A more secure, more convenient alternative to passwords.
Everyone knows the frustrations of creating, using, managing, and forgetting passwords. But what if there was a way that once you signed in to your device, all the subsequent signing in happened securely and automatically without your needing to remember — or even enter — a thing?
In the coming months, you’re likely to hear more and more about passkeys.
Not passwords. Not passphrases. Passkeys.
You might already be using them without realizing it.
Passkeys use cryptography instead of passwords to authenticate your identity and allow you access to an account. Passkeys are more convenient and more secure than traditional passwords. There’s nothing to remember, nothing to type into a fake site, and nothing stored on the service that a hacker could steal and reuse.
Pass what now?
Let’s differentiate between these three authentication methods: passwords, passphrases, and passkeys.
As the name implies, passwords at their simplest are an authentication method where, in addition to your user ID, you prove you are you by entering a “word” — a collection of characters you previously defined as the password — to your account. As examples: “password” is a very bad password because it’s short, simple, and easy to guess, but “jy9zdQbNsWQmuyciC2xw” is a pretty good one because it’s long, random, and basically unguessable.
Passphrases are, again, as the name implies, passwords made up of multiple words. “I Love Lucy” is a bad passphrase because it’s a famous phrase all on its own. Until it was used as a popular example of a passphrase, “Correct Horse Battery Staple” was a good passphrase because it’s lengthy and the words are unrelated. “John Snow You know nothing” is a decent passphrase because it’s an erroneous1 mix-up of an easy-to-remember phrase.
Passkeys are something else entirely. They use what’s called public key cryptography. They might be the safest and easiest to use but the most difficult to explain, so bear with me.
This is a high-level conceptual overview, not meant to be accurate at a detailed level. Passkeys are built on the open FIDO2 and WebAuthn standards, but those specifications are dense and written for implementers, so what follows describes the ideas rather than the exact protocol. I believe the concepts here to be accurate enough to understand the basics of how the technology works. If I later discover inaccuracies in my assumptions, I’ll update the article, of course.
Public-key cryptography is the workhorse of most online encryption. It’s what’s used, for example, to authenticate the server and set up the encrypted session for https connections, for the “SSL/TLS” connections configured in your email program, and much, much more.
The concept is simple.
Two large numbers, A and B, are created together using a special mathematical formula. They form a key pair, and among many other things, they have the following relationship to one another:
- You cannot calculate one from the other.
- Whatever you do with one can only be undone, or checked, with the other. Encrypt with one, and only the other can decrypt. Sign with one, and only the other can verify the signature.
That last point is very important. If you encrypt some data using A as the key, only B can decrypt it; A itself cannot. Similarly, anything encrypted using B can only be decrypted by A, not by B. The same pairing is what makes a digital signature work: a signature produced with A can be checked by anyone holding B, and nothing but A could have produced a signature that B accepts.
Think of it as two locks, A and B, both on the same box.
If you lock the box using key A, it can only be opened using key B.
If you lock the box using key B, it can only be opened using key A.
It’s digital and mathematical magic, as far as I’m concerned. Beautiful magic, at that.
Public and private
I did mention this is typically called “public key” cryptography. Here’s why.
“Public key” encryption or authentication refers to the use of both keys in these magical key pairs. One of the two is referred to as the “public key” and the other the “secret” or “private” key.
If I keep A secret and make B public, then two really interesting things are possible.
- Anyone can encrypt something using the public key B that only I can decrypt using my secret, private key A.
- I can sign something using my private, secret key A, and anyone holding the public key B can verify that signature. Since only A can produce a signature that B accepts, that proves the signed data came from me and hasn’t been altered since. This is called a digital signature, and it is the half of public key cryptography that passkeys rely on.
Indeed, I have a publicly available public key that anyone can use to encrypt a message to me. Given that only I have the corresponding private key, only I can decrypt it.
Public key authentication
Before we can get to how passkeys work, we have to understand public key authentication. Public key cryptography can be used to enable authentication that doesn’t use passwords. This is how SSH key-based login has worked on Linux and Unix systems for decades.
First, you use a tool to create a key pair (two really large numbers, remember): a public key and a private key.
You keep the private key safe and secure, and you don’t share it with anyone.
You give the public key to the owner of the server you want to connect to.
Now you try to sign in to the server.
The server says, in effect,2 “I’m thinking of a number. Here it is. Sign it with your private key and send me the signature.” That number is called a challenge, and the server picks a fresh random one for every sign-in, so a recorded answer from an earlier session is useless.
Since you are in possession of the corresponding private key (which you kept safe and secure), the tool you’re using to sign in can use it to sign the challenge. It sends the signature back, and the server checks it using the public key you gave it earlier.
Because only the matching private key could have produced a signature that your public key accepts, only you could have answered correctly.
You must be you. And it all happened behind the scenes without you doing a thing.
I’ve been using this type of authentication to connect to my Linux servers for nearly two decades.
Passkeys and public key authentication
Passkeys are public/private key pairs that are automatically generated for you. The public key is kept on the service that supports passkeys (like Google) and the private key is stored securely on your device. Technically, passkeys are an implementation of the FIDO2/WebAuthn standards, and your browser or operating system handles the exchange for you.
When you sign in, the service sends a fresh random challenge. Your device signs that challenge with your private key, together with the address of the site that asked, and the service verifies the signature with the public key it has on file. Because only your private key could have produced that signature, this proves that you are who you say you are. Because the site’s address is part of what’s signed, and your browser will only offer a passkey on the site it was created for, a look-alike phishing site can’t borrow it either.
And all of that is completely transparent to you, other than perhaps needing to unlock your computer’s securely stored repository of private keys. We’ll talk about that below.
Passkeys are unique to each device
Note that in its basic form (sometimes called a device-bound passkey), the passkey keypair is different for each machine you use. So, for example, I might have:
- A keypair for my Google account accessed from my desktop.
- A keypair for my Google account accessed from my laptop.
- A keypair for my Google account accessed from my phone.
- A keypair for my PayPal account accessed from my desktop.
- A keypair for my PayPal account accessed from my laptop.
- and so on…
Once again, all of this is managed behind the scenes for you; it’s nothing you need to keep track of yourself. The service keeps track of all the public keys associated with your account, and each device holds the private keys for the accounts that have been set up on that device.3 Some platforms (Apple’s iCloud Keychain and Google Password Manager, for example) instead sync one passkey across all of your devices, so you register once and the same key pair follows you.
How passkeys are set up depends on when and where you’re doing it. Let’s look at three possibilities: creating a new account from scratch, adding passkeys to an existing account, and signing in to an account using passkeys on a new device.
- If you’re creating an account from scratch using only passkeys for authentication, the setup process will create the key pair used for that service. The service will keep a copy of the public key, and the private key is securely stored only on your machine. You’re signed in on that machine automatically as needed.
- If you’re adding passkeys to an existing account, first you sign in to the account normally, proving you are you in the usual way, like a password. Then the process creates a keypair to use for that service and stores the private key on your machine. You’re signed in from that machine automatically as needed thereafter.
- If you have passkeys set up for an account but are signing into that account for the first time from a new device, one of a few things can happen.
- You’ll need to sign in some other way, perhaps using a password.
- You’ll confirm your sign-in using a device that already holds the passkey, typically by scanning a QR code shown on the new device with your phone and approving the sign-in there.
- You’ll confirm your sign-in by clicking on a link or entering a code sent to the email address of record for that account.
You may already have encountered one or more of these. If, for example, you’ve signed in to Google on your PC and been shown a QR code to scan with your phone, that’s the cross-device passkey flow at work. (A plain “Is it you?” prompt on your phone with no QR code is Google’s push-based two-step verification rather than a passkey.)
The process will again create a keypair to use for that service and store the private key on this new device. You’re signed in on that device automatically as needed thereafter.
If someone gets your public key in a data breach, it’s useless. There’s nothing they can do with it. It certainly does not allow them to access the account. Unlike password hashes commonly found in breaches, there’s nothing to hack, nothing to guess, and nothing to recover.
You could post your public key on a wall somewhere and be totally safe. It’s called “public” for a reason.
It’s your possession of the corresponding private key that allows you to confirm you are you. It’s an important bit of information, a secret that needs to be kept safe and secure. It is kept safe and secure in the credential storage mechanisms on your machine. These are typically locked by default, so when a passkey is needed, you first authenticate yourself with your device. That could mean confirming your sign-in password for the device (say your Windows password on a computer), but more commonly it uses fingerprint or facial recognition, a log-in PIN, or something else easier for you to provide — yet still something only you can provide.
Get ready for passkeys. It’ll take time — a lot of time (think years) — as more and more services add passkey support, but this does seem to be the direction authentication is headed. I know I’ll be enabling it whenever it’s offered as an option, as recently happened on Google.
The good news is that it’s entirely possible the transition will be largely transparent, as you simply start using passwords less often as passkeys are set up behind the scenes.
Footnotes & References
1: The correct spelling in this context is “Jon”, I’m told.
2: Totally making this up, but it gets the concept across.
3: Password managers are getting into the game as well, and may act as the secure repository for your private keys, allowing them to be automatically synchronized across your devices if you so desire.