
February 2024

Passkeys: Simpler and More Complicated Than You Thought

Somehow Passkeys flew over my head. Maybe it’s because I was checked out of password tech given my recent binge of replacing all of my emails with proxies and migrating my primary email address, which was totally worth it and a lot of work. However, once you hear the pitch, it’s impossible to ignore.

Passkeys promise to replace passwords completely, be more secure than passwords, be less susceptible to phishing, and provide a much simpler user experience.

Imagine a world where you don’t have to remember a password. Scratch that – the password doesn’t exist in the first place. Quite the sales pitch. It’s hard to believe given we live in a world of tech companies lying to our faces and using manual labor to obfuscate AI promises. I will give a brief history of when Passkey technology came about, conceptually how it works, the state we are in right now, and reflections on converting a few of my hundreds of passwords to Passkeys.

How Long Have Passkeys Been Around?

About a decade is the somewhat surprising answer. At least for me. Passkeys are based on WebAuthn, which is a web standard created in 2016. WebAuthn is part of the FIDO2 Project housed under the FIDO Alliance. What happened with FIDO1? Well, it was used to enhance traditional username/password flows by adding USB and Near-Field-Communication (NFC) to the mix. So, your YubiKeys.

How Does it Work?

In short: Passkeys use “something you know” like a PIN, passcode, or swipe pattern, or “something you are” like a face scan, fingerprint, or voice sample, to log you in. Essentially the same as unlocking an iPhone, but now you can do it online. There are no passwords and it is all encrypted. Below is the longer version.

A Passkey is based on “public key cryptography.” Not a helpful intro, I know. It may be easiest to compare this to encryption.

Imagine a safe. The safe requires two keys to unlock. It can’t unlock with one or none, it has to be two – and it has to be exactly these two unique keys. At some point, you need a friend to also be able to unlock your safe. So, you give away one key to them. Over the years, you get a litany of people who need to access your safe. So, you make a bunch of copies of one key and keep exactly one copy of the other for yourself. We can imagine the former as a “public” key and the latter as your “private” key. Essentially, you always have to have yourself and another party (who has been given a key) agree to open the safe.

That is all encryption is. Whether it is WhatsApp or Signal, we put our messages in a safe and only those who have our keys can open them. Anyone can access our public key, but you have to consent to providing your private key for the safe to be unlocked at all. A Passkey works in a similar way.

Instead of having a “thing” that you are protecting, like a text message or bank account number, you are instead verifying your identity. You are proving that you are you and therefore should be allowed into your Best Buy or Home Depot account. This verification can derive from the ownership of a device, having already logged in to a platform (like a password manager), or biometrics (Face ID or fingerprints). In the security world, this is referred to as “something you know” or “something you are”. If I have my private key and each website can verify one of those things, then they can let me in without entering any credentials. It’s just a different kind of password.

How this works in practice is:

  1. Open a website that supports Passkeys (make sure to check compatibility with browser/OS/etc.) – the FIDO Alliance has a list of companies that use Passkeys.
  2. If you have an account, log in as usual. If you haven’t created an account, then you may be able to start with a Passkey.
  3. Once in, navigate to your account security options and click the prompt that will allow you to create a Passkey.
    1. Your mileage will vary here. Some websites have the Passkey prompt while you are logging on; others have it under your account settings or under security/log-in. It may be nested under 2FA/MFA settings or be called “security keys” rather than Passkeys. Good luck!
  4. You should have the option to select where you are storing your Passkeys. For me, I use Bitwarden, so that is where they live. However, Google, Microsoft, and Apple all have Passkey infrastructure, so you can use those too. Bitwarden makes this quite easy by popping up a prompt that lets you save the Passkey in one click.
  5. Done!

Now, when you log in to these sites you should be prompted for a Passkey – not a username or password. You will instead verify depending on your settings: Face ID, Windows Hello, fingerprint scan, PIN, or password manager verification.

Easy!

So, at this point we know that Passkeys are more secure (encryption versus plain-text usernames and passwords, and two-factor by design) and easier to use (no entering of anything). But how do they help against social engineering and phishing? Simple: no passwords. When there is no password or authenticator code, there is nothing for a malicious third party to intercept or talk you into telling them.

So, what happens when you lose your phone? As someone who smashed my phone screen and realized that my life fell apart because of all the 2FA I had set up, this was top of mind. Well, Passkeys are stored on platforms, not devices. In other words, they are in Bitwarden, not my phone. They are in my iCloud Keychain, not my MacBook.

Maybe Not So Easy: Lessons From Using Passkeys

As I mentioned, this Verge podcast was really the tipping point for me trying out Passkeys. I get anxious any time biometrics are seen as the more secure option for… anything. We really only have one shot to use our biometrics, and if they get leaked there isn’t much we can do. So, the only way I feel comfortable opting in is if the platform is encrypted at every step and/or localized to my device. It always needs to be encrypted, and the only one with access should be me. So, it took some reading to convince me that Passkeys were really an investment I would be willing to make. Big note: if you are comfortable using biometrics, it makes this process much more flexible.

I spent an afternoon scrolling through the FIDO Alliance’s Passkey Directory and found 16 matches for accounts I already have. I went through each website and attempted to add a Passkey. If successful, I then logged out and tried to log in using a Passkey. Here is how it went. I am using a Windows 11 PC, the Firefox browser, and Bitwarden as my Passkey manager. At this time, Bitwarden doesn’t offer Passkeys in their mobile app.

Of the 16 websites I tried, 10 were successful. Not a great ratio. However, 2 of the failures were due to compatibility, which is likely to be fixed in the near term. Passkey support isn’t consistent across operating systems and browsers, so for now things might feel a bit fragmented. For the last 4, I honestly don’t know what went wrong. The Passkey option literally didn’t show up. The only website where I could find a Passkey option and it flat out didn’t work was CVS. The other 3 fails simply didn’t show the option. One interesting glitch was with X (unsurprisingly). I set up my Passkey, logged out, and attempted to log back on, but it forced me to go through username/password and then prompted for a Passkey. Ew.

However, once I got the Passkeys working, wow, what a breath of fresh air.

As a glutton for punishment, I begrudgingly use unique passwords, proxy emails, and 2FA/MFA wherever I can. With a password manager, most of the usability issues are taken care of. However, 2FA/MFA always sucks. I have to enter my long-ass PIN and then open the authenticator, then click the app, then copy the code. It feels like such a waste even though I know it massively increases my security.

With Passkeys, that process takes a fraction of the time and requires no memory. I don’t have anything to remember. It honestly feels like cheating. I get all of the convenience of biometric, instant sign-on tech without any of the worry. I agree with the Verge podcast host that redirecting society to a security world where there isn’t the user-experience trade-off of 2FA/MFA is going to take a lot of time. However, I hope this article helped peek behind the curtain and provide some relief that the tech is solid (and has been for a long time) and that we will be safer and more secure with Passkeys.