Passwords exist in various formats to store authentication information, and are a concept which has existed since ancient times.
This will change very soon. Microsoft, Apple, Google and a consortium of other companies have come together to create a single passkey standards controlled by the FIDO Alliance. Passkeys will not only be easier to use but will be much more secure than traditional passwords. They will also be fully resistant to Phishing credential stuffing, credential stuffing and similar data theft attacks in general.
On Monday, PayPal announced that its US-based users will soon be able to sign in with FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers and WordPress that already offer the alternative sign-in method.
In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. But support is still insufficient. Passkeys stored on iOS or macOS work on Windows, for example, but the reverse is still not possible. However, in the coming months, all this should be corrected.
Passkeys work almost identically to FIDO authentications allowing us to use Yubico or Feitian phones, laptops, PCs and security USBs for multi-factor authentication.
Just like the FIDO controllers stored in these MFA devices, the passwords are invisible and integrated into Face ID, Windows Hello, or other biometric readers offered by device manufacturers.
There is no way to recover the encrypted data stored in the authentications other than to disassemble the device or subject it to a jailbreak or rooting attack.
Even if an adversary is able to extract the encrypted data, he would have to provide a fingerprint, or undergo a facial scan, or – in the absence of biometric capabilities – provide a PIN.
"Users no longer need to have a device for each service, which has been the case for FIDO controllers for a long time (and for any passkey)," Reported Andrew Shikiar, executive director and head of marketing at FIDO.
"By enabling secure private key synchronization in a cloud, the user only needs to sign up once for a service, and will then be effectively pre-registered for that service on all their other devices."
In other words: Passkeys will simply exchange encrypted WebAuthn keys. We won't need to use a password manager to create, store and recall a password. All this will happen automatically, with a lot better keys than those using the old text box and with enforced uniqueness.”
If you want to try passkeys, you can use this demo site created by security company Hanko.
