Passwords have been the cornerstone of all authentication methods since the 60’s. And as the internet grew we have tried to patch up it’s security flaws with password policies, multi factor authentication, password managers, and hardware devices. 

Users simply have to many passwords, and it is hard to keep up with them. 

What if there was a better way, a way that let you sign in without passwords, with much higher security and much better user experience?
Passkeys is the solution that holds this promise and in this article we will go through  how passkeys work, why passkeys are more secure, whether passkeys can be hacked, and how to implement passkeys .

‍

What is a Passkey and How Does it Work?

Passkeys is developed by the FIDO alliance,  and is an authentication method designed to eliminate the need for passwords, providing a seamless login experience without compromising security. Rather than relying on a string of characters (like a password), passkeys use asymmetric cryptography, aka public-key cryptography  to authenticate users.

Here’s how it works:

• Signing up: To use passkeys a user first have to sign up. The signup process starts  with the service sending a challenge to the users client. The user then approves this challenge by using biometric authentication, such as touchID, faceID. Or a hardware device.
  The authenticator generates a pair of cryptographic keys (a public key and a private key) on their device. The private key is securely stored on the user's device, while the public key is shared with the service provider.
• Logging in: When the user wants to log in. the service sends a challenge, which the device signs with the private key. The service then verifies the signature using the public key. This process is  opaque to the user and occurs in their background once they have authenticated themselves with biometric authentication or another form of device authentication.

In simpler terms, a passkey eliminates the need to remember passwords and instead relies on cryptographic keys, ensuring secure and user-friendly authentication.

Passkeys can be synced across between your mobile device and laptop by using a password manager like apple keychain, google password manager or 1password. And you can also have them on one single device which is the most secure option. When you have them on a single device you will use the same authentication method you used to sign up with.

‍

Why Are Passkeys More Secure?

Passkeys are more secure than traditional passwords because they rely on something you have instead of something you know. 

1. No Password Reuse: Users often reuse passwords across multiple sites, which creates security vulnerabilities if one site is compromised. Passkeys eliminate this risk since each key pair is unique to the service.
2. Protection Against Phishing: Since passkeys do not require the user to manually enter any information, phishing attacks that rely on tricking users into revealing their passwords are effectively useless.
3. Cryptographic Strength: Passkeys leverage asymmetric encryption, which is far more difficult to crack than most user-generated passwords.
4. Device-Specific Authentication: Since private keys are stored locally on devices, they cannot be intercepted during login attempts, further reducing the risk of attacks.
5. Data breaches: Since no passwords are stored on the service there is no risk of data breaches.

Thus, passkeys offer a significant improvement in security compared to passwords, which can be guessed, leaked, or hacked.

Can Passkeys Be Hacked?

Passkeys are a novel technology and no system is bulletproof, However, it is much more resilient to hacking than traditional passwords.

Here's why:

• Local Storage: The private key used in passkey authentication is stored only on the user’s device and is never shared with the service provider. This makes it nearly impossible for attackers to intercept or steal the key by breaching into the service. 
• Biometric or Device-Based Authentication: Most passkeys are implemented using device-specific authentication methods, like biometrics (e.g., fingerprint or face recognition) or PIN codes. This adds an additional layer of protection even if someone gains access to the device.
• Phishing Resistance: As previously mentioned, passkeys cannot be phished. Attackers can't deceive users into giving away their passkeys since no manual input is required during the login process.
• Replays: Passwords can be intercepted when transmitted and reused later. Even if they are encrypted in the form of a hash. Passkeys cannot be intercepted and replayed as the information sent is the challenge which can only be decrypted with the private key. 

An attacker would need to go through many layers of security to steal a single password. They would need to compromise or steal a device and then bypass the device level security like biometrics, multi-factor authentication or encryption.
Attacking at scale and compromising thousands of passwords is extremely difficult. However a theoretical possibility exists if password managers are used to sync passkeys across devices

‍

How Does a Passkey Work in Comparison to the Password Authentication Protocol?

The password authentication protocol typically involves the user sending a username and password to the server, which then checks it against a stored hash. If the password is correct, the user is authenticated. However, this authentication process is vulnerable to various attacks, such as:

• Brute force attacks, where attackers attempt to guess the password.
• Credential stuffing, where attackers use stolen credentials from other sites to gain access.
• Phishing, where attackers trick users into revealing their passwords.

Throughout the years, passwords have been patched by making users create more complicated passwords and add multi factor authentication to the process. Although reducing the user experience the improvements have increased the security, however, when a hacker steals a password, the damage is done at scale. They either breach a whole database or if they get access to one of your single passwords the chances are that you reuse it throughout many of your other applications. 

In contrast, by using public-key cryptography in passkeys. The server never stores sensitive user credentials (like passwords); instead, it stores the user’s public key, which can only be verified with the corresponding private key stored on the user’s device. The public key does not need to be secure. The private key is however stored securely on your device and works only for one specific service, and can only be used when combined with biometric or device based authentication.

‍‍

How to Implement Passkeys on a Website

At this point we hope you feel that passkeys is the future and that you wish to implement it for your service.
Implementing passkeys on a website requires integrating WebAuthn, and we have a guide for you in this article where you learn how to implement passkeys in NextJs with real code examples.

You might know this but Passkey as a concept has been around for a while. The new thing is that with FIDO 2  it now supports browsers and not just hardware which makes it much more accessible.   Better 

security, better user experience and no more of passwords. Sounds like a fantastic future,  so go ahead and support passkeys in your application right away.

If you wish to explore more about authentication have a look at our article about different authentication methods and how to master signup systems

‍