The world is about to undergo a major shift in logging into e-mail and other accounts, using a new technology known as passkeys.
Google, Microsoft and Apple are the major operating system manufacturers adopting this, with Gmail the first to do so.
Passwords have many weaknesses, among them susceptibility to data breaches and phishing. Despite there being a range of upgrades for logging in — using password managers and authenticator apps — passwords are reused across many websites.
Once someone has your password they have access to your account — if you haven’t set up two-factor authentication, requiring either a six-digit code from an authenticator app or a much less secure SMS. This is why phishing is so effective. Many people don’t have this second login verification, and their e-mails, bank accounts, Facebook pages and other social accounts are gone.
A passkey is linked to the trusted device you always use: your smartphone or laptop. It can be used only once. The device is effectively the new password. When you log into Gmail, for instance, the e-mail service validates who you are. The smartphone or laptop requires a PIN or biometric login first to establish your identity, then unlocks your phone or computer.
It is similar to the way Apple Pay or Samsung Pay works. Instead of entering your credit card’s PIN into the point-of-sale terminal in a store, you’ve already inputted it. It’s security in reverse to a previous habit. But it is more secure.
Passkeys are an initiative of the Fast Identity Online (FIDO) Alliance, an industry body that developed and maintains this “global authentication standard based on public key cryptography”.
Google’s announcement last month that it is shifting its 1.8-billion users to passkeys is the beginning of this new tech upgrade.
“It’s very, very significant,” says Andrew Shikiar, executive director of the Fido Alliance. “It’s an inflection (sic) point. [With] a company like Google enabling this and so many people seeing passkey sign-ins, [users] will be more likely to [apply] them elsewhere.”
It will also help “accelerate other companies’ deployment plans and help them deploy better, because we will learn from this as a body”.
Why don’t you know about it yet? Because of geeks.
This is how the Fido Alliance describes it: “Organisations can deploy Fido sign-ins with passkeys across a variety of use cases. Passkeys enable users to access their Fido sign-in credentials on many of their devices, even new ones, without having to re-enrol every device on every account. Alternatively, device-bound passkeys that are bound to a Fido security key or platform are an option for organisations that do not require syncing.”
Makes sense, if your first language is jargon. Geeks are brilliant at technology, not at communication.
Most importantly, this login upgrade will be a game-changer for security.
“There are no password attacks when there’s no password present,” Alex Weinert, Microsoft’s director of identity security, said earlier this year. “I’m hugely hopeful about the ability for this to get us to a new era in terms of end-user security.”
The users are excited, especially this writer. One of the reasons passkeys are likely to succeed is that they are simple to set up and use. Cybersecurity has always involved tension between ease of use and security. More secure options are always more difficult, which is why people repeatedly use the same, often easy-to-guess, password. If that password is compromised in a data breach, or through phishing, any other accounts using that password can be just as easily hacked.
“We have an opportunity here to change the way users think about signing in,” says Christiaan Brand, the co-chair of the Fido2 technical working group, who is an identity and security product manager at Google. “If we can change the way that signing-in works for your Google account, we hope that consumers will start to get more accustomed to the technology. It will also signal to industry that we’re not just talking about this stuff — it is ready for prime-time adoption.”
If you set up your smartphone with a passkey, you can use that authenticated device to give access to another device, say your computer, by scanning a QR code. This is how WhatsApp authenticates a laptop so you can use the desktop app for the messaging service.
Passkeys will ultimately become the ubiquitous way to log in to cloud-based services, and to a new generation of the internet. The sooner we all adopt them, the better.
- This column first appeared on Financial Mail.