Author: Ingolf Rauh

The password is dead, long live the passkey

Passwords pose a significant risk for companies. If too trivial, they can be deciphered by brute force, appear on breach lists online, or be tapped by phishing. Yet they’re still used daily in 2024. It's time for security experts to rethink. Unlock the potential of passkeys!


”123456” – six digits to this day present an alarming security risk, being the most popular password used globally. While simplicity continues to be a widespread habit among users, it also presents an opportunity for malicious actors who can exploit weak passwords without sophisticated hacking techniques. In addition, creating strong and complex passwords can lead to frustration and insecure behavior as users struggle with credentials that are hard to remember and often consist of at least eight characters, numbers, and special symbols.

So, how can organizations ensure high levels of security for digital systems without compromising convenience? The answer is passkeys. Here are the most essential facts.

What are passkeys?

Passkeys are a transformative approach to passwordless authentication that uses asymmetric cryptography. This method automatically creates two matching keys during account registration: a private key on the user's device and a public key that the service provider receives. Whenever the user wants to access their account, the provider sends a data packet, a so-called challenge, automatically signed with the user's private key. If the service provider can decrypt this signature, it confirms that the key pair matches, thereby authenticating the user.

The three major benefits of Passkeys

Passkeys offer several compelling advantages over traditional password-based systems:

  • Simplicity and convenience: Users no longer need to remember complex passwords or usernames. Authentication processes run seamlessly in the background, dramatically simplifying web logins.

  • Improved security: The lack of a shared secret means there are no valuable passwords for hackers to steal in the event of a breach. Instead, the public keys could be captured and worthless without their private counterparts. The encryption used to link public and private keys involves complex mathematical problems that are extremely difficult to break, even with powerful computers.

  • Phishing resistance: Passkeys eliminate the common phishing attacks designed to capture passwords. Since no shared secret is required, criminals can steal nothing substantial through social engineering in small talk. A passkey is not based on the birthday of your first pet or the street you grew up on.

Linking physical and digital identities

Passkeys also facilitate linking physical and digital identities, a key requirement for services such as online banking or using qualified electronic signatures. Swisscom Trust Services, for example, has approved this method for its e-signatures, which are now in use with its first partner. In secure environments where mobile phones are prohibited or impractical, passkeys stored on separate media, such as USB sticks, provide a reliable alternative for authentication.

Practical implementation

While the theory behind passkeys is sound, their practical application in everyday life raises some questions. For example, traditional username and password systems allow users to log into their email from any device in the world. Passkeys, however, rely on a device-based process. A practical workaround is to use a smartphone as a central repository for these keys, secured with strong mechanisms such as fingerprint sensors or other biometric features. Authentication can then be performed by scanning a QR code from the screen of any device, which triggers the passkey process.

Despite potential challenges such as loss or theft of the mobile device, recovery procedures similar to password resets are in place to allow account recovery via alternative authenticated devices.

As digital threats evolve, passkeys provide a robust solution to protect individual and corporate data integrity. The method is easy yet secure and removes frustrating passwords from employees’ everyday lives. Swisscom Trust Services can integrate passkey as a further e-signature approval method, amongst many others, via its Multiple Authentication Broker, offering the highest flexibility for many users.



Explore the detailed architecture of our remote signature solution in this free product whitepaper.