Passkeys

What are they? Can they really get rid of passwords?

Welcome to the first issue of my newsletter! Please bear with me as I navigate this new medium for delivering my columns to you - I may make missteps while figuring it all out and I hope you’ll understand when that happens.

Yes, my columns are still being published in the Hillsboro Times Gazette but, with this newsletter, you will generally see my columns before they’re published in the paper. This format gives me the ability to share more things with you on an as-needed basis, including very short news items and quick updates to previous columns. I hope you’ll enjoy the extra bits that this newsletter will deliver to you.

With that out of the way…

Passkeys have been in the news recently and are touted to replace passwords. Apple and Google were the first to announce support for them and they've just recently rolled out that support. Password managers 1Password and Bitwarden have also announced support. But what are passkeys? I've read that they can completely replace passwords - do they really? Are passkeys safe? How do passkeys work and how do I set them up? We'll answer these questions and more this week.

Passkeys build on some existing standards and use public key cryptography. We won't get into the details of public key cryptography here but if you're interested in a lot more detail, head over to https://en.wikipedia.org/wiki/Public-key_cryptography. The point is that there is no password to crack or steal. During sign up, your phone or device generates a public key and a private key. These keys are related mathematically so that a message that's encrypted with one can only be successfully decrypted with the other. When you sign up, your device sends your new public key to the website or app and stores your private key safely away in encrypted storage. You never need to see your private key because it's used behind the scenes. When a site or app wants you to log in, it sends a randomly generated message, called a challenge, to your device. Your device encrypts the challenge with the private key that was generated when you signed up to use a passkey on that website or app and sends the encrypted challenge back to the site/app. That site or app decrypts the message with your public key. If the decrypted message matches the original challenge then the site/app knows it's you who's trying to log in and grants you access. If it doesn't match then you don't get in. Sure, in reality it's a bit more complex than that but that's the basic flow.

So, any nasty person who manages to intercept your login process never sees anything resembling a password. All they see is the challenge and your encrypted response. Since the challenge is randomly generated each time you sign in, anything they intercept won't help them when they try to sign in - there will be a different challenge that requires a response that is generated with your private key, which they don't have!
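To make the sign-up and challenge-response flow described above concrete, here is an added example in Go. It is not code from this column, nor from any of the Apple, Google, 1Password or Bitwarden implementations; the names Authenticator (your device), RelyingParty (the site or app) and their functions are my own simplified model. The device signs the challenge with an ECDSA private key, which is the precise operation behind "encrypts the challenge with the private key", and the site checks that signature with the public key it stored at sign-up. The example also shows the point of the random challenge: a recorded response replayed against a later login is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's phone: it generates the key pair at sign-up
// and keeps the private key, which never leaves the device.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// RelyingParty models the website or app: it stores only the public key and
// the challenge it most recently issued for a login attempt.
type RelyingParty struct {
	pub       *ecdsa.PublicKey
	challenge []byte // outstanding challenge; nil when no login is pending
}

// Register is the sign-up step: the device generates a key pair and sends
// only the public key to the site.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// IssueChallenge: the site draws a fresh random challenge for this login
// attempt and remembers it so the response can be checked against it.
func (rp *RelyingParty) IssueChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenge = c
	return c, nil
}

// Respond: the device signs the challenge with its private key.
func (a *Authenticator) Respond(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Verify: the site checks the signature against the stored public key and
// the challenge it issued, then discards that challenge so it is single-use.
func (rp *RelyingParty) Verify(sig []byte) error {
	if rp.challenge == nil {
		return errors.New("no login in progress")
	}
	digest := sha256.Sum256(rp.challenge)
	rp.challenge = nil // consumed whatever the outcome
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("signature does not match challenge")
	}
	return nil
}

// LoginSucceeds runs one complete login round and reports whether the site
// accepted it.
func LoginSucceeds(rp *RelyingParty, a *Authenticator) bool {
	c, err := rp.IssueChallenge()
	if err != nil {
		return false
	}
	sig, err := a.Respond(c)
	if err != nil {
		return false
	}
	return rp.Verify(sig) == nil
}

// ReplayFails shows why an eavesdropper gains nothing: it records one valid
// response and presents that recording to a later login with a new challenge.
func ReplayFails(rp *RelyingParty, a *Authenticator) bool {
	c, err := rp.IssueChallenge()
	if err != nil {
		return false
	}
	recorded, err := a.Respond(c) // what the eavesdropper captured
	if err != nil || rp.Verify(recorded) != nil {
		return false // the genuine login itself must have worked
	}
	if _, err := rp.IssueChallenge(); err != nil { // next attempt, new challenge
		return false
	}
	return rp.Verify(recorded) != nil // the recording no longer matches
}

func main() {
	rp := &RelyingParty{}
	a, err := Register(rp)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine login accepted:", LoginSucceeds(rp, a))
	fmt.Println("replayed response rejected:", ReplayFails(rp, a))
}
```

Two design points carry over to real deployments: the site stores nothing secret (a breach of its database leaks public keys only), and each challenge is consumed after one check, so the same response can never be accepted twice.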

Browsers have to support passkeys and, so far, only Safari, Chrome, and Edge support them, but more will follow soon. Websites and apps also have to add support for passkeys; not many of them support passkeys right now, but more will be adding support all the time. https://www.digitaltrends.com/mobile/apple-passkeys-iphone-ipad-apps-websites-work-supported has a list of sites that support passkeys and there is a community-driven site that has more listed - see https://passkeys.directory/.

Apple stores your passkeys in your private keychain, an encrypted storage area in your iCloud that securely holds all of your passwords and keys. That keychain is shared amongst all of your Apple devices. So, if you sign up for a passkey at eBay, you can log in with a passkey from your MacBook, your iPad, and your iPhone.

Right now Google operates a little differently. Your passkeys are only stored on the device that you used to generate them (there's talk about this changing and that Google will do something similar to what Apple does but right now, that's not the case). Does that mean that you need to generate a passkey on each of your devices? Well, no. If a site/app prompts you to log in and you've created a passkey for that app/site, you will be given the opportunity to log in using the passkey on the device that has the passkey. Note, the device with the passkey must have Bluetooth turned on and be in relatively close proximity to the device that's trying to log in. A good article that discusses all this is available at https://www.tomsguide.com/how-to/how-to-use-passkeys-with-your-google-account.

What's the downside to using a passkey? About the only one is that anyone who has access to a device that has access to passkeys potentially has access to all the sites and apps for which you use a passkey. That is countered by requiring you to authenticate to your device, via your face or fingerprint, whenever a passkey is about to be used. Another possible downside is that if you lose your device or it is broken, you can potentially lose access to all those sites and apps that you used your device's passkeys to get into. Apple's keychain means that your passkeys are available on all your devices, and Google will undoubtedly follow Apple in some way. And from what I hear, password managers will do the same. Note, though, that each passkey is unique, so you can generate a separate passkey on each and every device; then no device depends on another being in the vicinity to complete the challenge.

That's all for this week's column. I hope this helps you understand passkeys. Don't hesitate to write to me if you have questions!

As always, my intent with these columns is to spark your curiosity, give you enough information to get started, and arm you with the necessary keywords (or buzzwords) so you'll understand the basics and are equipped to search for more detailed information.

Please feel free to email me with questions, comments, suggestions, requests for future columns, to sign up for my newsletter, or whatever at [email protected] or just drop me a quick note and say HI!

With the advent of this newsletter, you’ve got more choices as to how you read my columns. First, of course, you can read all my columns and, if you’re not subscribed, sign up to have them delivered to your email when I publish them at https://go.ttot.link/TFTNT-Newsletter. And if you’re already subscribed, you can give your friends that link so they can sign up. You can also read the most recent column in the Hillsboro Times Gazette at https://go.ttot.link/TG-Column - it should be updated shortly after this column appears in the online version of the newspaper.