Why passwords may soon be a thing of the past

Tech companies may soon sound the death knell on passwords


We all know that creating a unique password for every e-commerce platform, bank account, or social media account, whether on a smartphone or a laptop, has always been advisable practice.

At the same time, remembering each of these unique passwords is incredibly frustrating. Nor are passwords foolproof: they are still exposed and relatively easy to steal, as the sale of passwords and other user data on the dark web demonstrates. That is perhaps why many say passwords are on their way out, to be replaced by the simpler and more secure passkey mechanism. Read on.

How do passwords work and why are they not entirely secure?

Traditional passwords rely on a string of characters known to both the user and the server. Because both sides hold the same secret, there is no mechanism to check whether it really is you trying to access your account or someone else who knows your password. This makes passwords much more vulnerable to fraudulent transactions, identity theft, and more.


Two-factor authentication is one way to keep a check. It essentially lets you approve or reject any sign-in to your account through another pre-registered device. However, this may not be entirely convenient either, since you may not always have access to that device. This is where passkeys step in.

What are passkeys and how do they work?

A passkey lets you log in to any given app or website with just your username, on a pre-authenticated device. 

The origins of passkeys can be traced back to the development of Web Authentication, a standard created by the World Wide Web Consortium (W3C) and the FIDO Alliance. WebAuthn, as it is called, was launched to create an authentication standard that was both secure and convenient.

In contrast to passwords, passkeys use a public and a private key. While the public key is stored on a server, the private key, which is different from the former, is stored on users’ devices and is known only to them. 

So, when you attempt to access a server, it sends a message to your device. The device then uses the private key to generate a response to it, called a ‘signature’, and sends it back to the server, which verifies the signature against the public key. This helps prove that the signature did indeed come from you, and not a malicious third party. It is only at this stage that you are given access to the server.
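The exchange described above, as an added example that is not part of the original article: a simplified Node.js sketch, not the actual WebAuthn message format. The `Server` and `Device` classes, the username and the `example.test` origin are illustrative assumptions, and the origin check goes beyond what the article describes to show why a signature made for a look-alike site is rejected.

```javascript
// Simplified passkey-style challenge-response; not the WebAuthn wire format.
const crypto = require("node:crypto");

// Server: holds only public keys and outstanding challenges, never a secret.
class Server {
  constructor(origin) {
    this.origin = origin;           // hypothetical site origin
    this.publicKeys = new Map();    // username -> public key (PEM)
    this.pending = new Map();       // username -> challenge awaiting a response
  }
  register(username, publicKeyPem) { this.publicKeys.set(username, publicKeyPem); }
  issueChallenge(username) {
    const challenge = crypto.randomBytes(32).toString("base64url");
    this.pending.set(username, challenge);
    return challenge;
  }
  verify(username, signature) {
    const challenge = this.pending.get(username);
    const publicKey = this.publicKeys.get(username);
    this.pending.delete(username);  // single use: a captured signature cannot be replayed
    if (!challenge || !publicKey) return false;
    const signed = Buffer.from(`${this.origin}|${challenge}`);
    return crypto.verify("sha256", signed, publicKey, signature);
  }
}

// Device: the private key is generated here and only the public half is exported.
class Device {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: "spki", format: "pem" });
  }
  sign(origin, challenge) {
    return crypto.sign("sha256", Buffer.from(`${origin}|${challenge}`), this.privateKey);
  }
}

function demo() {
  const server = new Server("https://example.test");
  const device = new Device();
  server.register("alice", device.publicKeyPem);
  const sig = device.sign(server.origin, server.issueChallenge("alice"));
  const genuine = server.verify("alice", sig);
  const replayed = server.verify("alice", sig);  // challenge already consumed
  const otherKey = server.verify("alice", new Device().sign(server.origin, server.issueChallenge("alice")));
  const wrongOrigin = server.verify("alice", device.sign("https://examp1e.test", server.issueChallenge("alice")));
  return { genuine, replayed, otherKey, wrongOrigin };
}
console.log(demo());
```

Only the first attempt verifies: the replayed signature, the signature from an unregistered key and the signature bound to a different origin are all rejected.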

Think of it this way. If someone knew your Google account password, they could theoretically access it from their devices, without you ever knowing. But a passkey will ensure your Google account is accessible only through certain pre-registered devices, which you have access to, and no one else. And if you were to access your Google account from another, new device, Google will automatically trigger a two-factor authentication mechanism to verify if it really is you trying to access it.


In simpler words, think of it as a lock and a key. Passkeys generate a unique lock for your account on a server, and you are given a key with which you can open it.

What makes passkeys a favourable alternative to passwords

Passkeys are nearly impossible to steal, since they never actually leave a user’s device. While it may be easy to steal public keys from servers, a public key alone cannot be used to sign in, and private keys are nearly inaccessible, making the passkey mechanism much more secure.

Say you misplace your device though, or it is stolen. Well, your passkeys stay secure even then. Why? Because to access a passkey, one requires biometric or PIN-based authentication as well. This makes them virtually impossible to steal.

What’s more, with passkeys, you don’t have to manually enter a password either, making them all the more convenient and secure. 

Is it truly the end of the line for passwords?

Most major tech companies today, including Apple, Google, Microsoft, and Meta, are adding passkey support across their entire suite of programs. An example that comes to mind is WhatsApp for Android smartphones as well as iPhones. Additionally, Sony recently introduced passkey support for the PlayStation 5 console, which allows users to bypass the current login page for their Sony account and access it quickly and easily.


Passwords haven’t been entirely done away with. Not yet, at least. That being said, bearing in mind how passkeys are exponentially more secure, not to mention more convenient, it would hardly be surprising if we see the aforementioned companies, and others, beginning to sound the death knell on passwords soon.


Disclaimer: This post as well as the layout and design on this website are protected under Indian intellectual property laws, including the Copyright Act, 1957 and the Trade Marks Act, 1999 and is the property of Infiniti Retail Limited (Croma). Using, copying (in full or in part), adapting or altering this post or any other material from Croma’s website is expressly prohibited without prior written permission from Croma. For permission to use the content on the Croma’s website, please connect on contactunboxed@croma.com
