Understanding Why PassKeys will Replace Passwords


First, allow me to start off with that I am absolutely loving using Passkeys to log in to Cloudflare, Stripe, and other important services that I use to run CoderOasis. This should have been a thing a few years ago – maybe all the way back in 2016 or so.

Highly sophisticated attacks against critical systems, software, and infrastructure grow more common every year, and they seem to be outpacing our ability to stop them. Multi-factor authentication (MFA) has emerged as a critical – if not absolutely required – defense against unauthorized access to systems and applications. Enterprises like Amazon, Salesforce, GitHub, and others are making MFA mandatory for their users and employees.

With that being said, everyone is used to passwords for authentication, and most users like the status quo. Many people see multi-factor authentication as annoying, or as too many extra steps to log in to their systems, and it almost always hurts the user experience.

A new technology that builds on MFA and delivers a major security enhancement is now being deployed more widely every day: PassKeys. They are based on widely accepted industry standards and promise to eliminate passwords without the user-experience problems of MFA. For a cybersecurity professional it is a dream come true to reach the point of no longer dealing with password authentication – or at least dealing with it far less, as far as we push this new standard.

In other words, with PassKeys you can have strong security and an outstanding user experience! That combination has, until now, seemed nearly impossible to achieve.

How PassKeys will Eliminate Passwords

The origins of PassKeys can be traced back to the development of Web Authentication (WebAuthn). This is a web standard created by the World Wide Web Consortium (W3C) and the FIDO Alliance. WebAuthn is a core component of the FIDO2 project, which was launched to create a more secure and convenient open authentication standard. The standards they came up with laid the groundwork for PassKeys: they defined a framework that uses public key cryptography as the basis for authentication.

It saddens me that it took so long to get all the major industry players to agree on the precise details of PassKeys. Apple, Google, Microsoft, and many other large technology companies either support PassKeys already or have plans to do so within the next year. As of right now, the major browsers support PassKeys, and a growing number of enterprise and consumer applications do as well.

PassKeys use public key cryptography. A traditional password relies on a secret string of characters known to both the user and the server. In contrast, passkeys use a pair of cryptographic keys: a private key and a public key. The private key is securely stored on the user's device or in their browser and is never shared. The public key is stored on the server of the service or system – for example, in the authentication module of a software-as-a-service (SaaS) application that someone is using.

When a user logs in to an application that uses PassKeys, the server first sends a challenge to the device or browser. The device or browser signs the challenge with its private key and sends the signature back to the server, which then verifies that signature against the stored public key. A passkey can require a biometric check, or it can simply work from the device or browser without requiring any user action at all. When PassKeys are implemented well in an application, both passwords and MFA can be eliminated, and logins become completely painless for the user.

Advantages of PassKeys

The main advantage is that no one has to remember, manage, and rotate passwords anymore! That is a massive benefit all by itself – and the core feature of the PassKey standard that people love. Besides that, PassKeys have other important benefits worth noting:

  • PassKeys are much harder to steal. Because the private key never leaves the device, stealing the credential is significantly more difficult for an attacker than stealing a traditional password.
  • PassKeys rotate automatically. Each login is a signature over a fresh challenge, so a passkey produces a different response on every attempt. That prevents replay attacks and simplifies zero-trust security by making re-authentication and continuous authentication seamless and invisible.
  • Passkeys prevent phishing and enterprise email compromise. Dynamically generated passkey responses defeat phishing and enterprise email compromise (EEC) attacks, which rely on static usernames and passwords that can be tried again and again.
  • PassKeys eliminate password breaches. Because no passwords are stored on the authentication server or in a database, the risk of a mass password breach is virtually eliminated. That greatly reduces password-related cybercrime broadly and also reduces the operational load on already stretched Cybersecurity Teams.
  • PassKeys integrate easily with existing strong security mechanisms. Security-first organizations long ago embraced stringent practices like dynamic authentication codes generated by authenticator apps or hardware tokens. PassKeys integrate well with these systems and can be used alongside authenticator apps and hardware keys, which can even host passkeys themselves.
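As an added example (not code from the CoderOasis post, nor from any WebAuthn library), here is a small Go model of the challenge-and-signature exchange described in the previous section, extended to show the two points from the list above: a replayed response is rejected because each challenge is single-use, and a response signed for a look-alike site fails at the real server because the site identity is part of the signed bytes. It assumes Ed25519 as the signature algorithm and collapses WebAuthn's authenticatorData and clientDataJSON into one simplified `signedData` of SHA-256(RP ID) followed by the challenge; the RP ID `login.example.com`, the credential id `cred-01` and the `.invalid` look-alike origin are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Distinct errors so a server log can tell a replayed challenge from a bad signature.
var (
	ErrUnknownCredential = errors.New("unknown credential id")
	ErrUnknownChallenge  = errors.New("challenge not outstanding: expired or already used")
	ErrBadSignature      = errors.New("signature does not verify for this relying party")
)

// RelyingParty is the server side. ID is the RP ID (the site's domain). Per credential it
// stores a public key only, so a dump of this store yields nothing usable to log in.
type RelyingParty struct {
	ID      string
	creds   map[string]ed25519.PublicKey
	pending map[string]bool // outstanding challenges (hex); each is valid for one use
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register stores the public key the device produced at enrolment.
func (rp *RelyingParty) Register(credID string, pub ed25519.PublicKey) { rp.creds[credID] = pub }

// NewChallenge issues 32 fresh random bytes and remembers them until they are used.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // crypto/rand failing is not recoverable
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c
}

// signedData is a simplification of what WebAuthn signs (authenticatorData, which carries
// SHA-256(RP ID), followed by SHA-256(clientDataJSON), which carries challenge and origin).
// Mixing the site identity into the signed bytes is what scopes an assertion to one site.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assertion is the device's reply: which credential, which challenge, and a signature.
type Assertion struct {
	CredID    string
	Challenge []byte
	Signature []byte
}

// Verify checks an assertion against the server's OWN RP ID. The challenge is consumed
// on first sight, whether or not the signature turns out to be valid.
func (rp *RelyingParty) Verify(a Assertion) error {
	pub, ok := rp.creds[a.CredID]
	if !ok {
		return ErrUnknownCredential
	}
	key := hex.EncodeToString(a.Challenge)
	if !rp.pending[key] {
		return ErrUnknownChallenge
	}
	delete(rp.pending, key)
	if !ed25519.Verify(pub, signedData(rp.ID, a.Challenge), a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Authenticator is the user's device. The private key is generated here and never leaves.
type Authenticator struct {
	credID string
	priv   ed25519.PrivateKey
}

func NewAuthenticator(credID string) (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{credID: credID, priv: priv}, pub
}

// Sign answers a challenge for the origin the browser reports; only the signature is sent.
func (a *Authenticator) Sign(origin string, challenge []byte) Assertion {
	return Assertion{CredID: a.credID, Challenge: challenge, Signature: ed25519.Sign(a.priv, signedData(origin, challenge))}
}

// Scenario runs an honest login, replays the same assertion, then verifies an assertion
// produced for a look-alike origin. All identifiers here are constructed placeholders.
func Scenario() (honest, replay, lookalike error) {
	rp := NewRelyingParty("login.example.com")
	dev, pub := NewAuthenticator("cred-01")
	rp.Register("cred-01", pub)
	a1 := dev.Sign("login.example.com", rp.NewChallenge())
	honest = rp.Verify(a1)
	replay = rp.Verify(a1) // identical bytes a second time: the challenge is already spent
	a2 := dev.Sign("login.example.com.lookalike.invalid", rp.NewChallenge())
	lookalike = rp.Verify(a2) // signed for the wrong site, so it fails at the real one
	return honest, replay, lookalike
}

func main() {
	h, r, l := Scenario()
	fmt.Println("honest login:", h, "| replayed assertion:", r, "| look-alike origin:", l)
}
```

Running it prints `<nil>` for the honest login and the two specific errors for the other cases. The server never holds anything but public keys, which is the breach-resistance point in the list above; real deployments additionally bind the challenge to a session and check the authenticator's signature counter, which this model omits.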

PassKeys Face Multiple Challenges

Despite their numerous advantages, PassKeys will still face a number of challenges for a while to come. A major one is getting people to move from passwords to PassKeys. One reason people stick with passwords is that they can memorize and reuse them – as if that were a feature of password authentication rather than a bug. In my experience, Cybersecurity Teams are asked to turn off PassKeys and revert to standard MFA after pushback from employees in an enterprise. People tend to stick with what they are used to – even though PassKeys benefit both the users and the cybersecurity teams more. It is supposed to be a win-win for everyone.

Yet enterprises have the power to enforce good, security-minded behaviors. For consumers, wide adoption of PassKeys could take a while to achieve. Getting PassKeys up and running on Android phones, on the iPhone, or in the browser people use will remain somewhat complicated. Adding to the complication is the potential for confusion when password-manager users store some passkeys in their password manager and others in on-device keychains.

Users also seem wary of the complications of resetting a PassKey should they ever lose control of their device. Still other users dislike biometrics, which can add an extra layer of security to PassKeys and also provide a way to authenticate users for passkey resets.

They Truly are the Future

While all of these challenges are real and valid, we are seeing strong demand for PassKeys as organizations look to provide a better user experience without compromising the security of their systems. When PassKeys work right in their applications and systems, users stop thinking of logging in as a barrier, and one of the biggest time sinks for IT teams disappears. That frees short-staffed teams to focus on more complicated issues within the company or enterprise. Users too save time and hassle on password resets and on the confusing and painful management and rotation of passwords – which remain essential companions to MFA.

Here is the bottom line. As organizations navigate the balance between robust security and a positive user experience, passkeys are emerging as a powerful solution. By embracing passkeys, organizations can strengthen their security posture while improving the login experience for their users.
