What is a passkey?
A passkey is an alternative method of user authentication that eliminates the need for usernames and passwords. Instead of relying on old login methods that are susceptible to phishing attacks, hacking attempts, keyloggers, data breaches and other security flaws, websites and apps can use passkeys to verify a user’s login. Passkeys are stored only on the user’s device, so there is no password that can be intercepted by potential fraudsters.
Cybersecurity professionals have long stressed the importance of strong passwords to prevent security vulnerabilities. But because online users often create weak passwords or reuse passwords, two-factor authentication was developed, where registered accounts are verified with phone calls, text messages or emails. While this practice adds an extra layer of security, it still doesn’t solve the underlying problem: Passwords are inherently vulnerable to phishing and other attacks designed to steal or bypass credentials. Two-factor authentication just made things a bit more difficult for fraudsters.
The origin of passkeys
The passkey idea first took hold in 2009, when Validity Sensors – acquired by Synaptics in 2013 – and PayPal jointly developed the concept of using biometrics instead of passwords for electronic identification. Along with several other technology leaders, they founded the FIDO Alliance, an online security collective, in July 2012. FIDO publicly announced its initiatives in February 2013. Google joined in April 2013. In February 2014, PayPal and Samsung launched the first public distribution of Fast Identity Online (FIDO) authentication with Samsung’s Galaxy S5 smartphone. For the first time, users of the device could authenticate to PayPal with the swipe of a finger and shop online without having to enter a password to complete the payment.
The use of passkeys is growing
Much of the underlying technology behind the passkey is already integrated into everyday technology, such as two-factor authentication and biometric systems that rely on a user’s face or fingerprint to unlock a device or otherwise provide authentication. However, passwords remain the default method of accessing websites and software – and therefore remain a potential security problem.
According to FIDO, traditional passwords create both security risks and friction in the user experience. The alliance claims that more than 80% of data breaches are the result of compromised passwords, a problem exacerbated by the fact that passwords are often reused — up to 51%. FIDO also claims that a third of all online purchases are lost due to customers forgetting an account password, preventing them from completing the payment process.
Apple promotes passkeys
Awareness of passkey technology has been accelerated by Apple. At its June 2022 Worldwide Developers Conference, Apple publicly announced the Passkeys feature, which is included in iOS 16 and macOS Ventura. Passkeys are also integrated into the iPhone 14.
Apple’s passkey feature uses the existing iOS technology that powers Touch ID and Face ID. Websites that support passkeys allow users to create accounts and log in with a fingerprint or facial scan instead of a password to authenticate their credentials.
Apple’s passkeys use the iCloud Keychain password management system to back up passkeys and sync them across all of a user’s Apple devices. This means that a user can create a passkey for a website while on their phone, and then use that same passkey to log into that website later from an iPad, for example.
How does a passkey work?
When you try to log in to a website that uses passkey technology, the website will send a push message to the smartphone you used to register the account. When you use your face, fingerprint or personal identification number (PIN) to unlock your device, it will create a unique passkey response and communicate it to the website you’re trying to access. At that point, you’ll be logged in, all without your credentials or biometrics being transmitted over a potentially insecure Wi-Fi connection or needing to be typed in.
Passkeys are similar to two-factor authentication, where users enter a password as usual on a website or app, and then a push notification is sent to their phone or email to authorize the website or app to grant the login request. Besides requiring a traditional password, two-factor authentication also differs from passkeys in that it uses Wi-Fi. Passkeys, on the other hand, use Bluetooth, because the physical limitations of that technology mean a user must have the authentication device nearby. This further limits the chances of a fraudster or hacker gaining access to a user’s account.
Passkeys, which are based on the Web Authentication API, only work for the website they are created on. The passkeys are then stored on the user’s device rather than on a physical or cloud-based server.
To date, Apple has the most thorough explanation of how passkeys work within its technology ecosystem. Apple’s iCloud Keychain service stores its cryptographic keys in a rate-limited manner to prevent brute-force attacks. The keys can be recovered even if all of a user’s devices are lost or compromised. If you’re new to the world of Apple and setting up your first iOS device, you’ll need to set up two-factor authentication first. To add a new device, you’ll need your Apple ID password and the six-digit code sent to another trusted device or phone number via a push notification.
For example, suppose you start with an iPhone. You will set up two-factor authentication the first time you use it and establish your Apple ID. When you want to make a purchase or complete another secured transaction, you’ll need to enter your Apple ID password and check your iPhone – or whatever device you used to set up two-factor authentication in the first place – for the six-digit code sent to you. When you enter the code, the new device will be added to what Apple calls the “circle of trust” formed by the iCloud Keychain. Think of this “circle” as a chain, with your devices as links that are added to the chain as you set them up.
When you need to log into a website on a computer you don’t normally use – whether it is an Apple, Microsoft or Google product – and the website has passkey technology enabled, the login screen will show a quick response (QR) code that you can scan with your phone. With Bluetooth enabled on your phone and your phone within Bluetooth range of the device you’re trying to sign in on, you’ll receive a push notification to use biometric identification or a PIN on your phone. Once you’ve done that, your phone confirms the login to the website and you are signed in.
Companies that use passkeys
Apple isn’t the only company in the passwordless login game. Google has not made an official announcement about the extent to which it has implemented the technology, but it has appeared in applications such as Gmail and Google Play Services on Android devices. The technology is also being integrated into Google’s Chrome browser.
Similarly, Microsoft has announced plans to include passkeys in its Windows operating system, although it has not provided a specific timetable.
However, for the technology to be usable, websites must offer passkey support. Passwordless logins will undoubtedly be the way forward, but as with all new technology, the pace of implementation will vary.
FIDO maintains an up-to-date list of companies using its technology. Here are some of the biggest players that have adopted passkey technology so far:
- Amazon Web Services
- Bank of America
- Best Buy
- CVS Health
- GoDaddy
- ING Bank
- PNC Bank
Given how fiercely competitive the big three of Apple, Google and Microsoft are, there may be concerns about what will happen to existing passkeys if a user switches from one vendor’s product to another. If a user’s passkeys are all stored on an Apple device, for example, the user could run into problems if they replace the device with a Google product.
In the short term, Apple has methods to work around this problem. For example, an existing passkey on an iPhone can be used on another device running Google Chrome, whether that device runs iOS 16 or later or is a Windows machine.
In the long term, security experts are advocating for standards that will prevent, or at least counter, vendor lock-in. Whether these attempts will succeed remains to be seen, but even if they do not, the process for creating new passkeys is so simple and almost completely automated that users should have no problem establishing credentials on a new device from a different vendor. The FIDO Alliance Design System and other methods published by the Alliance should help encourage standardization.
Is a passkey more secure than a password?
Because each passkey is unique, passkeys tend to be more secure than passwords. This means that credentials will no longer be reused across multiple sites and platforms. And because passkeys are generated automatically, users don’t have to rely on passwords that are either easy to remember – and, unfortunately, easy for others to guess – or so complicated that they are easily forgotten.
Because passkeys use end-to-end encryption, not even the companies that create them can see or change them. Apple says its passkeys use public key cryptography and actually create two keys. One key is public and stored on the site’s server, and the other is private and stored on the user’s device, so it is only available to that user.
What this means in practice is that the private key of each passkey pair is only stored on your device, not on any website’s server, making it impossible for your credentials to be discovered through a data breach or hacking attempt. A hacker would only be able to access the public key, which would be useless to them because it would not allow access to your account. Even if someone were to fall victim to a phishing link in an email or text message, the attempt would fail because the passkey on the user’s device only works with the website that created it.