
The Password-Less Internet

It’s not too often that Apple, Microsoft, and Google cooperate to create something together. But that’s now happening with passwords. Thanks to the folks at the FIDO Alliance, hundreds of the largest companies are working together on the password-less Internet.

The new alternative is known as passkeys. Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What’s different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks. – Ars Technica

No more MFA (multi-factor authentication) prompts, password manager apps, security questions, or CAPTCHAs. With passkeys, all you need is your device and the biometric or device PIN that unlocks it. That single step already combines two factors (something you have, the device, and something you are or know, the biometric or PIN), which is why no separate code prompt is needed.

Passkeys can reduce the risks of account compromises because they remove passwords, which can be leaked, exposed or stolen, from the authentication flow. Plus, passkeys are not reused across sites like passwords can be, so the risk of stolen credentials affecting other accounts is less. – TechCrunch

How Do Passkeys Work?

Rene Ritchie does a wonderful job explaining how passkeys work in the video below. He covers everything from how passkeys are created and stored to how they sync across devices and even how they can be used to securely sign into an account on a device you don’t own. Definitely worth the 10-minute watch.

In short, a passkey is a pair of keys generated for one account on one site: a public key and a private key. The public key is sent to the site when you register, and it is all the site ever stores. The private key stays on your device in its secure storage (with platform passkeys it is also synced end-to-end encrypted between your own devices through iCloud Keychain or Google Password Manager), and using it to sign a login challenge requires unlocking with biometrics (Face ID, Windows Hello, or other biometric readers offered by device makers) or the device PIN.

This essentially turns your device into the lock and key for an online account.

Even if an adversary were able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or—in the absence of biometric capabilities—the PIN that’s associated with the token.

What’s more, hardware tokens use FIDO’s Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in. – Ars Technica

In other words, when you use your phone to sign in on another device (the cross-device flow), the two must be within Bluetooth range of each other. So even an attacker who somehow got past the measures above (device-stored private key and biometrics) would still have to be physically near your device rather than relaying the login from across the Internet.

The benefits:

  • Security – Your password literally cannot be stolen because there isn’t one: the secret is a private key that never leaves your device and is never typed, so there’s nothing to shoulder-surf and no 2FA code to intercept. The login signature is also bound to the site’s domain, so a look-alike phishing site can’t reuse it.
  • Simplicity – Passkeys offer the same simplicity as a password manager or iCloud Keychain, which auto-generates your login for an account and stores it without you having to save or memorize a password manually. However, there’s no copy of your passwords floating around because there are no passwords at all. So it’s just as simple, with added security.
  • Shareability – Passkeys make it easy to share an account login with a trusted friend or family member without creating more security risks. On iOS, you’ll be able to AirDrop a login to a friend.

My Thoughts

Onboarding sites, services, and accounts will be tricky. There aren’t many sites that offer passkey functionality yet. However, given the number of companies that have joined the FIDO Alliance, I don’t think this will be a limiting factor for passkeys forever. Realistically, given how many accounts are tied to people’s Facebook profiles or Gmail accounts, these two companies are a major part of making passkeys ubiquitous.

I think that the ability to gift/share a login more securely is huge. Ryan and I share an account on several professional services (don’t tell on us). But as it stands today, we’re both just using LastPass to manage our shared accounts. Passkeys will make this more convenient and secure.

Lastly, I wonder if this will create more or less parity between Android, iOS, and Windows. Will this make it easier to pollinate between these ecosystems? Or will this ultimately further lock us into hardware providers?

Although they’re all implementing the same passkey standard, it doesn’t necessarily mean you’ll be able to move your private keys to a new device maker. In other words, there’s no guarantee that the process of moving your passkeys from an iPhone to a Samsung device will be seamless.