In a world where hackers can brute force even moderately complex passwords in a matter of minutes, the security staple we’ve been taking for granted doesn’t seem to work anymore. Luckily, a new and more secure authentication method is gaining ground: Passkeys.
In this article, we discuss the differences between passwords and passkeys. Read on to familiarize yourself with how they work and each authentication method’s strengths and weaknesses.
Passwords – Familiar yet Faulty
A password is a string of characters used to verify your identity when accessing an account. Nowadays, passwords are incredibly common for logging into online stores, websites, and social media platforms, so it’s standard practice to create one whenever you sign up for a new service.
Both you and the service know your password, and the most common ways people manage it are memorizing it, writing it down, or saving it on a device. The service keeps its own database of usernames and passwords, and if the credentials you provide when logging in match those in the database, you’re granted access to your account.
Password security and complexity are generally up to the user and can vary widely. Studies suggest people use up to 100 passwords, which makes it easy to fall into habits like reusing passwords, slightly altering them, or opting for ones that are easy to remember – and easy to hack.
Cybercriminals frequently use phishing and brute force attacks to exploit weak security measures, obtaining login credentials directly from users or through service data breaches. This makes passwords a liability: if you reuse the same password across services, a password leaked from one of them can be used to take over your accounts on the others.
Despite these risks, passwords remain the primary method of account authentication because, when done right, they would still take a millennium to break. So, what does a secure, strong password look like?
Strong passwords consist of long strings of uppercase and lowercase letters, numbers, and special characters. If creating, memorizing, and storing such passwords feels overwhelming, consider using a password manager like NordPass.
Password managers not only simplify password management but also provide two-factor authentication, a crucial security measure that ensures a compromised password alone is not enough for an attacker to get into your account.
Passkeys – The Future of Authentication
Passkeys are a new and improved authentication method designed to strengthen login security and address password shortcomings.
A passkey consists of a pair of cryptographic keys, one public and one private. Your device generates a new pair each time you register an account with a service that supports passkeys. The public key is shared with the service, while the private key remains securely stored on your device, often protected by a PIN or biometrics.
Each time you log in with a passkey, the service generates a unique cryptographic challenge and sends it to your device. Your device then uses its private key to sign this challenge, creating a digital signature. The digital signature is then returned to the service, which verifies it using your public key. If the verification is successful, you are logged in.
The service never has access to your private key, and there is no way to derive the private key from the public one or from any other part of the login process. Since passkeys are generated and used automatically, there is no password for you to type, so there is nothing to hand over to a fake site if you stumble upon one, which greatly reduces phishing risk.
While passkeys offer excellent security and significant convenience, they do have their downsides, with adoption being the most notable. Several high-profile websites and services support passkeys, but many still do not. This is largely due to the significant technical changes and resources required for implementation.
Additionally, passkeys are device-dependent, which can be troublesome in some cases. Losing or damaging your device is a real problem, as recovering your passkeys can be difficult.
Finally, passkeys do not replace safe online behavior and practices. Even with passkeys for all your accounts, you’re still vulnerable to threats like man-in-the-middle attacks or fake Wi-Fi hotspots. This is why you should continue following best cybersecurity practices, such as using a VPN on untrusted networks, enabling multi-factor authentication, and keeping your software up to date.
Conclusion
While passwords and passkeys are likely to co-exist for many more years, we’re inevitably moving towards a passkey-dominated future where accessing all our accounts will become hassle-free yet markedly more secure. There will be challenges along the way, but the benefits far outweigh the drawbacks.