Passkeys
A data security specialist by Swiss Post


Passkeys: How does the password-free login work?

More and more online services no longer require a password to log in. ‘Passkeys’, as they are known, handle both the login and the authentication of the user. But how does this technology work and how secure is it? An overview.

What is a passkey?

A passkey is a digital authentication credential for online services. It enables both the login and authentication of a user without the need for a password or, for example, an SMS code.

How does logging in with a passkey work?

In a nutshell: when the user wants to log in to an online service, their device offers the passkey saved for that service. To confirm the login request, all they have to do is unlock the device, for example with a fingerprint sensor or facial recognition. This proves to the service that the device holds the matching passkey.

Passkeys vs passwords: a comparison in numbers

Success rate of login attempts

  • Passwords: 14%
  • Passkeys: 64%

Duration of login process

  • Passwords: 30 seconds
  • Passkeys: 15 seconds

Side note: the problem with passwords

Passwords are not inherently insecure: a long, unique, randomly generated password is hard to guess. The problem is that users have to remember countless passwords, so in practice they choose overly simple ones or reuse the same password across different online services, which means one breached service exposes the others. Password managers help, because they store the user’s credentials and, if desired, fill them in automatically when the corresponding online service is accessed. Even then, the login request often has to be confirmed with a second factor. In addition, the online service has to keep a copy of every password (ideally as a salted hash, sometimes in weaker forms) on its servers, which makes those servers an attractive target: a stolen password database can be cracked offline and the recovered passwords tried against other services.

Passkeys: quicker, simpler and more secure

Passkeys are considered a simpler and more secure login method than passwords. But why is this the case?

Logging in with a passkey is simpler and more convenient for users, as there is no need for an additional second factor. Instead, they authenticate with a fingerprint sensor, facial recognition or a PIN. The private key on the device is the first factor (something you have) and the fingerprint or PIN that unlocks it is the second (something you are or know). Passkeys are also standardised (FIDO2/WebAuthn), so they work the same way across browsers, operating systems and services. A passkey stored in a synchronised keychain only has to be set up once and is then available on every device signed in to the same account.

Passkeys are also the better alternative when it comes to security: instead of a password, only a public key is stored on the server. A public key cannot be used to log in, so a stolen database is far less interesting to attackers who break into such servers. In addition, each passkey is bound to the domain (the ‘relying party ID’) of the website or app it was created for. The browser or operating system checks the domain the user is actually visiting and will not offer the passkey on a look-alike site, which is what protects users from phishing attacks.

A passkey is a secure, user-friendly digital credential that uses public key cryptography to replace passwords and additional second factors.

How exactly do passkeys work?

Passkeys are based on public key cryptography, more precisely on digital signatures rather than encryption. When you register with an online service, your device (a mobile phone, computer or hardware security key) generates a key pair for that service: a private key, which you can think of as a long, randomly generated string, and a matching public key. Only the public key is sent to the service. Unlike a password, the private key is never shared with the linked online service.

If you then want to log in, the online service sends a fresh, randomly generated challenge to your device. Access to the private key is secured, for example, by a fingerprint. Once you have unlocked it, the device signs the challenge (together with the domain it is being used on) with your private key and sends the signature back to the online service. The server uses the stored public key to check that the signature was produced by the correct private key and, if so, confirms the login. Because every challenge is different, a recorded signature cannot be replayed for a later login.

The benefits of passkeys in a nutshell

  • Protects against phishing

  • Reduces data security breaches

  • More user-friendly login

Side note: Device vs cloud

Passkeys that are stored only on a device are not synchronised and can therefore only be used for logins from that specific device. If you store them in a cloud keychain instead (for example Google Password Manager or iCloud Keychain), you can use them on any device that is signed in to the same Google or Apple account.

If you usually log in to an online service via your mobile phone, chances are that you also created and saved your passkey on this device. If you now access the same online service on your computer, you can still use your mobile phone for authentication. Typically, the computer displays a QR code that you scan with your phone; the phone then checks over Bluetooth that it is physically close to the computer, so the login cannot be triggered remotely. You then confirm the login request on the phone using biometrics or a PIN.

However, problems can arise if you use devices with different operating systems, because each vendor’s keychain only synchronises within its own ecosystem. To deal with this, you can use a third-party password manager that supports passkeys, or a cloud-based solution from Google, Apple, etc., and store all passkeys in one place regardless of the operating system.

Conclusion

Entering passwords is a thing of the past! Passkeys not only make the login process simpler and more convenient for users, they also provide greater security. The password-free login process is already supported by major providers such as Amazon and Google. In the near future, they will be joined by many more online services and passkeys will slowly but surely become the login standard.