I've been writing a lot about passkeys recently -- and with good reason. This year, some of the world's largest technology companies are doubling down on efforts to convince their billions of global users to start using passkeys instead of passwords when signing into websites, apps, and other services.
Passwords versus passkeys
Passkeys are often described as a passwordless technology. In order for passwords to work as a part of the authentication process, the website, app, or other service -- collectively referred to as the "relying party" -- must keep a record of that password in its end-user identity management system. This way, when you submit your password at login time, the relying party can check to see if the password you provided matches the one it has on record for you.
The process is the same whether or not the password on record is encrypted. In other words, with passwords, before you can establish a login, you must first share your secret with the relying party. From that point forward, every time you go to log in, you must send your secret to the relying party again. In the world of cybersecurity, passwords are considered shared secrets, and no matter who you share your secret with, shared secrets are considered risky.
Many of the largest and most damaging data breaches in history might not have happened had a malicious actor not discovered a shared password.
In contrast, passkeys also involve a secret, but that secret is never shared with a relying party. Passkeys are a form of Zero Knowledge Authentication (ZKA). The relying party has zero knowledge of your secret, and in order to sign in to a relying party, all you have to do is prove to the relying party that you have the secret in your possession.
Here's the big idea behind passkeys: If you never have to share your secret with a legitimate relying party, then you'll never accidentally share your secret with a malicious actor like a phisher or smisher, either. But humans are so programmed to think that we need to share secret passwords that it's difficult for us to fathom how it could work any other way.
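The "prove you have the secret without sending it" idea above, as an added Go example that is not from the article: the relying party stores only a public key and issues a random challenge; the device signs the challenge with the private key, which never leaves it. The in-memory relying party, the user name and the one-challenge-per-login bookkeeping are assumptions, and a real WebAuthn flow carries more fields than this.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// RelyingParty holds only the public half of each passkey and the one-time
// challenge it last issued; the private key never reaches it (assumed design).
type RelyingParty struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}
// Register records the public key created on the user's device at sign-up.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }
// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.challenges[user] = c
	return c
}
// Verify checks the signature over the pending challenge with the stored public
// key, then discards the challenge so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	c, pending := rp.challenges[user]
	if !ok || !pending {
		return errors.New("unknown user or no outstanding challenge")
	}
	delete(rp.challenges, user)
	h := sha256.Sum256(c)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
// Sign is the authenticator side: the private key is used here and never sent.
func Sign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // made on the device at sign-up
	rp := &RelyingParty{map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
	rp.Register("alice", &priv.PublicKey)
	sig, _ := Sign(priv, rp.Challenge("alice"))
	fmt.Println("login:", rp.Verify("alice", sig), "| replay:", rp.Verify("alice", sig))
}
```

Because the relying party never stored anything that could be used to log in, a breach of its database yields public keys only, and a signature captured on the wire is useless once its challenge has been consumed.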