Explainer: What are passkeys and how do they work

WhatsApp just became the latest service to introduce passkeys to its Android app. Previously, Google, Microsoft, and Apple have implemented passkeys into their services. But what are passkeys and why are tech giants moving to a passwordless future? Before I dig into the topic, let us first understand why passwords are no longer reliable and have become less safe over the years.

Passwords are a combination of the alphabet, numbers, and special characters that you use to authenticate a log-in to a website or a service. But because passwords are created mostly by humans, there is a fat chance someone will guess it or just take the help of technology to crack it. In other scenarios, machine-generated passwords are slightly more secure but there are several sophisticated tools available to crack even such passwords. The peril is serious, and the tech companies know that.

To make logins more secure and give customers peace of mind, the World Wide Web Consortium came up with a new web standard called Web Authentication, better known as WebAuthn. It uses an authenticator instead of a password for logins, making them more secure than ever. Since it is a standard for authentication, multiple tools and services can use it to ensure passwordless logins. Passkeys do the same.

What are passkeys?

Passkeys are a type of password used for authentication purposes. It is a digital credential that allows you to authenticate a log in to a website or a service without needing a password. Passkeys rely on your phone’s built-in authentication methods, such as face unlock or fingerprint unlock to give you access to your account on a particular website. For instance, if you set passkeys as the default authentication method for your WhatsApp account, you will not need the SMS-based two-factor authentication, which is not only prone to leak but also annoying. Just use your iPhone’s Face ID or your Android phone’s fingerprint sensor to authenticate the login and you are done. Passkeys are unique to an account and the device you are using to authenticate.

How do passkeys work?

When you authenticate an account using passkeys for the first time, two digital keys (read unique passwords) are generated simultaneously. One is stored by the website or the platform you are trying to sign in to and the other one is stored on the device you are using to sign in. Only when these passkeys will match, your log-in will be authenticated. In simple terms, you no longer need to remember passwords as long as you are using a personal device to sign in to a service or website.

What are the benefits of using passkeys?

Passkeys are commonly used to secure access to personal or sensitive information, such as bank accounts, email accounts, and social media profiles. One of the main benefits of using passkeys is that they are more secure than traditional passwords. Because passkeys are longer and more complex, they are less likely to be cracked by hackers. In addition, passkeys can be designed to be more resistant to brute-force attacks, which involve trying every possible combination of characters until the correct one is found.

Another benefit of using passkeys is that they can be easier to remember than traditional passwords. Because passkeys are often made up of a series of words or phrases, they can be more meaningful and memorable than a random string of characters. This can make it easier for users to remember their passkeys and avoid the need to write them down or store them in an insecure location.

Overall, passkeys represent a secure and convenient way to protect personal information online. By using a passkey instead of a traditional password, users can better protect their sensitive data from hackers and other malicious actors. Whether you are securing your email account, online banking, or social media profile, a passkey can provide the added layer of security you need to stay safe online.