Passwords exist in various formats to store authentication information, and are a concept which has existed since ancient times.
This will change very soon. Microsoft, Apple, Google and a consortium of other companies have come together to create a single passkey standards controlled by the FIDO Alliance. Passkeys will not only be easier to use but will be much more secure than traditional passwords. They will also be fully resistant to credential phishing, credential stuffing and similar data theft attacks in general.
On Monday, PayPal announced that its US-based users will soon be able to sign in with FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers and WordPress that already offer the alternative sign-in method.
In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. But support is still insufficient. Passkeys stored on iOS or macOS work on Windows, for example, but the reverse is still not possible. However, in the coming months, all this should be corrected.
Passkeys work almost identically to FIDO authentications allowing us to use Yubico or Feitian phones, laptops, PCs and security USBs for multi-factor authentication.
Just like the FIDO controllers stored in these MFA devices, the passwords are invisible and integrated into Face ID, Windows Hello, or other biometric readers offered by device manufacturers.
There is no way to recover the encrypted data stored in the authentications other than to jailbreak or root the device.
Even if an adversary is able to extract the encrypted data, he would have to provide a fingerprint, or undergo a facial scan, or – in the absence of biometric capabilities – provide a PIN.
“Οι χρήστες δεν χρειάζεται πλέον να έχουν μια συσκευή για κάθε υπηρεσία, κάτι που συμβαίνει εδώ και πολύ καιρό τους ελεγκτές της FIDO (και για οποιαδήποτε passkey)”, Reported Andrew Shikiar, executive director and head of marketing at FIDO.
"By enabling secure private key synchronization in a cloud, the user only needs to sign up once for a service, and will then be effectively pre-registered for that service on all their other devices."
In other words: Passkeys will simply exchange encrypted WebAuthn keys. We won't need to use a password manager to create, store and recall a password. All of this will happen automatically, with much better keys than the old text box used, and with enforced uniqueness.”
If you want to try passkeys, you can use this demo site created by security company Hanko.