Entering passwords is the biggest source of frustration when logging in online. According to a recent study commissioned by Okta, 65 percent of consumers feel overwhelmed by managing countless username-password combinations. The study also states that 75 percent of consumers want more control and self-management of their personal data. Requests to renew passwords and high demands on length and complexity add to the frustration. The most popular way out for users, according to the Okta survey, is to log in via social accounts.
On the one hand, there is the fear of large tech-providers expanding their quasi-monopoly on the internet. On the other hand, such an account becomes a kind of master key for a user's most diverse online applications. If criminals get hold of these credentials, they can cause great damage. Passkeys are an alternative option that is convenient for users and is very secure.
In general, a passkey is a method of passwordless authentication. Instead of a shared secret between service provider and user, which is what a password represents, passkeys use asymmetric cryptography. The user keeps a private key on his or her personal device, and the service provider receives the corresponding public key as part of the registration process for a new account. Authentication works as follows: the user receives a data packet, a so-called challenge, from the provider for signature. The user then signs this challenge with his or her private key. If the provider can verify the signature with the public key it holds, the key pair belongs together and the user is authenticated.
Passkeys have many advantages. First, this solution is much easier and more convenient for users than passwords. All processes run automatically in the background and users do not have to become active themselves. They no longer have to enter passwords and user names, and consequently no longer have to remember passwords or regularly come up with new ones when they have forgotten them. Login processes are tremendously simplified everywhere on the internet. Passkeys also have an advantage for online service providers. Up until now, many users have been put off by the constant creation of new user accounts with new passwords. For those who do not want to use password managers or log in with Google, Apple and others, passkeys are a simple and very secure alternative.
In addition, the lack of a shared secret means that no valuable passwords can be captured in the event of an attack on the provider's server, only worthless public keys. The connection between public and private key is established via mathematical problems that are hard to reverse. The complexity is set so high that even with powerful computers it is not possible to calculate a private key from a public key in real time. Last but not least, passkeys are the best protection against phishing. Criminals have nothing to gain: their attacks are aimed at capturing the shared secret, and there is none when passkeys are used.
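The registration and challenge-response steps described above, as an added illustration that is not part of the original article: the device generates a key pair and hands over only the public half, the provider issues a fresh random challenge for every login, the device signs it, and the provider checks the signature against the stored public key. It uses Go's standard-library ECDSA; the names Provider, Authenticator, Register, IssueChallenge, Sign and Verify are invented for this sketch, and the real passkey (WebAuthn) protocol signs additional fields, such as the relying-party identity, which are omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key never leaves it;
// the only thing sent to the provider is a signature over a challenge.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// Provider models the online service. It stores only public keys, plus the
// challenges it has issued and not yet seen answered.
type Provider struct {
	pubKeys    map[string]*ecdsa.PublicKey // username -> public key
	challenges map[string][]byte           // username -> outstanding challenge
}

func NewProvider() *Provider {
	return &Provider{pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the account-creation step: the device generates a key pair
// and the provider receives only the public half.
func Register(p *Provider, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p.pubKeys[user] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// IssueChallenge creates a fresh 32-byte random challenge for one login attempt.
func (p *Provider) IssueChallenge(user string) ([]byte, error) {
	if _, ok := p.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	p.challenges[user] = c
	return c, nil
}

// Sign answers a challenge with the device-bound private key.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so a signature captured in transit cannot be replayed later.
func (p *Provider) Verify(user string, challenge, sig []byte) bool {
	pub, ok := p.pubKeys[user]
	expected, pending := p.challenges[user]
	if !ok || !pending || !bytes.Equal(challenge, expected) {
		return false
	}
	delete(p.challenges, user) // each challenge is single-use
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	p := NewProvider()
	alice, err := Register(p, "alice")
	if err != nil {
		panic(err)
	}
	challenge, _ := p.IssueChallenge("alice")
	sig, _ := alice.Sign(challenge)
	fmt.Println("genuine login accepted:  ", p.Verify("alice", challenge, sig))
	fmt.Println("replayed signature accepted:", p.Verify("alice", challenge, sig))
	// What a breach of the provider's database would expose: public keys only.
	fmt.Printf("provider stores a %T for alice, never the private key\n", p.pubKeys["alice"])
}
```

Note that the provider side holds nothing a thief could log in with: the verification step needs a signature that only the device's private key can produce, and because each challenge is random and consumed on first use, a signature observed once is useless afterwards.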
In theory, the process sounds very plausible. But when you think about its use in everyday life, a lot of questions arise. For example, with a user name and password, you can log into your own e-mail account from any internet café in the world. Whether this is advisable from a security point of view is another question, but it is possible without any problems. This is not possible in the same way with a device-bound procedure such as passkeys. But there is a fairly simple workaround: you simply use a smartphone as a central repository for the keys. Of course, you must equip your smartphone with strong security mechanisms, such as a fingerprint sensor or other biometric features. Authentication on another device then works by scanning a QR code from that device's screen with the phone when logging in, unlocking the phone and thus triggering the passkey process.
Of course, your mobile phone can be lost, destroyed or stolen. If that happens, you need recovery procedures in place or a reset opportunity for your account. This can work, for example, via another account, similar to when you forget a password today. Google and Apple have set up synchronisation mechanisms on their systems that keep all smartphones and tablets in sync with regard to the passkeys in use, without Google or Apple getting hold of them. The private key always remains on the device.
Almost everywhere on the internet where new accounts are created today, a new digital identity is created that is not linked to the real identity of the user. Technically, it is of course possible to draw conclusions about who is behind a certain user name. However, an initial link between real and digital identity does not usually take place on the internet. In some cases, this is exactly a requirement, for example when opening an online banking account or using qualified electronic signatures. Could you also use passkeys for these applications?
The answer is yes, because the means of authentication plays no role at the technical level for the link. In these cases, providers such as banks or trust service providers must check the identity of new users according to legally regulated procedures and create a secure digital record linked to it. Which procedure (password plus multi-factor authentication, or passkey) the users then use to log in to the service or approve an e-signature is irrelevant. Swisscom Trust Services has already approved the passkey procedure for use with its e-signatures and is already using it with a partner solution. To activate the passkey, all you need is a fingerprint, face recognition or a PIN, which you already use for unlocking your smartphone or laptop.
The use of passkeys is also very interesting for triggering e-signatures in environments or IT infrastructure where mobile phones are prohibited for data security reasons or SMS cannot be delivered. In today's common methods, the mobile phone is used as a second factor to trigger the signature. This method is accordingly problematic in critical areas such as highly secure data centres, shielded production facilities or similar environments. With passkeys that are held either directly on devices or on separate data carriers (e.g. a USB stick), users could also sign there with a qualified electronic signature.