What is Passkey authentication | One Identity (2024)

Passkeys are a secure and robust alternative to passwords. They arespecifically designed to protect against phishing attacks, simplify the loginprocess, and eliminate the need to remember and manage multiple passwords.

Standardized by the FIDOAlliance, passkey authentication leverages public key cryptography andbiometric authentication to verify a user. Unlike passwords that are stored onservers, passkeys are stored on user devices. This means that even in theevent of a server breach, passkeys will not be stolen.

When a user registers on a passkey-enabled website, a unique passkey isgenerated and stored on their device. From that point forward, every loginattempt to the website can be authenticated seamlessly using either abiometric sensor, such as facial recognition or a fingerprint scan, or byscanning a QR code.

Passkeys are cross-platform and cross-device, which means that you can usethe same passkey to log in to a website or app from any device. For example,if you createa passkey for a website on your Mac, you can use the same passkey to login on the website from your iPhone or iPad.

Passkeys and passwords are two fundamentally different methods ofauthentication. Let us explore their key differences:

1. The onus of creating and remembering

Passwords are created by the user, making the user responsible forremembering them. This can be difficult, especially if the user must remembermultiple passwords for different apps. Based on company policies, passwordsneed to be updated regularly. Conversely, passkeys never need to be updated.Passkeys are generated by the service provider and remembered by theuser’s device, shifting the burden away from the user.

2. Security

While passwords are inherently insecure, passkeys are secure andphishing-resistant by design. Users often choose weak passwords or reuse themacross different accounts (both corporate and personal), making themsusceptible to compromise. Additionally, passwords can be intercepted, guessedor stolen through data breaches.

Passkey authentication uses encryption and device-bound storage to enhancesecurity. Moreover, private keys are never shared with the application a useris logged into. By eliminating the need for users to remember passkeys, therisk of password reuse or misplacement is effectively eliminated.

3. User experience

Managing multiple passwords can be burdensome for users. Frequent passwordchanges and complex requirements can be frustrating, and this may cause usersto adopt unsafe practices, such as writing passwords down or storing them ininsecure locations.

Passkey authentication is a more seamless, user-friendly and sustainable wayto access applications. Users can log in to an application by scanning abiometric or entering a device PIN, regardless of the device they are using.

Passwordless authentication refers to any method that eliminates the need to use passwords for authentication. This can be done using different factors, such as biometrics, device PINs, physical security keys or passkeys.

Since passkey authentication replaces passwords with passkeys, passkey authentication is a type of passwordless authentication.

Now let’s explore the passkey authentication workflow:

1. The user visits the login page of the website from a browser and selectsthe “Login with passkey” option.
2. When prompted, the user selects the device which contains the passkey forthis website.
3. Once the user has selected the passkey, they are asked to verify theiridentity using a facial/fingerprint scan or a device pin.
4. The website uses the registered public key of the user to verify thepasskey.
5. If the verification succeeds, the user gets access to the website.

MFA refers to any authentication mechanism that uses two or more factors forverification. For example, a password and a one-time password (OTP); or apassword and a fingerprint scan.

Passkey authentication achieves MFA in a single step. While the user onlyneeds to perform a biometric scan or enter the device pin, the underlyingauthentication process combines two factors: the passkey itself and thebiometric/device pin. This streamlined approach enhances security withoutadding friction to thelogin experience.

Passkey authentication offers several advantages for businesses:

• Passkeys are much less susceptible to password-related attacks, like phishing, credential stuffing, brute-force attacks and dictionary attacks.
• Passkeys reduce the risk profile of an organization by limiting the impact of a potential data breach. Even if a credential database is compromised, the attacker would only have access to public keys, which are not enough to gain unauthorized access.
• Passkey authentication makes the login process secure and convenient by verifying two authentication factors in a single step.
• Passkeys are designed to be cross-platform and cross-device. This interoperability ensures a consistent and user-friendly login experience.

Passkey authentication has potential drawbacks and challenges that you should also consider.

• While passkey authentication is gaining traction, it is not as prevalent as other authentication methods. This means that users may not be able to use passkeys to sign in to all websites and applications. If the user’s device is lost, stolen or compromised, it could grant unauthorized access to the passkey and the associated accounts.
• Passkey recovery is the weakest link as it usually relies on SMS OTP.
• Public key infrastructure (PKI) relies on large prime numbers that can be easily cracked with quantum computing.
• Some users may be hesitant to adopt passkey authentication because they are unfamiliar with the concept. Education and awareness are essential to promote user acceptance and drive adoption.