Passkeys instead of password frustration

"123456" was still the most popular password among Germans in 2022. With this level of ingenuity, no hacking skills or brute force attacks are needed. Nevertheless, it is understandable that people look for combinations that are as easy to remember as possible. Passkeys offer a simple solution.

Image: Password frustration (Depositphotos, Artemis Diana)

Passwords are the biggest source of frustration when logging in online. 65 percent of consumers feel overwhelmed by managing countless username-password combinations, according to a recent study commissioned by Okta. 75 percent want more control and self-management of their personal data. Requests to renew passwords and high demands for length and complexity add to frustration. The most popular way out for users, according to the Okta survey, is to log in via social accounts.

On the one hand, this creates the danger that the large providers can further expand existing quasi-monopolies on the Internet; on the other hand, such an account becomes a kind of master key for a user's various online applications. If criminals get hold of these credentials, they can cause a lot of damage. Passkeys are an alternative option that is convenient for users but still very secure.

What are passkeys?

Generally speaking, passkeys are a passwordless authentication method. Instead of a shared secret between the service and the user, as is the case with a password, asymmetric cryptography is used. The user keeps a private key on his or her personal device, and the service provider receives the corresponding public key as part of the registration process for a new account. Authentication then proceeds as follows: the user receives a data packet, a so-called challenge, from the provider for signature. This is automatically signed with the user's private key. If the provider can verify the signature with the stored public key, this proves that the key pair belongs together, and the user is thus authenticated.

Passkeys have many advantages

The most obvious advantage: for users, the solution is much simpler and more convenient than passwords. All processes run automatically in the background and users do not have to take any action themselves. They no longer have to type in passwords and user names, and consequently no longer have to remember passwords and regularly think them up again. This simplifies logon processes everywhere on the Internet immensely. Passkeys therefore also have an advantage for online providers. Until now, many users have been put off by the constant creation of new user accounts with new passwords. For those who don't want to use password managers or log in with Google and the like, Passkeys offer a simple and very secure alternative.

In addition, the lack of a shared secret also means that no valuable passwords can be captured in the event of an attack on the provider's server, but only worthless public keys. The connection between the public and private keys is established by means of complex mathematical problems that are difficult to reverse. The complexity is set so high that it is not possible to calculate a private key from a public key in real time, even with powerful computers. Last but not least, passkeys are the best protection against phishing. Criminals have nothing to gain here. After all, their attacks are aimed at capturing the shared secret, which is omitted when passkeys are used.
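The registration, challenge and verification steps described above, together with the reason the server has nothing worth stealing and a relayed challenge does not help a phishing site, as an added, simplified example (not code from the original article or from any passkey implementation). It assumes an Ed25519 key pair and models the origin binding that WebAuthn performs through its client data: the device signs the challenge together with the origin the browser actually connected to, and the server checks against its own origin and consumes each challenge once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Server keeps its origin and, per user, only a public key and one outstanding challenge.
type Server struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// Register stores the public key sent at account creation; the private key never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues 32 fresh random bytes and remembers them for exactly one verification.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[user] = c
	return c
}

// payload binds the challenge to the origin the browser actually connected to, as
// WebAuthn's clientData does; this binding is what makes relayed phishing fail.
func payload(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// DeviceSign is the authenticator side; the browser, not the user, supplies the origin.
func DeviceSign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, payload(origin, challenge))
}

// Verify consumes the outstanding challenge and checks the signature against the server's own origin.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.challenges[user]
	pub := s.pubKeys[user]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false
	}
	delete(s.challenges, user) // single use: replaying an old signature fails here
	return ed25519.Verify(pub, payload(s.origin, c), sig)
}
```

A dump of the server's maps yields only public keys and short-lived random challenges, which is the point made above about attacks on the provider's database.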

Questions of practicability

In theory, the process sounds very plausible. But when you think about its use in everyday life, questions quickly arise. With a username and password, for example, you can log into your e-mail account from any Internet café in the world. Whether this is advisable from a security point of view is another matter, but it is possible without any problems. With a device-bound method like passkeys, this is not possible in the same form. But there is a fairly simple workaround: you simply use a smartphone as a central repository for the keys. Of course, the phone must then be equipped with strong security mechanisms, such as a fingerprint sensor or other biometric features. Authentication on any device then works by the user scanning a QR code from that device's screen with their phone when logging in, unlocking the phone, and thus triggering the passkey process.

Of course, cell phones can be lost, stolen or destroyed. In this case, recovery procedures are also needed, or it must be possible to reset the account. This can work via another account, for example, similar to when you forget a password today. Google and Apple have built synchronization mechanisms on their systems that keep all smartphones and tablets in sync with regard to the passkeys to be used, without Google or Apple getting hold of them. The private key always remains on the device.

The connection between real and digital identity

Almost everywhere on the Internet where new accounts are created today, a new digital identity is created that is not linked to the user's real identity. Technically, of course, it is possible to draw conclusions about who is behind a particular user name. However, an initial link between the real and digital identities does not usually take place on the Internet. In some cases, however, this is exactly what is required, for example, when opening an online banking account or using qualified electronic signatures. Can passkeys also be used here?

In principle, yes, because the authentication procedure plays no role at the technical level for this link. In these cases, providers such as banks or trust service providers must check the identity of new users according to certain legally regulated procedures and create a secure digital record linked to this. It is irrelevant which procedure (password + multi-factor authentication or passkey) users then use to log on to the service or release a signature. So much for the theory. Swisscom Trust Services has already approved this procedure for use with its signatures and is already using it with its first partner. To activate the passkey, all that is then needed is a fingerprint, face recognition, or a PIN that is also otherwise used to unlock a smartphone or PC.

It would be interesting to use passkeys, for example, to trigger signatures in environments where cell phones are prohibited for data security reasons or where SMS cannot be delivered. In today's common methods, the cell phone is used as a second factor to trigger the signature. This method is accordingly problematic in critical areas such as highly secure data centers, shielded production facilities or similar environments. With passkeys located either directly on devices or on separate data carriers (e.g., a USB stick), users could create qualified signatures there as well.

Author: Ingolf Rauh, Head of Product and Innovation Management at Swisscom Trust Services
