CUSO News - Payments Report

Written by Karl Kaluza
on February 13, 2024

Passwords, which are often tied to a username, create a high-friction experience for users. They must remember the username/password combo in order to log into a website. Password managers can help, but users eventually create a long trail of username/password combos for a growing list of websites. Adding to this friction are supplemental security measures such as knowledge-based questions, CAPTCHAs, and 2FA (two-factor authentication).

Enter Passkeys

Passkeys are slowly replacing the username/password combination. A passkey involves no password at all: it is a cryptographic key pair created on a device the user already owns (laptop, desktop, or mobile phone), and the user unlocks it locally with a biometric or the device PIN. Unlike a password, the secret half of a passkey is never typed, never stored by the website, and never sent to it; the website only ever receives a signature, and each signature is bound to the site that requested it. That binding is what makes passkeys phishing-resistant credentials: a look-alike domain cannot obtain a signature that the real site would accept.

The move to passkeys removes the weaknesses of the username/password combo (guessing, reuse, credential stuffing, phishing) and with them the need for most of the supplemental measures bolted on to compensate, such as knowledge-based questions and SMS or app-based 2FA: a passkey already combines something the user has (the device) with something the user is or knows (the biometric or PIN). For merchants, passkeys reduce operational costs such as password resets and account-takeover fraud while enhancing the user experience.

Here's a brief overview of the technology behind passkeys. Passkeys use public-key (asymmetric) cryptography, in which each credential is a pair of mathematically linked keys: a private key used to sign, and a public key used to check signatures. When the user registers a passkey with a site, their device generates a fresh key pair for that site. The private key stays on the device; only the public key, together with an identifier for the credential, is transmitted to the server, which stores it in its user database. Because a public key cannot be used to log in, a breach of that database exposes nothing an attacker can replay.

The next time the user authenticates with the passkey, whether to make a purchase or to log into a website, the server and the device run a short challenge-response exchange. The server sends a random, single-use challenge. The user unlocks the passkey on their device with a biometric (or PIN); the device then signs the challenge together with the identity of the site it is talking to, using the private key, and returns the signature. The server verifies the signature with the stored public key, confirms that the challenge is the one it just issued and that the signed site identity is its own, and only then completes the purchase or login. The biometric is used solely to unlock the key on the device; neither it nor the private key is ever transmitted across the Internet.

What is FIDO?

The FIDO (Fast Identity Online) Alliance is an industry association, founded in 2012, that publishes open authentication standards. Its current standard, FIDO2 (the WebAuthn browser API together with the CTAP protocol for external security keys), is what passkeys are built on. Because passkeys follow an open standard supported by the major browsers and operating systems, FIDO has become the go-to mechanism for passwordless authentication. There are currently over 240 organizations that have joined the FIDO Alliance, including Mastercard.

“Roughly 80% of confirmed data breaches are related to weak or stolen passwords,” says Dennis Gamiello, an executive vice president who leads Identity Products and Innovation at Mastercard.

The transition to passkeys will be slow initially, since every website must add support for the standard (the WebAuthn API) to its login flow and keep a fallback for users whose devices do not yet hold a passkey. That fallback is the part to watch: the security gain holds only as long as the password-reset and recovery paths do not remain the easy way in. But as more sites adopt passkeys, the pace is likely to accelerate.
