The Key To Secure and Convenient Authentication

Passwords are known to be insecure. Passkeys are slowly replacing this obsolete security standard, which addresses both password fatigue and the security problems that come with it.

Jul 21, 2023 - 2 min.
Sonja Spaccarotella

In May this year, Google announced that it was possible to log into Google accounts using passkeys. This innovation offers many advantages for users, because the procedure with passkeys is not only convenient but also secure. With it, Google is heralding the end of the password. Passkeys were developed by the FIDO Alliance (Fast Identity Online) and are therefore considered vendor-neutral and highly secure. Passkeys are based on asymmetric cryptography, that is, a pair of keys. A private key generated from a random string of characters is kept on your device; only the matching public key is given to the web service. When you want to log in to a web service, it sends a task (challenge) to your device. Your device signs this challenge with the private key and sends the signature back to the service. This process does not reveal the private key itself but simply proves to the provider of the web service that you are in possession of it. In this blog post, you can find out what advantages this offers.

A brief history of the password

The password is older than you think. Combinations of letters or characters and security phrases were used long before the introduction of computers and IT security systems. Even the Ancient Romans used slogans or sayings to verify and authorise themselves. This made it possible to determine whether the person seeking entry was a friend or a foe. This procedure was recorded by the Greek historian Polybius, famous for the Polybius cypher.

Even then, watchwords and slogans were changed regularly to make it as difficult as possible for the enemy to gain access.

However, character strings were not the only method of authentication used. For example, the material pattern used to make a kilt indicated who belonged to which clan. This meant that distant relatives could be identified. Combined with a password, this constituted an early form of two-factor authentication.

However, it soon became apparent that watchwords or slogans were not secure. They could be overheard by the enemy, who could then gain unauthorised access to secure areas.

We now fast-forward to the 1960s, when the Compatible Time-Sharing System (CTSS) was developed at MIT. This system allowed several people geographically separated from each other to access a mainframe computer simultaneously. Passwords were used to prevent third parties from gaining access.

Passwords are no longer enough

By now, word has spread that passwords are not secure. Our Security Barometer 2022 revealed that more than half of the respondents use the same password for different online accounts in their private lives. Paradoxically, at the same time, almost 40 per cent of the study participants are worried that their private data is not sufficiently protected.

The following example shows how devastating this password fatigue can be: In 2021, hackers put a collection of 3.2 billion passwords online. Users were able to check whether their data was among them. If we assume that half of this collection is used for at least three accounts, this means that cybercriminals have access to 4.8 billion accounts. This figure alone should be alarming, even if it is a simplified example.

Use passkeys to eliminate password fatigue

The use of multi-factor authentication (MFA) makes Internet accounts more secure. This is because, besides one authentication factor, users need at least one further factor to gain access to an account. The possible factors are knowledge (a password or PIN), possession (a device) and inherence (biometric features such as a fingerprint or iris scan).

The ‘knowledge’ factor can pose a risk under certain circumstances because knowledge can be passed on intentionally or unintentionally.

This is where passkeys come into play. They are based on FIDO2 and work with any website that has implemented the procedure via the WebAuthn API. The procedure combines multiple factors, with the device, such as a smartphone, at its centre. The character string on which the private crypto key – or passkey – is based never leaves the smartphone. This means it cannot be passed on. If biometric methods are added to the mix as a second authentication method, your account is secure.

Towards a passwordless future

Passkeys are now offered by many large companies such as Apple, Google, Microsoft and soon PayPal. We anticipate that other services will also follow suit and offer this authentication option, which not only makes their customers' accounts more secure but also provides a more user-friendly login procedure.
