Could this be the final curtain for our passwords? For several months, Apple, Google, Microsoft and other web giants have been pushing a new way to authenticate on the web: passkeys (clés d'accès in French). Their goal is to rid us of passwords and their terrible reputation for security.
Authenticating with the classic username + password combination carries many risks. Internet users often reuse the same passwords on many sites and, as the yearly ranking of the worst passwords proves, those passwords are rarely strong. As a result, the slightest data leak leaves many accounts open to takeover. Password managers exist to strengthen security, but today's big web companies would rather move on to passkeys.
What are passkeys?
Simply put, passkeys are cryptographic keys stored on your device (computer, phone, tablet) that let you identify yourself to a site. These keys are stored encrypted and are only unlocked once the user's identity has been validated.
When you register on a site that offers passkey authentication, two keys are created: a public one, which stays on the servers of the site in question, and a private one, stored on your device. When you log in again, the site sends your device a cryptographic challenge (a kind of "problem") that can only be solved with the matching private key. To make sure it is really you in front of the screen, your machine asks you to identify yourself with a PIN code, your fingerprint or facial recognition.
That is the whole cleverness of the system. Instead of remembering a long and complicated password, the same gesture you use to unlock your phone every day is enough to identify you. The operating system then solves the "problem" and vouches for you to the site. The password thus disappears in favour of an identification that is both simpler (since the operating system manages it) and secure (since it is protected by cryptography). Hacking becomes more complicated, because an attacker would need access to the device in question and to the method used to validate your identity. Phishing with fake sites is also made almost impossible, because each key is tied to the specific site it was created for.
Note that with biometric authentication, the fingerprint or face scan itself is never sent to the site. The server only sees that the operating system validated the user.
Where did it come from?
Passkeys were developed by the FIDO Alliance, the body responsible for standardizing authentication protocols. Behind the marketing term adopted by Apple, Google and others lies the WebAuthn programming interface, which links the authentication performed by the OS to the site you are logging in to.
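The WebAuthn interface mentioned above, seen from the web page, as an added example that is not from the article: the browser asks `navigator.credentials.create()` to register a passkey and `navigator.credentials.get()` to log in with one, using option objects whose challenge comes from the server. The `/webauthn/...` endpoints, the site name and the option values are assumptions; the field names, the `-7`/`-257` algorithm identifiers and the `residentKey` / `userVerification` settings are those of the WebAuthn standard. The `publicKey.rp.id` must be the site's own domain, which is what makes a passkey unusable on a lookalike site.

```javascript
// Added example: browser-side WebAuthn calls for passkey registration and login.
// Not the article's code. Endpoints and values are assumptions for illustration.

// WebAuthn works with ArrayBuffers; JSON between browser and server carries base64url.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function bytesToBase64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Options for navigator.credentials.create(): register a new passkey.
// `challenge` and `userId` are base64url strings issued by the server.
function buildCreateOptions({ rpId, rpName, challenge, userId, userName }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },               // rp.id must equal the site's domain
      user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
      challenge: base64urlToBytes(challenge),       // random, single-use, server-generated
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },   // ES256
        { type: 'public-key', alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        residentKey: 'required',      // discoverable credential, i.e. a passkey
        userVerification: 'required', // PIN / fingerprint / Face ID before signing
      },
      timeout: 60000,
    },
  };
}

// Options for navigator.credentials.get(): log in with an existing passkey.
// No allowCredentials list: the authenticator offers its discoverable credentials for rpId.
function buildGetOptions({ rpId, challenge }) {
  return {
    publicKey: {
      rpId,
      challenge: base64urlToBytes(challenge),
      userVerification: 'required',
      timeout: 60000,
    },
  };
}

// Serialise the assertion returned by navigator.credentials.get() for the server.
// Only the signature and its metadata travel; the private key and the biometric never do.
function assertionToJSON(cred) {
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(cred.response.clientDataJSON),
      authenticatorData: bytesToBase64url(cred.response.authenticatorData),
      signature: bytesToBase64url(cred.response.signature),
      userHandle: cred.response.userHandle ? bytesToBase64url(cred.response.userHandle) : null,
    },
  };
}

// Full login round trip, to be run in a page served by the relying party (assumed endpoints).
async function loginWithPasskey() {
  const opts = await (await fetch('/webauthn/login/options', { method: 'POST' })).json();
  const cred = await navigator.credentials.get(buildGetOptions(opts));
  const res = await fetch('/webauthn/login/verify', {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(assertionToJSON(cred)),
  });
  return res.ok;
}

module.exports = { base64urlToBytes, bytesToBase64url, buildCreateOptions, buildGetOptions, assertionToJSON, loginWithPasskey };
```

The server, not the page, must generate the challenge and check the signature, the origin recorded in `clientDataJSON` and that the challenge has not been used before; the option builders above only shape what the browser hands to the operating system.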
And does it work on all devices?
The most attentive readers will have noticed that passkeys are, by default, stored locally on one machine. That is inconvenient at a time when you log in from your smartphone, tablet and computer alike. Fortunately, the system's promoters have planned for this scenario.
Passkeys can in fact be synchronized between devices within the same ecosystem. At Apple, they can be stored in iCloud Keychain, for example, which lets them be used automatically on your iPhone, iPad and/or Mac. Google currently does the same with its password manager, available in Chrome and on Android. If you try to log in from a machine that has no access to your accounts, there is nothing to worry about: the site will let you log in through your phone, either by sending it a notification or by scanning a QR code with it.
Unfortunately, there is still no way to synchronize your keyring from one ecosystem to another. To move from an iPhone to an Android device, for example, you must use your old device to validate, one by one, the logins initiated by the new one.
Many operating systems support passkeys. iOS 16 and macOS 13 thus allow the creation and synchronization of a keyring. Google has started rolling out the feature on Android, and it should be available to all devices running version 9.0 (or later) of the OS in November. On Windows, passkeys are available in Google Chrome and Microsoft Edge. On the other hand, platforms that offer passkey authentication are still few. On Reddit, there are lists of sites that use this new protocol, but it will probably take a few months (or even years) for the method to become widespread.
If you have a compatible device and visit a site that offers it, using passkeys couldn't be easier.
Go to a compatible site (Nvidia's, for example) and, when creating your account, do not enter a password; select the option Connect a security device instead. A pop-up window opens, asking whether you want to save an authentication key (iOS) or access key (Android) for the identifier you entered. A quick Face ID or fingerprint scan later, your account is created. To log in again, all you have to do is select the same option, then validate the authentication through the chosen method.
If you already have an account (on Nvidia's site or elsewhere), you can open the options and add passkey authentication through the settings (if the site offers it). Usually, the option is tucked away in the security settings under a name such as Add a device / security device. The operating system then takes over, and you just follow the prompts.