Passkeys: The Move to More Secure Computing

Written by Mark Evilsizor
From his column Tech


Usernames and passwords have been the primary means to accessing computers for decades. The system worked reasonably well when we drove to work, badged-in, and went to our personal, locked offices. Bad guys would have had a hard time gaining entrance to the machine on our desktop in those days.

Today, from home or on the beach, those two pieces of information still allow us to access work files, pay bills, check bank accounts, play games, and perform countless other tasks. Unfortunately, this means bad guys can too. Someone can send a malicious email, effortlessly and with little risk of being caught, to hundreds of thousands of people half a world away. Those who miss the signs and accidentally click a link to access the bogus website provide these miscreants open access to their lives.

Creating unique passwords of 12 or more characters, using a password manager, and enabling multi-factor authentication are robust ways to defend against being hacked, but with multiple passwords to manage, such precautions take time and can be a nuisance.

Now, there is a better way. Passkeys is part of an authentication standard poised to more conveniently take us to a better place that is simpler to use—and more secure. I want to introduce you to it today.

If you are fooled by a phishing email, the hacker will not be able to steal your password, because you no longer use one.

Passkeys was created in 2022 by the FIDO Alliance. FIDO (Fast Identity Online) is a group of technology, financial, healthcare and other organizations working together to standardize a more secure, convenient way to log in and access information. It is a relatively new standard, and is maturing rapidly. It is not ready to replace all passwords, but it is available to use with some websites, and may become the most common way to sign in to sites in the months and years ahead.

In essence, it works like this: when you log into a website that supports passkeys, you will be offered the ability to create a passkey for the site. This cryptographic key resides on the device you are using, and is protected by that device’s security system. For example, if I log into Gmail with my Windows laptop, I can create a passkey on it. As part of the process, I show my face to the laptop camera (using Windows Hello), which then securely stores the key. The next time I need to log in to Gmail (or other Google services) on the device, I can choose to do so with a passkey instead of a password. My laptop verifies it is me, and provides Gmail the approval needed for me to log in.

Most of us use multiple devices to access data and manage our lives. We may have a laptop at home, a desktop PC at work, a smartphone on the go, and a tablet on the couch. If all of your devices are from Apple, the passkey you set up will synchronize between them and work with no additional effort. If, like me, you have a Windows laptop and an Apple phone, it takes a little more effort. With Google sites you can choose to create a passkey on a different device. You can be using Gmail on your laptop, and it will show a QR code which you can scan on your smartphone to create a passkey. The next time you need to log in to Gmail, it will show a QR code which your phone can scan and you can tap to log in.

It sounds more complicated than it is, but the benefits are significant. Since you don’t use a password to log in, if you are fooled by a phishing email, the hacker will not be able to steal your password, because you no longer use one—and the passkey won’t work with the bad guy’s fake site. And, in the future, if a site is breached, your password can’t be stolen, because there is no password at the site to steal.

The FIDO Alliance and participating companies are continuing to improve passkeys and make it easier to work with password managers to synchronize across various devices, but already the thought of a future where passwords and phishing are no longer a daily concern is encouraging. If that sounds good to you and you’d like a taste of a more secure future, take five minutes, log into your Google account, go to the security settings area, and click to create a passkey.

Mark Evilsizor has worked in Information Technology for more than 30 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Opinions expressed are his own.