
Communications of the ACM

ACM News

Passkeys Unlock a New Era for Authentication


Passkeys, an industry standard based on WebAuthn, can serve as a complete replacement for the problematic password system.

Credit: Simakova Mariia/Shutterstock.com

Few things evoke a level of disdain on par with computer passwords. They are inconvenient and incredibly insecure. Cybergangs attack them, hack them, and constantly wreak havoc with them. According to industry statistics, upwards of 80% of all breaches involve passwords in one form or another.

Even more advanced multifactor authentication (MFA), whether in the form of text codes or rolling numbers on an authentication app, does not address the underlying problem. Crafty thieves have learned how to use social engineering to find their way into accounts.

"We've had discussions about moving to passwordless for years. Finally, through more advanced passkey technology we have an opportunity to move forward," says Chester Wisniewski, CTO of Applied Research at security firm Sophos.

Passkeys completely eliminate passwords. And while they won't end cyberattacks, they represent a far more convenient and secure framework to navigate the digital world. "Passkey technology looks like the best way to achieve the goal of making computing safer," says Rik Turner, principal analyst in the IT and Security Practice at research firm Omdia.

Passing on Passwords

Until recently, replacing passwords has ranked somewhere between tricky and impossible. Layers of Web infrastructure—everything from banks and merchants to email accounts and cloud services—are built atop password technology. While MFA makes it harder for crooks to steal a password, it, too, is prone to social engineering, site breaches, and other types of attacks.

"Legacy frameworks, including some forms of two-factor authentication, depend on a human-readable and shared secret. This makes them highly susceptible to attack and relatively easy to bypass," explains Andrew Shikiar, executive director of the FIDO Alliance, which developed the widely used FIDO2 standard that supports passkey technology.

Enter passkeys. These authentication tools replace passwords with tokens and cryptographic signatures that are invisible to the user. When a person signs in at a website or in an app, they use a biometric scan or PIN to unlock the device and activate the security key, which is stored on the mobile phone, computer, or other device and kept in an encrypted cloud.

This makes it possible for passkeys to work across multiple devices, even new ones, without having to enroll each device on every account. Passkeys are inherently strong, and they are never visible to the human eye. For the user, there's nothing to create, remember, or change.

And there's no way to get tricked or scammed into revealing it.

"The use of asymmetric public key cryptography fundamentally changes security," Wisniewski says. In fact, the private key never leaves the device, making phishing or a website data leak a moot point. "It almost entirely negates the ability for a credential to be stolen and reused. It also makes it incredibly easy for the typical consumer to adopt and use because it's incredibly easy to use."

Apple and Google already support passkeys in their operating systems, and Microsoft will roll out support this year. In addition, the Chrome, Edge, and Safari browsers work with passkeys, and various websites and services are beginning to adopt the technology, including eBay, BestBuy, Kayak, and PayPal.

An individual enrolls by scanning a QR code with a phone. After that, logging in is as simple as a Face ID or Touch ID scan. "It's a huge step forward," Shikiar says.

Passwordless Takes Hold

Passkey adoption will likely spike upward over the next few years. Turner believes passkeys are likely to become the de facto standard for both enterprises and consumers. While it may finally solve the longstanding problem of creating, maintaining, and changing passwords that are inherently insecure, the technology could lead to changes in the overall cybersecurity environment.

For example, Turner says that as passkeys become increasingly pervasive, cybercriminals may turn their focus to finding ways to extract data from browsers and devices after the authentication process is complete. "There may also be a focus on post-authorization," he says. Wisniewski says cookie theft, a growing problem that allows thieves to impersonate a user, might also become more frequent.

A potential downside to passkeys, Turner points out, is the fact that at least for now, passkeys cannot be automatically transferred across devices on different platforms. However, merchants, banks, and other service providers that present users with a QR code at a sign-in screen make it relatively easy to set up a new device with the passkey, even across different operating systems such as Android and macOS or iOS, Shikiar says.

Another issue is that passkeys, unlike hardware devices such as the YubiKey, forfeit airtight identity security in favor of high security with a level of convenience. "A copy exists in the cloud and not on the person," Wisniewski says. "The tradeoff is that if your device is lost or stolen, you can still get into accounts."

Still, an enormous revolution in authentication is about to unfold—and passwords are likely to fade into the dustbin of history. Says Wisniewski: "For years, we've been seeing people breathlessly predict the end of passwords and it hasn't happened. It appears that we're finally at the point where a far more simple, convenient, and secure framework will exist."

Samuel Greengard is an author and journalist based in West Linn, OR, USA