May 30, 2023
They’ve been in the news recently and are touted as a replacement for passwords. Apple and Google were the first to announce support for them and have just recently rolled that support out. The password managers 1Password and Bitwarden have also announced support. But what are passkeys? I’ve read that they can completely replace passwords – do they really? Are passkeys safe? How do passkeys work and how do I set them up? We’ll answer these questions and more this week.
Passkeys build on existing standards and use public key cryptography. We won’t get into the details of public key cryptography here, but if you want a lot more detail, head over to https://en.wikipedia.org/wiki/Public-key_cryptography. The point is that there is no password to crack or steal. During sign up, your phone or device generates a pair of keys: a public key and a private key. The two are related mathematically so that a message encrypted with one can only be successfully decrypted with the other. When you sign up, your device sends your new public key to the website or app and stores your private key safely away in encrypted storage. You never need to see your private key because it’s used behind the scenes. When a site or app wants you to log in, it sends a randomly generated message, called a challenge, to your device. Your device encrypts the challenge with the private key that was generated when you signed up to use a passkey on that website or app and sends the encrypted challenge back to the site/app. The site or app decrypts the message with your public key. If the decrypted message matches the original challenge, the site/app knows it’s you who’s trying to log in and grants you access. If it doesn’t match, you don’t get in. Sure, in reality it’s a bit more complex than that, but that’s the basic flow.
So, any nasty person who manages to intercept your login process never sees anything resembling a password. All they see is the challenge and your encrypted response. Since the challenge is randomly generated each time you sign in, anything they intercept won’t help them when they try to sign in themselves – they will be handed a different challenge that requires a response generated with your private key, which they don’t have!
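To make the challenge-and-response flow above concrete, here is a small added example (my illustration, not code from Apple, Google or any passkey product). It assumes the relying party stores only the public key and uses an ECDSA signature as the device’s "encrypted response" to a random challenge. It shows a genuine login succeeding, a captured response failing against a fresh challenge, and an impostor with their own key pair failing outright. The type and function names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for your phone: it holds the private key and never hands it out.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// RelyingParty stands in for the website or app: it only ever sees the public key.
type RelyingParty struct {
	pub *ecdsa.PublicKey
}

// Register models sign up: the device generates a key pair and sends the public key to the site.
func Register() (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{pub: &priv.PublicKey}, nil
}

// NewChallenge generates a fresh random challenge for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Respond is the device's answer: the challenge signed with the private key.
func (a *Authenticator) Respond(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Verify checks a response against the challenge the site issued, using only the stored public key.
func (rp *RelyingParty) Verify(challenge, response []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(rp.pub, digest[:], response)
}

// Demo runs the three scenarios and returns (genuine login accepted, replayed response accepted, impostor accepted).
func Demo() (bool, bool, bool, error) {
	device, site, err := Register()
	if err != nil {
		return false, false, false, err
	}

	// 1. Genuine login: fresh challenge, signed by the real device.
	c1, err := site.NewChallenge()
	if err != nil {
		return false, false, false, err
	}
	r1, err := device.Respond(c1)
	if err != nil {
		return false, false, false, err
	}
	genuine := site.Verify(c1, r1)

	// 2. Replay: someone who captured r1 presents it, but the site issued a new challenge.
	c2, err := site.NewChallenge()
	if err != nil {
		return false, false, false, err
	}
	replayed := site.Verify(c2, r1)

	// 3. Impostor: a different device with its own key pair answers the challenge.
	impostor, _, err := Register()
	if err != nil {
		return false, false, false, err
	}
	r3, err := impostor.Respond(c2)
	if err != nil {
		return false, false, false, err
	}
	impostorAccepted := site.Verify(c2, r3)

	return genuine, replayed, impostorAccepted, nil
}

func main() {
	genuine, replayed, impostor, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine login accepted:", genuine)   // true
	fmt.Println("replayed response accepted:", replayed) // false
	fmt.Println("impostor accepted:", impostor)         // false
}
```

The site never learns anything it could use to impersonate you: it holds only the public key, and each login uses a new challenge, so a captured response is useless the next time round.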
Browsers have to support passkeys and, so far, only Safari, Chrome, and Edge do, but more will follow soon. Websites and apps also have to add support for passkeys; not many support them right now, but more are adding support all the time. https://www.digitaltrends.com/mobile/apple-passkeys-iphone-ipad-apps-websites-work-supported has a list of sites that support passkeys, and a community-driven site lists more – see https://passkeys.directory/.
Apple stores your passkeys in your private keychain, an encrypted storage area in your iCloud that securely holds all of your passwords and keys. That keychain is shared among all of your Apple devices. So, if you sign up for a passkey at eBay, you can log in with that passkey from your MacBook, your iPad, and your iPhone.
Right now Google operates a little differently. Your passkeys are stored only on the device you used to generate them (there’s talk of this changing and of Google doing something similar to what Apple does, but right now that’s not the case). Does that mean you need to generate a passkey on each of your devices? Well, no. If a site/app prompts you to log in and you’ve created a passkey for that app/site, you will be given the opportunity to log in using the passkey on the device that holds it. Note that the device with the passkey will have to have Bluetooth turned on and be in relatively close proximity to the device that’s trying to log in. A good article that discusses all this is available at https://www.tomsguide.com/how-to/how-to-use-passkeys-with-your-google-account.
What’s the downside to using a passkey? About the only one is that anyone who has access to a device that holds your passkeys potentially has access to every site and app for which you use a passkey. That risk is countered by requiring you to authenticate to your device, via your face or fingerprint, whenever a passkey is about to be used. Another possible downside is that if you lose your device or it breaks, you can potentially lose access to all the sites and apps you used that device’s passkeys to get into. Apple’s keychain means your passkeys are available on all your devices, Google will undoubtedly follow Apple in some way, and from what I hear, password managers will do the same. Note, though, that each passkey is unique, so you can also generate a separate passkey on each and every device; then no device depends on another being in the vicinity to complete the challenge.
That’s all for this week’s column. I hope this helps you understand passkeys. Don’t hesitate to write to me if you have questions!
As always, my intent with these columns is to spark your curiosity, give you enough information to get started, and arm you with the necessary keywords (or buzzwords) so you’ll understand the basics and are equipped to search for more detailed information.
I’ve just started a newsletter. Sign up and you’ll get these columns before they’re published elsewhere plus I’ll occasionally post short updates to previous columns, short news items, and various other such things. Sign up or see what it looks like at https://tonystakeontech.beehiiv.com.
Please feel free to email me with questions, comments, suggestions, requests for future columns, or whatever at tony@TonysTakeOnTech.com or just drop me a quick note and say HI! And don’t forget that I maintain links to the original columns with live, clickable links to all the references at https://go.ttot.link/TGColumns+Links or https://go.ttot.link/TGC+L – it should be updated shortly after this column appears online.