. Authentication protocols like these are much more secure than traditional passwords, and will put a sizable roadblock in front of would-be hackers.
