NICEVILLE, Fla. — Weak, reused, and guessable passwords like “12345” and “password” have plagued online security for years. That era may finally be ending. A new login system called Passkeys is already rolling out across major platforms, and it promises to replace usernames and passwords entirely.
In this week’s It’s Geek to Me by Jeff Werner, see how passkeys work, why they’re safer, and how they’ll make logging in both easier and more secure.
For years, you’ve heard pretty consistent nagging about how you should protect yourself by choosing hard-to-guess passwords, and not use the same password on multiple sites.
Despite the near constant onslaught of warnings, studies show that an alarming number of you still use the same password everywhere, and worse, you protect yourself with easily guessable passwords like 12345, 11111, and the venerable “password”.
Of course, there are the slightly more clever people who use a family member’s birthday, their pet’s name, or some other easily guessable secret. The time is quickly approaching when people are going to be protected from their own carelessness.
Allow me to introduce you to the next wave in security, called Passkeys. This is a login system that replaces not only passwords, but usernames as well, with secure cryptographic authentication.
They work using a pair of unique keys, one public, and one private. The public key is stored on the site you’re trying to access, and the private key is stored securely on your device. Together, they identify individuals and provide access to the same sites and services currently protected by traditional usernames and passwords.
So, what’s the big deal? Doesn’t this kind of sound like what we’ve always done? That couldn’t be further from the truth.
When you use a password, you’re sharing a secret that only you and the site are supposed to know. But passwords are vulnerable to phishing attacks, data breaches, password theft, and more.
Passkeys are largely immune to all of those. They do away with the need for unique username/password pairs, which is the primary lure for people to reuse the same password on multiple sites.
Without having to remember a username and password for every site, using a computer on the Internet becomes smoother, more natural, and simply more convenient.
You’re probably wondering how this all will work for you. Well, passkeys can come in many forms, but you’ll most commonly interact with them on a device you already own, such as a smartphone.
For example, imagine you get a new device, and you want to sign in to your Google Account. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified.
You could use the passkey stored on your phone, which instantly grants access to your Google Account without ever entering a password. The best implementations of passkeys don’t even need a username – they identify you strictly from the passkey itself.
The above interaction assumes a couple of things. First, it assumes that you have previously created and registered a passkey on the phone.
Big name players like Google are already set up for this, and it’s possible you’ve already been prompted to create and register a passkey for your existing Google account. If that has happened and you didn’t fully understand why, this is what it is all about.
When you’re logging in, the server sends a unique challenge to the phone, and you must verify yourself on the phone to unlock the private key.
Your verification can take many forms, such as a face scan, fingerprint, or PIN. Once verified, the response gets sent back to the server, which uses the stored public key to verify a match.
If it’s successful, you are securely logged in to the associated account. Take note that at no time is the private key ever transmitted over the internet. This makes it extremely resistant to hacking.
Passkeys address all the fundamental weaknesses of passwords. They make logins easier and more secure.
It is a virtual certainty that eventually every site and service will eliminate passwords in favor of Passkeys, at which time maybe the safety of the Internet will finally make surfing into a fun experience instead of one where you have to constantly look over your shoulder for fear of accidentally exposing your credentials.
Start looking for the option to “Sign in with a Passkey” on your favorite sites to upgrade to a simpler and safer future.
To view additional content, comment on articles, or submit a question, visit my website at ItsGeekToMe.co (not .com!)
Jeff Werner, a software engineer based in Niceville, Florida, has been writing his popular “It’s Geek to Me” tech column since 2007. He shares his expertise to help readers solve everyday tech challenges.