
How passkeys work: Going passwordless with public key cryptography



For the last five years, the FIDO Alliance -- led by Apple, Microsoft, and Google (with other companies in tow) -- has been blazing a trail toward a future where passwords are no longer necessary to log in to our favorite websites and apps.

This so-called passwordless future is based on a new form of login credential known as the passkey, which itself is largely based on another technology -- public key cryptography -- that's been around for decades.

Why the big push to ditch passwords? And why now? Bottom line: We humans are partly to blame.

Much as we try to protect ourselves, we somehow keep getting fooled into divulging our passwords to malicious actors. This can happen in various ways, including phishing and smishing. But malvertising has been creeping back into the conversation as a technique that hackers use to seduce us into visiting legitimate-looking websites.

For 20 years, tech vendors and IT departments everywhere have tried in vain to educate end-users about the various threats (and the threat actors behind them) and the best practices -- many of them common sense -- that are necessary to protect ourselves. Yet here we are in the 2020s, and rarely does a week go by without the announcement of some major breach that started with sloppy credential management.

Passkeys are a bit like passwords in that there's a secret involved. But unlike with passwords, where you have to submit that secret to a site or app each time you sign in, with passkeys your secret never gets shared with those websites and apps (collectively referred to as "relying parties"). In fact, given the way passkey secrets are automatically created and stored, most users don't even know what their secrets are or where to find them. And if you don't know what your secrets are or where to find them, you won't be sharing them with your relying parties, and you won't be inadvertently sharing them with malicious actors either.
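The two ceremonies the article describes, as an added simulation that is not code from ZDNET, the FIDO Alliance, or any passkey library: the user's device creates the key pair and hands the relying party only the public half, and each later login is a signature over a fresh random challenge, so the secret never crosses the wire. It simplifies WebAuthn's message format; example.com, the lookalike examp1e.com and the challenge bytes are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a key pair scoped to one relying-party ID (rpID).
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil // only the public half is handed out
}

// Sign answers a challenge for rpID; a lookalike domain has no key here.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, challenge))
	return sig, err == nil
}

// digest binds the challenge to the rpID (simplified stand-in for WebAuthn's authenticatorData).
func digest(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID), challenge...))
	return d[:]
}

// Verify is the relying party's check; the site holds only the public key.
func Verify(rpID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(rpID, challenge), sig)
}

// RunCeremonies registers a passkey for example.com, logs in once, then shows
// that a lookalike site cannot obtain a signature with that passkey.
func RunCeremonies() (loginOK, lookalikeSigned bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub, _ := auth.Register("example.com") // only the public key crosses the wire
	challenge := make([]byte, 32)          // fresh random challenge for this login
	rand.Read(challenge)
	sig, _ := auth.Sign("example.com", challenge)
	loginOK = Verify("example.com", pub, challenge, sig)
	_, lookalikeSigned = auth.Sign("examp1e.com", challenge)
	return loginOK, lookalikeSigned
}
```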

In other words, the tech industry found a way to keep us from being our own worst enemies.

The registration ceremony

So far, in this six-part ZDNET series on how passkeys work, I've offered a brief explanation of public key cryptography, walked you through how to discover whether a relying party supports passkeys, explained what an authenticator is, and described how things get complicated once you trigger the creation of a passkey. In this installment, we'll go behind the scenes of the passkey creation process (aka "the registration ceremony"), where the magic really happens.
