App Security · Programming

Why Passkeys are more secure than Password + 2FA

The new way of logging in

Nowadays, password managers and even browsers allow you to log into your accounts (like e-mail) by setting up a Passkey. You may have seen the Gmail prompt “Simplify your sign-in” after you first log in with your password and 2FA.

From the user’s perspective, this new login becomes as simple as a “Continue” click. No passwords, no SMS to verify, no other 2FA (two-factor authentication) method. Is this safe?

Also, if you try to log in on a different device, you can use that first device to log in, so you end up not needing any password unless you lose all your devices.

Overview of a Passkey

To simplify, passkeys work with asymmetric encryption: your device holds the private key and the server – let’s use Gmail – holds the public one. When your device attempts to authenticate to Gmail, the server sends a “challenge” – time-based data that is encrypted with the public key – and your device needs to decrypt that challenge and send it back to the server. If what your device decrypted and sent back matches the original, unencrypted data, you’re in.

The time-based detail is important because it is a component of 2FA, so passkeys borrow a security feature from TOTP (Time-based One-Time Passwords, essentially the 2FA authentication codes).
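The challenge-response flow described above, as an added example that is not code from the original post: the device keeps an ECDSA private key, the server stores only the public key and issues a random challenge with an expiry. Where the post describes the device decrypting the challenge, this example has the device sign it, which is how FIDO2/WebAuthn passkeys actually respond; binding the signature to the origin the browser shows is what makes a response relayed through a phishing page fail at the real server. The origins, key type and 30-second lifetime used here are illustrative choices, not values from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Challenge is the server's random nonce plus an expiry, so a captured one cannot be replayed later.
type Challenge struct {
	Nonce   []byte
	Expires time.Time
}

// Enroll creates the passkey pair on the device; the server is given only &priv.PublicKey.
func Enroll() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewChallenge is the server side: 32 random bytes valid for ttl from now.
func NewChallenge(now time.Time, ttl time.Duration) (Challenge, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return Challenge{nonce, now.Add(ttl)}, err
}

// digest binds the nonce to an origin, so a response only counts for the site it was made for.
func digest(nonce []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), origin...))
	return h[:]
}
// Respond is the device side: sign the challenge plus the origin the browser actually shows.
// A phishing page has a different origin, so a relayed signature will not verify at the real server.
func Respond(priv *ecdsa.PrivateKey, c Challenge, seenOrigin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(c.Nonce, seenOrigin))
}
// Verify is the server side: reject expired challenges, then check the signature with the stored public key.
func Verify(pub *ecdsa.PublicKey, origin string, c Challenge, sig []byte, now time.Time) error {
	if now.After(c.Expires) {
		return errors.New("challenge expired")
	}
	if !ecdsa.VerifyASN1(pub, digest(c.Nonce, origin), sig) {
		return errors.New("signature invalid")
	}
	return nil
}
```

The private key is only ever an argument to Respond, which runs on the device; the server sees the nonce, the origin it serves, and the signature, and nothing reusable leaks if that exchange is intercepted.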

The use of asymmetric encryption is similar to how SSH logins with private keys work, so it’s basically porting that secure authentication method to personal services.

If you know about this encryption type, you know that it’s physically impossible to brute-force the key (physically in terms of computing power). At least at the time of writing; we’ll see whether the advancements of quantum computing change this ;).

Benefits over Password + 2FA

We should have one strong password per service. To achieve this we use password managers, but not everyone does, and this alone is a strong benefit for the “general population”: no more relying on weak passwords.

But even with a weak password there is 2FA. While 2FA is a good workaround for the insecurity of passwords, it is very commonly targeted by phishing. Imagine someone reusing their password, an attacker having access to a leak of it from a different website, and phishing that person to receive the code – or using a more sophisticated method like SIM swapping. While one could argue this is the victim’s fault, we have to bear in mind that not everyone is a tech geek like us.

This also shows another key difference: preventing interception / man-in-the-middle (MITM) attacks of any kind. The private key of the passkey is never sent, unlike a password (and not even password managers have access to it, since it’s end-to-end encrypted with your account password).

Furthermore, the user experience with passwords and 2FA isn’t great at all. To log in to our account on a website, we open the website, unlock our password manager with a PIN code, fill in the password with it, request the 2FA code to be sent via SMS and type it in. What about just a single “sign in” click?

Any downsides?

There isn’t really a downside to this way of authenticating. One could argue that we lose 2FA, because if my phone or laptop is stolen, the thief also steals the credentials to my accounts. However, that line of thought misses a piece: the security of where the passkey is stored.

With a password manager, even if someone had your phone, they would need to know the PIN or password of your password manager to access it (not to mention the phone’s PIN itself).

Thus, passkeys borrow their 2FA from where they are stored, while being a form of credential much safer than a regular password.

Plus, some services allow you to combine a passkey with the regular SMS 2FA method, making it even more bulletproof.

Conclusion

As you can see, passkeys are indeed safer and even offer a better experience than the old password + 2FA method. By using asymmetric encryption with a time-based challenge and borrowing the device’s protection mechanisms, we get a safer authentication method for end users.

For more conceptual details, you can check out this article, which links to the protocols used by passkeys.

That website also has a guide on implementing it.