With passkeys ready for prime time, passwords look outdated. What are the main benefits of ditching one in favor of the other?
Chances are good that many of us are fed up with passwords. In a world where we have to manage access to a growing number of online accounts, the password no longer appears fit for purpose. Many of us reuse the same easy-to-remember login credentials across these apps and websites and commit other password-related mistakes, which makes it easy for bad actors to guess or steal our login details. And once one password is compromised, our entire digital world can come crashing down.
It’s remarkable that passwords have stuck around for so long, and the reasoning largely boils down to a lack of effective alternatives. But this may change with the advent of passkeys. Google recently announced support for the new technology in personal and work accounts (unlike Apple and Microsoft), so maybe a new era of passwordless login is just around the corner?
Previous attempts to improve or update the password and security experience were only partially successful. Two-factor authentication (2FA) significantly helps make passwords more secure, but its use is far from universal as some people find the two-step process onerous. Also, single-use codes sent to users via text messages, which are by far the most commonly used variation of 2FA, can still be intercepted.
Password managers, for their part, do a great job of generating, storing, and remembering long, complex, and unique passwords for each site. But they may not always cover all of your devices, operating systems, and web browsers and can create a single point of failure if you misplace your master password. In some cases, the user experience can also be a little clunky.
Enter passkeys, the industry standard that the biggest names in tech hope will one day replace passwords, 2FA, and the need for password management as we know it.
How do passkeys work?
Passkeys leverage the power of public key cryptography. A passkey consists of a pair of cryptographic keys – a private key and a corresponding public key – that are generated to secure your account on a website, application or other online service.
The private key is stored on your device as a long string of encrypted characters, while the matching public key is uploaded to the servers of the associated online service, for example Google or even Apple’s iCloud Keychain password management system.
Then, when you try to sign in, you’ll be asked to authenticate with your device’s PIN, fingerprint, or other screen lock mechanism. There’s no need to enter or remember any passwords, which immediately makes the process safer and smoother to use.
When you attempt to log in, the server sends a cryptographic challenge to your device, which uses the private key to sign it and returns the response to the server. The server checks this response against the stored public key to verify that the two keys form a matching pair, which is what authenticates you.
The biometric data will never leave the device, nor will the server know what the private key is. Granted, you never actually see the private key either – all the magic happens in the background and with very little effort on your part.
What are the benefits of passkeys?
So can passkeys offer a ‘Holy Grail’ of ease of use and stronger security? Here are some of the benefits in more detail:
- Resist phishing and social engineering: Passkeys eliminate the problem of people accidentally handing their login credentials to cybercriminals by entering them on fake websites. Instead, you are asked to use your device to prove that you are the true owner of the account.
- Limit fallout from third-party breaches: If a website or application provider is breached, only the public key can be stolen – your private key is never shared with online services, and there’s no way to derive it from the public key. By itself, the public key is useless to an attacker. Contrast this with today’s systems, where hackers can steal tons of ready-made username/password combinations.
- Avoid brute-force attacks: Passkeys rely on public key cryptography, meaning an attacker cannot guess them or use brute-force techniques to break into accounts.
- No 2FA interception: There is no second factor with passkeys, so users are not at risk of attack techniques designed to intercept SMS codes and the like. Indeed, think of the passkey itself as consisting of several authentication factors. In fact, passkeys are strong enough to replace even the most secure flavor of 2FA: hardware security keys.
- Built to industry standards: Passkeys are based on the FIDO Alliance and W3C WebAuthn working group standards, meaning they should work across all participating operating systems, browsers, websites, apps, and mobile ecosystems. Apple, Google, and Microsoft all support this technology, as do (or will soon) major password management companies like 1Password and Dashlane and platforms like WordPress, PayPal, eBay, and Shopify.
- Easy to restore: Passkeys can be stored in the cloud and restored to a new device if the old one is lost.
- Nothing to remember: For users, there is no need to generate, remember, and protect large numbers of passwords.
- Works across devices: Once generated, a passkey can be used on new devices without having to re-enroll each time, as is the case with traditional biometric authentication. However, there are caveats, as explained below.
Why might passkeys not be such a good idea?
There are a couple of hurdles, however, that could stop you from adopting passkeys for now: industry adoption and the way passkeys sync.
- Passkeys only sync to devices running the same OS: As this article explains, passkeys are synchronized by the OS platform. That means if you have an iOS device but also use Windows, for example, it can make for a frustrating user experience. You will need to scan a QR code and enable Bluetooth for your passkey to work across devices running different operating systems. It’s actually less user-friendly than the current password experience.
- Adoption is far from industry-wide: While some big names are already using passkeys, it’s still early days. Beyond the major platforms, it will be some time before we reach the critical mass of websites and applications that support them. See if your favorite platform supports the technology here.
Could this be the beginning of the end of the password? Passkeys are the strongest contender yet. But to gain near-universal acceptance among users, technology vendors may need to make them even easier to use across different OS ecosystems.
If you’re ready to try a passkey, it only takes a little work to get started through the settings menu of your Google, Apple, or Microsoft account.