Passkeys: the end of passwords?

More security and fewer constraints? This is the challenge that the Passkeys aspire to take up. Stored in your smartphone, these virtual keys allow you to access sites without having to remember your password. But this standard technology is just beginning to be rolled out.

Paranoid or not? If you are in the first category, you are sensitive to the protection of your personal data and you more or less respect the basic rules of computer security. Namely, a unique password per account and passwords that are difficult to remember, for example Aj+577kRt!Z.

If you are a little less, you consider the risk limited. As a result, you often reuse the same passwords to access your favorite e-commerce site, online banking account, and video streaming account.

No matter what category you fall into, everyone agrees that passwords are a pain. Even if there are effective methods and solutions (and not complicated such as software called “password managers”), passwords complicate the life of the Internet user.

But above all, passwords do not offer a high level of security (unless you use the famous “managers”) and you are also vigilant. Because scammers are increasingly good at recovering our usernames and passwords thanks to increasingly perfect phishing emails.

A secure key in your smartphone

But all of that will soon be a thing of the past if the heavyweights of American tech are to be believed. Passkey is a joint initiative of Apple, Google and Microsoft – in conjunction with the FIDO Alliance – aimed at improving authentication. These “passkeys” should be more secure than passwords, as criminals must have access to the device and the fingerprint, face ID or PIN to unlock it.

Or, they must be near a person’s device to use Bluetooth. If someone loses a device, the thief will not be able to access the information without biometric authentication.

Each access key is also unique and created using a strong encryption algorithm. The consumer or business user (Microsoft having announced compatibility with Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure) need not worry about weak passwords that can be guessed.

How does Passkey work? Unlike standard two-factor authentication (code received by SMS, fingerprint, etc.), Passkey uses Bluetooth connection instead of Wi-Fi. This wireless connection was preferred because it requires physical proximity, which allows to verify that it is indeed the user who is trying to connect.

Once you have signed up and linked to your various accounts, you will receive a push notification on your smartphone via Bluetooth. By unlocking your phone, by PIN code or biometric authentication (including Windows Hello), your device under MacOS or Windows 10 and 11 will create and send a unique public key to the web service associated with your account. If there is a match, you will be logged into your account.

Source: FIDO Alliance

Passkey is a universal technology, so it should work regardless of OS platform, browser, or device, making it accessible to more users. Passkeys can also be backed up by a major platform, like Apple or Google, which will make it easier to transfer your credentials to a new device and make it easier to sync Passkeys to your phone, tablet, and laptop.

It is important to note that your biometric data never leaves your smartphone, so you do not have to worry that third-party services may have access to your personal data.

The synchronization of access keys facilitates the use of Passkeys, but above all their recovery in the event of the loss of a single device. On Apple devices, they can be retrieved by iCloud Keychain. Optionally, a user can set up an account recovery contact to ensure they still have access to their account, even if they forget their Apple ID password or device passcode.

On paper, the Passkeys look very promising. But for now, few sites and applications have integrated them.

Leave a Comment