Passkeys are a new, passwordless authentication method that offers a convenient sign-in experience for sites and apps, using just a fingerprint, face scan or other screen lock. They are designed to enhance online security for users.
Because they are based on the public key cryptographic protocols that underpin security keys, they are resistant to phishing and other online attacks, making them more secure than SMS, app-based one-time passwords and other forms of multi-factor authentication (MFA). And since passkeys are standardized, a single implementation enables a passwordless experience across browsers and operating systems.
A major advantage of passkeys is that they are easier to use than traditional passwords, as they do not require typing in complex combinations of letters and numbers. Instead, using a passkey can be as simple as a single tap or gesture on a device’s screen. Additionally, passkeys are far more secure than passwords: they can only be used on devices that have been authorized by the user, and they are not transmitted over the network, making them less vulnerable to most hacking and interception techniques.
The FIDO passkey system aims to replace traditional passwords with a more secure and user-friendly authentication method. Each passkey is unique by design and identifies a user and their account.
The technology behind the “same device passkey” is not new: it was originally developed within the FIDO Alliance and first implemented by Google in August 2019 in select flows. Google and other FIDO members have been working together over the last few years to enhance the underlying technology of passkeys and improve their usability and convenience.
The technology behind passkeys allows users to log in to their account using any form of device-based user verification, such as biometrics or a PIN code. A credential is registered only once on a user’s personal device. After that, the device proves possession of the registered credential to the remote server by asking the user to unlock it with their device’s screen lock.
According to Google, the user’s biometric, or other screen lock data, is never sent to Google’s servers – it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google. Passkeys are also created and stored on your devices and are not sent to websites or apps. If you create a passkey on one device, the Google Password Manager can make it available on your other devices that are signed into the same system account. Passkeys are supported on devices that run Android 9 (API level 28) or higher and on iOS devices running iOS 15.
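The register-once, prove-possession flow described above can be modelled in a few lines of Node.js. This is an added example, not code from Google or the FIDO Alliance: it is a simplified model of a WebAuthn-style sign-in, and the function names and `example.test` hosts are assumptions made for illustration.

```javascript
// Added example: simplified model of a passkey sign-in, not the full WebAuthn format.
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();
const newChallenge = () => nodeCrypto.randomBytes(32).toString("base64url");

// Registration: the key pair is created on the device; only the public key is sent.
function createPasskey(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Device: runs after the local screen-lock check. The origin is filled in by the
// browser from the page that asked, so a look-alike site cannot choose it.
function signIn(device, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  // rpId hash, flags (0x05 = user present + user verified), 4-byte signature counter
  const authData = Buffer.concat([sha256(device.rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: nodeCrypto.sign("sha256", signed, device.privateKey) };
}

// Server: checks the challenge it issued, its own origin, the flags, then the signature.
function verifySignIn(record, expectedChallenge, expectedOrigin, assertion) {
  const client = JSON.parse(assertion.clientData.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge) return "challenge mismatch";
  if (client.origin !== expectedOrigin) return "origin mismatch";
  if (!assertion.authData.subarray(0, 32).equals(sha256(record.rpId))) return "rpId mismatch";
  if ((assertion.authData[32] & 0x04) === 0) return "user not verified";
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return nodeCrypto.verify("sha256", signed, record.publicKey, assertion.signature) ? "ok" : "bad signature";
}

// Constructed scenario; the example.test names are placeholders.
function demo() {
  const origin = "https://login.example.test";
  const { device, serverRecord } = createPasskey("example.test");
  const challenge = newChallenge();
  const genuine = signIn(device, challenge, origin);
  const relayed = signIn(device, challenge, "https://login.example-test.invalid");
  return {
    genuine: verifySignIn(serverRecord, challenge, origin, genuine),
    lookAlikeSite: verifySignIn(serverRecord, challenge, origin, relayed),
    replayed: verifySignIn(serverRecord, newChallenge(), origin, genuine),
  };
}
console.log(demo());
```

The server only ever holds the public key, and a response produced for a different origin or an earlier challenge fails before the signature is even checked. In real WebAuthn the browser additionally refuses to offer a credential to a page outside its relying-party ID; this model shows only the server-side checks.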