Passwords as a security feature date at least to the time of Julius Caesar. As you will know from thriller novels, they are only secure if they are kept secret. Once copied, stolen or otherwise leaked, they become a liability. Tech firms have been refining the password over the decades attempting to make the technology more secure, with very little success. Many folks dream up a solid password, but then make the mistake of using it in multiple locations. This means that if the bad guys breach one location, usually the first thing they do is take the stolen passwords, and try them on other websites, banks, and access points. Using the same password across the internet is just asking for trouble.
An attempt to secure things is a technology called two-factor authentication, which has been around for over a decade. Two factor authentication, (2FA) is based on one thing you know (usually a password) and one thing you have (a hardware token or a one-time code that expires in a minute). As an interim step to passkeys, it’s effective in that even if the first part (i.e. the password) is stolen, the bad guys can’t get into your account without the second part. Its drawback is that it can take twice as long to enter as just using a password.
Enter the passkey. Newer technology, it’s designed to cure the problems inherent in passwords. In theory, a passkey is something that is unique, can’t be guessed, is not easily stolen or leaked, and doesn’t require large amounts of user effort to be useful.
A passkey is nothing more than a unique identifier. If you’ve used your fingerprint to unlock your computer, phone or tablet, or if your device supports facial recognition, that is a passkey. As your fingerprint and your face are unique to you, the technology to steal it and use it would have to be very advanced indeed. Other passkeys currently used are voiceprints and retinal scans. While the technology to make this a reality has been around for more than twenty years, only within the past year has it been touted as a replacement for passwords.
If you’re paranoid, Hollywood has your number. They would like you to believe that a severed finger or an accurate rendition of your face in three dimensions can serve as a passkey. As usual, artistic license is a big factor, and this is not actually possible. Fingerprint recognition requires a temperature close to normal body levels, and facial recognition counts on some small movement to be accurate.
A passkey can also be a physical device. Several companies have sold these for some years now. They contain a chip that encrypts a unique identifier, and usually have a fingerprint sensor on the device to unlock the encrypted information. Insert the passkey into a USB port, unlock with your fingerprint, and you have authorized access.
While passwords may take some time to join rotary-dial telephones in the Smithsonian as a curiosity, passkeys are a positive development in cyber security. Make sure the next device you get can use them.