In the ever-evolving landscape of online security, a new player has emerged: the passkey. Designed to combat phishing and eradicate password reuse, the concept of passkeys may be puzzling to even the savviest of security-conscious individuals. Let’s delve into what a passkey entails and how it can revolutionize the way we protect our online identities.
First, a passkey is not a security key, the physical device often used for two-factor authentication. Nor is it a string of characters like a password, passcode, passphrase, or PIN that you type in by hand.
A passkey is essentially a chunk of random data, ranging from 100 to 1400 bytes, generated on your device (be it a phone, laptop, or security key) for the sole purpose of logging in to one specific website. Once created, your browser syncs it with the website and stores it securely, usually in your password manager. From then on, accessing the website becomes a breeze: simply select the “Sign in with a passkey” option, confirm through your password manager, and you’re in. Seamless passkey authentication does, however, require support from the website, the browser, the password manager, and often the operating system.
You can have multiple passkeys, each tailored to a specific account on a particular website. This means distinct passkeys for separate accounts on the same platform, such as personal and business profiles on social media.
While you can maintain both a password and a passkey for an account, using the latter is typically more expedient. Your password manager simplifies the process to a single click, as opposed to the multiple steps needed for a password login. Additionally, opting for a passkey often bypasses the need for traditional two-factor authentication methods like SMS or authenticator apps.
But why is it secure to skip these conventional authentication steps with passkeys? Because a passkey inherently incorporates a second factor. Whenever you use one, your browser or operating system may prompt you to re-enter your device unlock PIN; if you use fingerprint or face unlock, that is the required confirmation instead, so the login still checks both something you have (the device holding the passkey) and something you know or are.
Storage and Backup: Ensuring Accessibility
A passkey confined to a single device isn’t particularly useful. Consider scenarios where you need to log in from a different device or, unfortunately, where your device meets an untimely demise (perhaps in a watery mishap). Here are three distinct solutions, each offering a different approach to passkey storage:
- Password Manager Storage (Option 1): Passkeys are stored in your password manager, encrypted, backed up to the cloud, and copied onto all your devices.
- Security Key Storage (Option A): Passkeys are generated and stored in a physical security key, typically connected via USB. To log in on a different device, you plug the security key into it when prompted. Passkeys created this way cannot be copied out of the key, and only recently manufactured security keys support them.
- Device-Embedded Chip Storage (Option B): Passkeys are created and stored in a high-security chip built into your computer or phone (e.g., a TPM or Secure Enclave). As with Option A, these passkeys cannot be copied.
Options A and B are slightly less convenient, but they provide stronger protection against device theft. They don’t, however, solve the “device in toilet” scenario: if you choose one of them, it’s advisable to register multiple passkeys stored on different devices as a backup. Otherwise you may find yourself relying on email-based account recovery.
For those choosing Option 1, trust in your password manager is crucial. Note also that most password managers don’t permit exporting passkeys for offline backup.