Big Tech Takes a Step Toward a Passwordless Future with Passkeys

Tech giants Google, Microsoft, and Meta, among others, recently announced their efforts to move toward passwordless authentication and eliminate the risks of weak and recycled passwords.

Passwords are hackers' most common entry point, as a 2021 SpyCloud study reports that 64% of employees reuse the same password on multiple accounts. Passwords are also a risk factor because users create passwords, such as "12345" or "Password1," that hackers can easily guess and exploit.

Passwordless logins remove the middleman as a safer alternative when signing into apps and websites. They also protect against phishing attacks, as they work only on registered websites and apps, so the user can't be tricked into revealing their password on a deceptive site.

How does it work?

Users are given a passkey, a digital credential that verifies a user's identity using a biometric sensor, PIN, or pattern. Passkeys allow end users to authenticate themselves without providing a username or password.

When users sign in to a service that uses passkeys, the browser or operating system helps them select the correct passkey, similar to entering saved passwords. The system then asks them to unlock their phone, laptop, or tablet using a biometric sensor, PIN, or pattern to verify their identity.

To maintain passkey security, password managers Bitwarden, 1Password, and NordPass have announced their support by allowing passkeys instead of a master password to secure a user's vault.

How are passkeys safer than passwords?

Passkeys use end-to-end encryption, meaning no one, neither the user nor the company that created them, can see or change the encryption or key. They use public key cryptography, creating two keys: a public key stored on the website's server and a private key stored on the user's device, accessible only to the user.

In other words, the private keys generated in each passkey pair are only stored on the user's device, making it impossible for hackers to discover login credentials. The hacker can access the public key, but without the private key, it's useless. Even if someone were to click on a phishing link in an email or text message, the cyberattack would fail because the passkey on the user's device would only work with the website that created it.
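
The key pair and site binding described above, as an added example that is not from the original article or any vendor's code: a simplified Node.js model of a passkey sign-in, not the real WebAuthn message format. The `Authenticator` class, `verifyLogin`, and the `.example` origins are assumptions made for illustration.

```javascript
// Simplified model of a passkey sign-in (not the real WebAuthn message format).
const crypto = require("node:crypto");

class Authenticator {
  privateKeys = new Map(); // site hostname -> private key; never leaves the device
  register(hostname) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.privateKeys.set(hostname, privateKey);
    return publicKey; // only the public half goes to the website's server
  }
  // `origin` is reported by the browser, so a deceptive page cannot choose it.
  sign(origin, challenge) {
    const privateKey = this.privateKeys.get(new URL(origin).hostname);
    if (!privateKey) return null; // no passkey was ever created for this site
    const clientData = JSON.stringify({ origin, challenge });
    const signature = crypto.sign("sha256", Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Server side: the signed origin and challenge must match, and the signature
// must verify under the public key stored at registration.
function verifyLogin(publicKey, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return false;
  const { origin, challenge } = JSON.parse(assertion.clientData);
  if (origin !== expectedOrigin || challenge !== expectedChallenge) return false;
  return crypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const site = "https://shop.example"; // constructed sample origins
  const lookalike = "https://shop-login.example";
  const device = new Authenticator();
  const storedPublicKey = device.register("shop.example");
  const challenge = crypto.randomBytes(32).toString("hex"); // fresh per login attempt
  const genuine = verifyLogin(storedPublicKey, site, challenge, device.sign(site, challenge));
  // A look-alike site relays the real challenge, but the device holds no key for it.
  const phished = verifyLogin(storedPublicKey, site, challenge, device.sign(lookalike, challenge));
  // Someone who knows only the public key signs with a key pair of their own.
  const other = new Authenticator();
  other.register("shop.example");
  const forged = verifyLogin(storedPublicKey, site, challenge, other.sign(site, challenge));
  // An old response is replayed against a new challenge.
  const old = device.sign(site, challenge);
  const replayed = verifyLogin(storedPublicKey, site, crypto.randomBytes(32).toString("hex"), old);
  return { genuine, phished, forged, replayed };
}

console.log(demo());
```

Only the genuine sign-in verifies; the look-alike site, the holder of the public key alone, and the replayed response are all rejected by the server-side check.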

If you're considering creating passkeys for your business, Google Identity offers a free demo to take you through the setup process. You can also learn more about creating secure passwords by checking out our blog.

