DEV Community

MojoAuth for MojoAuth

Posted on • Originally published at mojoauth.com on

Passkeys: FIDO’s new mission to completely remove passwords

Passkeys - Explained!

Passkeys are cryptographic login credentials that replace passwords. Instead of typing a secret, the user proves their identity with a biometric verification (such as a fingerprint scan or facial recognition), a PIN or pattern, or a plugged-in authenticator such as a smart card.

Know more about what a passkey is.

Passkeys also replace both the password and the second factor in a single step, making the login experience seamless.

Compared to password-based authentication, passkeys make connecting to websites and apps both more seamless and more secure. In conventional password-based authentication, a password is created during registration or signup, hashed, and stored on a server. When logging in, the user enters their password, and the server verifies it by comparing it to the stored password hash.

With passkeys, however, the server no longer holds a secret credential. Passkeys establish a secure and reliable authentication channel by generating a cryptographic key pair (a public key and a private key) that binds the user to the respective application. With passkeys, the user can be verified using any of the following:

  • An in-built authenticator (e.g. a biometric sensor)
  • An external or roaming authenticator (e.g. a mobile phone)
  • An authenticator that is plugged in (e.g. a USB key or smart card)

Creating a passkey is not complicated: it involves the same steps as unlocking your mobile phone.

How Do Passkeys Work?

Passkeys, as previously discussed, replace passwords with cryptographic key pairs. These key pairs are generated by the operating system during registration or sign-up and are bound to the respective application or website.

With this configuration, authentication works as a challenge and response: the server sends a fresh challenge, the device signs it with the private key, and the application verifies the signature using the public key stored on the server. The login succeeds only if the user holds the matching private key on their device.

Passkeys are also not limited to any one operating system. They provide a seamless user experience and are supported across a variety of operating systems and browsers, including Windows, macOS, iOS, and ChromeOS.

In other words, each operating system provides the infrastructure (a credential manager) to generate, store, and expose passkeys to any application that runs on it. Passkeys make creating new accounts much easier and authentication more frictionless.

Read about the difference between passkeys and passwords.

Are Passkeys Secure?

Passkeys are based on public key cryptography, which makes them safer than password-based authentication. To ensure that a breached server does not give an attacker access to account credentials, the key pair is split: the public key is kept on the server, and the private key is kept locally on the user's device. The private key is never revealed to the server or transmitted over the internet.

Passkeys are resistant to phishing because they remain bound to the website or app for which they were created, i.e. they can only be used with that website or app and not with a lookalike site.

To eliminate the threats and inconveniences that passwords cause, businesses are now proactively strengthening their security by adopting passkey technology, a credential protocol built on public/private key cryptography.

Which Apps use Passkeys?

Apple introduced password-free logins (Apple Passkeys) for Apple TV, Macs, iPads, and iPhones using passkey technology.

Google recently added the passkey feature to its popular Chrome web browser as well as the Android operating system.

PayPal has recently introduced passkeys for a seamless and secure login method for PayPal accounts.

The following sections explain how you can configure and use passkeys login for different operating systems (Android, Chrome, and Mac).

How to use Passkey in Android & Chrome

Before configuring passkeys on your Android device, make sure the respective application has been updated with passkey support.

  • Launch the passkey feature-updated application or website.

  • Now, try signing in or signing up. You might be prompted to switch from a regular password-based login. If asked, respond with a “yes”.

  • (This step uses a mobile phone to set up the passkey.) When prompted in the next step, confirm your identity using whatever biometric or unlocking feature your mobile phone has, typically a fingerprint scan, face lock, or pattern lock.

  • At this stage, you have successfully created the passkey that authenticates the link between the respective application and your Android device.

  • Subsequent logins or authentications simply entail choosing the correct account and unlocking your mobile phone, much like the setup process.

One of the most crucial features of the passkey concept is its cross-platform interoperability, which enables the passkey on one device to be used to sign in on a nearby device.

For instance, a passkey saved on an Android phone can be used to authenticate in the Chrome browser on your computer.

Remember that both devices must support Bluetooth connectivity when signing in to Chrome via an Android device. Anyone having issues with passkeys should first check for Bluetooth connectivity errors.

How to use Passkey in Apple

  • Setting up a passkey on iOS is simple and straightforward. To log in using passkeys, you need an iPhone running iOS 16 or later, the passkey feature enabled on your iPhone, and an account with a website or application that supports passkeys.

  • To use passkeys on an iPhone, you are required to enable iCloud Keychain. If iCloud Keychain is not turned on on your iPhone, navigate to Settings » Profile » iCloud » Passwords and Keychain » Sync this iPhone, and enable the toggle.

  • Before setting up a passkey, you must ensure that the application supports passkeys. The passkey must also be created within the application itself before it can be used to log in.

  • While configuring the new account, enter your preferred account name and follow the on-screen instructions to finish setting up your passkeys.

  • For existing accounts, you have to enable and set up the passkey feature. For that, first, sign in with your current password. Then, go to the account settings section and search for security options.

  • Each application will have a unique name for the menu where you can set up a passkey. However, these choices are typically referred to as passkey, FIDO2 or FIDO credential, CTAP, USB/NFC key, face or fingerprint sign-in, or WebAuthn.

  • Depending on the application, follow the on-screen instructions to set up the passkey. After setting it up, you can seamlessly log in to the application using your passkey, which is saved under the username or account you specified.

  • Similar to a regular password, the passkey will also be saved in your iCloud Keychain so that you can use it to log in to this application whenever you want to.

Note: Just like a password, a passkey you create for iOS is unique to the application you used to create it. Therefore, you will need to generate a different passkey for each application you would like to use it with.

Benefits of Passkeys

Security

Passkey technology uses two cryptographic keys: the application server holds the public key, and the user's device holds the private key. Even if an attacker gains access to the public key stored on the server, it alone is of no use, since the private key is stored on the user's device.

In addition, unlike passwords, passkeys cannot be guessed, reused, or weak, and they are safe from server leaks, phishing, and other common password-based attacks.

User Experience

To log in to specific applications seamlessly, passkeys let users unlock their cryptographic login credentials using straightforward built-in techniques such as fingerprint scanning or face recognition, which users already use regularly to unlock their phones.

Even first-time setup of passkeys is quick and simple with one-step account creation. Following account creation, a user may immediately sign in using Face ID or Touch ID without involving any email/OTP verification procedures.

Cross-platform Compatibility

Passkeys are built on the WebAuthn API and support authentication across platforms. For instance, you can use your iPhone to log in to websites and apps on non-Apple devices, such as a Windows computer or an Android phone. Similarly, a macOS or Windows browser session can be authenticated using an Android phone.

Wrapping Up!

Nowadays, businesses are discovering that one of the first steps in gaining a competitive advantage is the authentication process, since it forms the product's first impression.

When authentication is properly sorted out, safe, and convenient, the product perception will undoubtedly be outstanding. However, passwords are still used for authentication despite having numerous flaws, such as being less secure and inconvenient.

In order to completely abandon passwords, global tech firms are gradually embracing passkey technology, making it one of the safest and most convenient authentication methods ever created. Passwordless authentication has more benefits than just security and user convenience, though. With the help of new internet standards, businesses can now provide omnipresent authentication enabling cross-platform interoperability and global expansion while also offering far improved security.
