The End of Passwords: Heralding The Era of Passkeys
Dr. Hilary Okagbue & Mahfus Dauda, Sydani Institute for Research and Innovation; Reviewed by Dr. Stephen Asaolu.
The use of passwords to protect information, keep secrets, and restrict access is as ancient as the Roman Empire. The ancient Roman military employed a system in which guards passed a wooden tablet containing a daily secret word, referred to as a watchword, from one shift to the next, with each guard position marking the tablet upon receipt. This sophisticated procedure protected the army and the Roman cities and prevented infiltration by enemy camps.
The concept of password protection has evolved significantly, transitioning from ancient inscriptions on wooden tablets to the realm of digital security. Scientists from MIT, in 1961, introduced the first computer system to implement password login, called the Compatible Time-Sharing System (CTSS). CTSS was an operating system that had a LOGIN command that requested a user password. The world has since moved on to more sophisticated ways of digital protection due to advancements in technology and the internet, as well as the rise in cyber-attacks.
Despite being indispensable in the digital landscape, where accessing the internet necessitates identity verification, the password appears to have outlived its original purpose. Internet users occasionally encounter challenges recalling the multitude of passwords needed to access their online accounts and profiles – social media, internet banking, and delivery apps.
Another hurdle arises from the criteria defining a “strong password.” When creating an online profile, users often encounter the stringent requirement that a strong password consist of a combination of letters, numbers, and special characters. Moreover, it must be structured so that it bears no resemblance to personal identifiers such as a pet’s name, favorite songs, etc. Generating such a password demands significant cognitive effort and can consume a considerable amount of time, especially given the numerous accounts we sign up for. The consequence is user frustration, which leads individuals to formulate passwords that are quicker to create but still meet the “peculiar combination requirement”, resulting in weak passwords that are susceptible to online breaches and phishing attacks.
Speaking of online breaches, the digital space is under constant threat and attack from malicious actors. In 2023, about 3000 data breach incidents were reported globally, with more than 8 million customer and corporate data records exposed or stolen, according to IT Governance, a cybersecurity firm based in the United Kingdom [1].
The United States experienced the highest number of data breaches in 2023, with each breach costing US businesses $9.48 million [2]. Experts have identified human error as the major cause of these notorious breaches, “with a human element present in 74% of breaches” [3]. This human element includes, among other things, the use of weak passwords; as reported, eight out of every ten confirmed breaches are related to weak, reused, or stolen passwords [4]. The myriad of challenges associated with passwords ushered in the new age of passkeys.
What is a Passkey?
A passkey is an alternative method of user authentication that eliminates the need for usernames and passwords. Passkeys are a new, more secure, and convenient way to sign up for and access apps and websites. Passkeys rely on PINs, swipe patterns, or biometric information – like fingerprints or facial scans – to verify a user’s identity before granting them access to their devices and online profiles.
The concept of the passkey gained traction in 2009 when Validity Sensors and PayPal collaborated to pioneer the use of biometrics as a substitute for traditional passwords in online identification. Along with several other tech leaders, they founded the FIDO Alliance, a web security collective, in July 2012. FIDO publicly announced its initiatives in February 2013, and Google joined in April 2013 [5]. Since then, passkeys have gradually found their way into our digital lives, as evidenced by the use of fingerprints and facial scans on smartphones.
In 2022, the FIDO Alliance, alongside tech giants like Google, Microsoft, and Apple, announced that they would begin work to support passkeys on their platforms as an easier and more secure alternative to passwords [6]. The passkey, the new kid on the block, is gradually becoming the go-to authentication method for Silicon Valley titans like Apple, Google, Microsoft, and Amazon.
How is a Passkey Better than a Password?
A passkey is a single authentication method that replaces the username-and-password combination. As a form of multi-factor authentication, a passkey uses factors such as:
- Something you know: a PIN used to unlock the device.
- Something you have: the authenticator, whether that’s a security key or something embedded in a personal device/phone.
- Something you are: a fingerprint, or a scan of your face.
Passkeys offer an elegant solution to the challenge of creating secure credentials that are easy to use. Passkeys use the WebAuthn standard for public-key cryptography, creating a public-private key pair directly on the user’s device. Because the private key stays on that device and nothing has to be memorized, a passkey cannot be stolen in a breach or forgotten, in contrast to a password.
It is common knowledge that passwords of fewer than 10 characters consisting only of letters can easily be guessed and breached by hackers. This is unheard of for passkeys, which combine biometric checks with cryptographic methods that are impossible to forge. This prevents remote hackers from breaching your digital profile unless they possess both physical access to your authenticator device and your biometric information.
Passkeys offer convenience, unlike passwords. As earlier said, password setting is a time-consuming, tedious process that can sometimes be cognitively demanding. On the contrary, passkeys only require users to set up a private key just once during the initial setup, enabling them to authenticate themselves effortlessly and swiftly thereafter. This not only accelerates the sign-in procedure but also eliminates the need for users to recall multiple passwords.
In terms of speed, passkeys boast impressive efficiency, requiring as little as 1 second to authenticate a user. This stands in stark contrast to the average time of 14 seconds it typically takes to input a traditional password manually. This drastic reduction in verification time underscores the practical advantages of passkeys over conventional password-based systems, showcasing their potential to streamline user interactions and enhance security protocols.
Passkeys are phishing-resistant and protect against data breaches, two of the greatest threats passwords failed to adequately prevent.
What is next for passkeys?
As we move towards a future where digital security takes precedence, passkeys are poised to play a crucial role. Passkey is already being touted as the future of online authentication and the torchbearer for safe and convenient online experiences for internet users like you and me. It will reduce friction in the authentication process, and help to drive user engagement and satisfaction, leading to higher retention rates and more positive user experiences in the cybersphere.
Mainstream introduction and increased adoption depend largely on all parties working together to facilitate the transition to passwordless authentication. Several organizations have yet to incorporate passkeys into their platforms, denying users the safety and convenience that passkeys offer. Companies with an online presence need to set up a migration path so that a logged-in user can become a passkey user. They must also build an alternative procedure or pathway for cases where a device or browser does not yet support passkeys.
Little has been done to educate the masses about passkeys. As of now, only a small segment of tech-savvy users is aware that passkeys exist and of their myriad benefits. This leaves a considerable portion of non-technical users unaware of this innovative technology and the advantages it holds over traditional authentication methods. To bridge this awareness gap and foster widespread adoption, there is an urgent need for proactive initiatives aimed at educating internet users.
In conclusion, as the digital landscape continues to evolve, the transition from traditional passwords to passkeys represents a crucial step forward in ensuring robust security measures. The adoption and refinement of passkey technology by industry leaders signals a shift towards a more secure and user-friendly authentication paradigm, promising a future where the frustrations associated with passwords are a thing of the past.
References
[1] Neil, F. (2024, January 5). Blog. Retrieved from IT Governance: https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-2023#top-ten
[2] Jonathan, R. (2023, October 11). Articles. Retrieved from SecurityIntelligence: https://securityintelligence.com/articles/cost-of-a-data-breach-10-years-in-review/
[3] NordLayer. (2023, December 12). Blog. Retrieved from NordLayer: https://nordlayer.com/blog/data-breaches-in-2023/
[4] Chelsea, G. (2023, November 8). Blog. Retrieved from Bolt: https://www.bolt.com/blog/why-passkeys
[5] Amanda, S. (2023, May). WhatIs. Retrieved from TechTarget: https://www.techtarget.com/whatis/definition/passkey
[6] Christiaan, B., & Sriram, K. (2023, May 3). Technology. Retrieved from Google: https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/