Will passkeys ever replace passwords? Can they?

submitted by
Style Pass
2024-11-17 19:00:09

Think of passkeys as a replacement of passwords. They are defined in the Web Authentication (WebAuthn) specification of the W3C (World Wide Web Consortium). This work evolved from several prior efforts, including those of the FIDO Alliance (FIDO = Fast Identity Online).

My quick take on passkeys is that they are a good idea, and if we could convince the world to use them instead of passwords, we would all be much better off. Phishing in particular should take a big hit if they are widely adopted. But I fear that this isn’t likely to happen, for reasons that I will explain in a moment.

In the perennial quest to create more secure systems that are also user friendly, some significant implementation issues are apparent. My experience reinforces my belief that a systems view of security is necessary and user interactions with the system must be carefully thought through.

The basic idea behind passkeys is straightforward enough: A user (or more likely, a device owned by the user) creates a private/public key pair specifically for a single website and provides the public key to the site. The user proves their identity to the website using some other method such as a previously established user name and password, maybe some other factors as well. The website stores the public key for subsequent use. The next time the user wants to authenticate to the website, the site issues a challenge to the user, who uses the locally stored private key to sign their response to the challenge. The website uses the stored public key to authenticate the user.