Passkeys - Passwordless authentication

Password-based authentication has been the most common authentication method for most services on the internet. While implementing password-based authentication is an uncomplicated process, it presents various challenges. Because users sign up for a significant number of online services, they tend to reuse passwords and choose weaker ones. On the service-provider side, a significant amount of effort is required to secure the passwords stored in the database.
Passkeys use asymmetric cryptographic keys for authentication: a public key and a private key. When a user registers for a service, the user's device creates a public-private key pair. The private key is stored on the user's device, while the public key is sent to and stored on the server.
Each time the user logs in to a service, the user's device digitally signs a challenge issued by the server. The server then verifies the signature and authenticates the user to the service. Passkeys eliminate the user's burden of remembering passwords for multiple services.
Passkeys offer numerous security advantages.
Phishing is thwarted because the public-private key pair is associated with the particular service's real domain. A change in the domain, however subtle or unnoticeable, remains ineffective, since the platform that stores the keys only associates them with the real domain.
A breach of the public keys stored on the servers is worthless to an attacker, since they can neither be used to authenticate nor be used to derive the private key within a feasible period, given existing computational capabilities and mathematical understanding.
This eliminates the developer effort required to build and maintain complex security measures to safeguard the stored public keys.
The authentication process never transmits the private key to the server; the key is only used to sign the challenge.
Passkeys can be stored in a native or third-party credential service and synced across all of the user's devices.
Given the security enhancements and the ease of use, passkey (passwordless) authentication will become the primary method for users to authenticate to a service. Major companies have started implementing passkeys, and smaller organizations will soon follow.
