Passwords have been our first line of defense against hackers since the 1960s. But now they are showing their age and limitations in the 21st century data wars. Even password managers are not secure. Access keys are now here to help. Here’s why you should switch and enjoy a more secure digital future.
What is a passkey?
An access key is an authentication method that allows you to sign in to a website, service, or application without a password. Passcodes typically use biometric data, such as a facial scan or fingerprint, to verify the user’s identity before logging in.
How do passkeys work?
The access keys use what is known as “public key cryptography”. When you create a passkey for a website or service, two digital keys are generated: one for you and one for the site. Your key is stored on your chosen device, such as a smartphone, computer, or even a USB drive, and the site key is stored on their servers. Both keys are required to log in to the service.
Keys are similar to passwords in that they both involve entering text into a site or service to log in. However, access keys are essentially unbreakable compared to passwords. Also, you don’t need to remember them. The added benefit of storing your access key on a dedicated device, such as a smartphone or laptop, means they can use biometrics to verify your identity before handing your key over to the site to log in.
Once you’ve set up a passkey for a site or service, your phone basically becomes your authentication device. And since no one else has your face or fingerprints, it’s nearly impossible for criminals to hack or spoof your passkey, as it requires both physical control of the device and biometric data that’s extremely difficult to fake.
How is a passkey different from a password?
At this point, you might think that access keys are just longer passwords that computers make up for you. However, a few key distinctions separate the two authentication methods.
Access keys are mathematical formulas
Instead of having a single password stored on a company’s server and in its memory (or password manager), access keys have two components: public and private. The public key is kept by the service for which the passkey is generated, and the private key is stored on your device. The two keys are mathematical complements to each other and are unbreakable by conventional hacking techniques.
Access keys are more complex than passwords
Passwords rely on human brainpower to make them strong and memorable. Unfortunately, that’s a difficult task for people to accomplish, often leading to tradeoffs in one aspect or another of a good password. Because access keys are computer generated, they can be much more random and unhackable than their human-made counterparts.
Access keys use hardware as part of the authentication process
Passwords rely only on human memory to be effective, and anyone, anywhere can try to hack a password for a website. But, because private access keys are stored locally on your device, only people with access to that device can attempt to sign in to a service with an access key. Think of your smartphone as the physical embodiment of your passkey.
Only you have access to your private key
Once a passkey is stored on a device, it’s never really left (unless you transfer it to another device). Instead, trying to sign in to a site, app, or service sends your authenticating device a math challenge based on your public key. Your authentication device then solves that challenge using your private access key and logs you in. Therefore, your passkey is never entered anywhere, making it much more difficult (nearly impossible) to steal, guess, or forge.
Why are passkeys better than passwords?
You may be thinking, “This is all very well, but I like my password strategy the way it is.” Here are some key reasons why you should consider making the switch now.
Access codes are more secure than passwords
Access keys are much more secure than passwords for several reasons. Chief among these is that each passkey is unique. One of the biggest problems with human-generated passwords is that users often reuse or modify them for multiple sites and services, which could put anyone’s entire Internet account at risk if a password is hacked, phished, or guessed.
In most cases, users don’t even see an unencrypted passkey on the device it’s stored on. In preparation for this article, I created an access key for Kayak.com and stored it on my Apple Keychain. When I looked at it in my keychain, it showed me that there is a passkey for this service, with no option to view it the way you can view an unencrypted password. So even if a scammer manages to pressure me into handing over my unencrypted passkey verbally, it’s just not possible.
The other thing that makes access keys much more secure than passwords is that they use biometric verification before transmitting the access key on demand. If I were to log into Kayak.com right now on my iPhone, I would use FaceID to confirm that it was indeed me who logged into the service and not someone else who was holding my phone.
Access keys are more convenient than passwords
One of the best things about access keys is that you no longer need to type anything when you log into a website with your authentication device. Since your keys are stored locally on your device, that’s all you need. Sure, many programs will autofill your passwords when they’re stored in a browser or password manager, but you’ll still have to type a password if you’re logging in from a new machine. If you try to log into a service with a passkey on a machine that is not your authenticator, the service will display a QR code that you can scan. Your authenticator performs a biometric can and sends the access key to the service.
you don’t have to remember them
Most people know that having a strong and unique password for each Internet service they use is vital to keeping their digital identity secure. But the limits of human creativity, memory, and ingenuity often get in the way of this effort. Many people use a mnemonic system to remember passwords or use a password manager. Access keys solve this problem by storing the keys on your device so you don’t have to rely on your memory or an external service to keep your accounts as secure as possible. And don’t worry about losing your device. Companies that support access keys have developed recovery options to restore your accounts if you ever lose access to your chosen authenticator.
Where can access keys be used today?
Although the FIDO Alliance has been preparing access keys for a while, companies only started rolling them out in 2022. So they’re not ubiquitous yet. But they will be. Password manager 1Password has published a list of services that support the new technology. The main names include:
- Best Buy
- DocuSign
- ebay
- KAYAK
- Microsoft
- nvidia
- okta
- PayPal
- Robin Hood
- Shopify
- zoho
Also, if you’re already using a password manager, chances are they can store your access keys for you. 1Password, Dashlane, LastPass and more have announced support for passcodes.
Final Thoughts: Master Keys Are the Future of Digital Security
As we move further and further into the 21st century, many aspects of the 20th century will need to be left behind. Passwords fall into that category. They are simply too old-fashioned and vulnerable to trust to move on. Access keys solve almost all the problems that passwords create. And while they’re not perfect, they’re the best security innovation to come along in decades. So it pays to get on board now and secure your digital life.
