by Charles Miller

This week I received several calls and emails, all from people asking the same question… and I know why. Everyone was asking "What is a passkey?" and the reason for everyone asking about this now is that Microsoft, Google, and others have stepped up efforts to encourage customers to use passkeys rather than passwords.

A passkey is a cryptographic credential that is tied to a user's account on a website or application, and intended to take the place of usernames, passwords, and two-factor-authentication (2FA). Instead, the user sets up their account to sign-in with essentially the same kinds of biometrics (fingerprint, facial/voice recognition) or other security they may already be using to unlock their smart phone or computer.

WARNING: What follows here is another of my super-simplified explanations that omits comprehensive detail for the sake of attempting to explain a complicated subject within the attention span of the average technology user.

One way to describe a passkey is that it is a super-secure password. Imagine creating a cryptographically-secure password of at least 1,000 random characters; that would be really secure. Now imagine engraving that passkey on the back of your smart phone or lid of your laptop such that only that phone or that computer could use that passkey; that would be really really secure. Now imagine that there would be a new and different passkey for every single place you needed to use a password; now we are talking insanely secure.

It is easy to see that passkeys overcome the worst problems with our existing username/password paradigm. Passkeys prevent users making up short and easy-to-guess passwords. Passkeys can only be used from YOUR computer or portable device, thus ending the problem of someone stealing your password (unless they also hack your computer or phone). And passkeys end the problem of people using the same password on multiple sites. And passkeys cannot be written down on a piece of paper stuck under your keyboard. Passkeys are not unhackable, just 1,000 times better than what we are doing now.

Passkeys are a creation of the FIDO Alliance, which is industry association launched in February 2013 whose stated mission is to develop and promote better authentication standards while working to find something easier to use than passwords. FIDO (Fast IDentity Online) supports a full range of authentication technologies seeking to overcome that annoying axiom that says "simple is the opposite of secure."

The list of FIDO member organizations reads like a Who's Who of software companies, hardware manufacturers, governments, banks, and online service providers. Starting last week anyone setting up a new Windows 11 computer is prompted to create a passkey. You can still setup the new computer the old username/password way (for now) but it is obvious that that Microsoft will push all Windows users to use passkeys. Apple is also actively encouraging the use of passkeys. Google is likewise already encouraging (note I did not say "coercing") Gmail users to start using passkeys over username/password authentication.

In the years to come, the replacement of username/password authentication with passkeys heavily depends on hardware security features like TPM (Trusted Platform Module) chips. A TPM chip is a secure, tamper-resistant location where your passkeys can be stored ("engraved" as in the earlier example) on a chip inside your computer or portable device. TPM chips are starting to be built into most new computers and mobile devices. There are also software-based options for using passkey authentication where up-to-date hardware is not available.

**************

Charles Miller is a freelance computer consultant with decades of IT experience and a Texan with a lifetime love for Mexico. The opinions expressed are his own. He may be contacted at 415-101-8528 or email FAQ8 (at) SMAguru.com.

Discover Lokkal:
Watch the two-minute video below.
Then, just below that, scroll down SMA's Community Wall.
Mission

Visit SMA's Social Network

Contact / Contactar