Passkey vs. Password

You have heard of passkeys from somewhere, or you have started to see some websites or mobile apps using them, but you have no idea what they are. You are not alone! In a recent user research study we conducted on our user base, we found that only a very small number of people had heard of passkeys, and an even smaller portion actually understood them. That is why early adopters go out of their way to explain what a passkey is. For example, the following is a screenshot of the Shopify app, where they dedicate a whole page to educating users.

If you want a more thorough understanding of passkey beyond that single page, read on. 

What is Passkey 

It is best to understand passkeys, and how they differ from passwords, through the lens of an analogy.

Let us start with passwords. A password is a shared secret that both you and the server know. If you can present the secret to the server, and the server can match it against what it knows, you are in. This is similar to “Open Sesame” in Aladdin, where you open the cave by shouting out the secret.

    (“Open Sesame” in Aladdin)

Passwords are easy to use, but they carry a well-known downside: they can easily be eavesdropped on.

Passkeys work in a fundamentally different way. A passkey consists of two keys: a private key, which is stored on your local device, and a public key, which is stored on the server. Login with a passkey works as follows:

  • The server sends a unique, one-time message (a challenge) to your local device
  • Your device uses the private key to sign the message
  • The server, which already has the corresponding public key, can verify that the message was signed by your private key. If the signature verifies, you are in.

This is analogous to how your bank verifies your signature on a check before letting you withdraw money in the physical world.

The analogy is not a perfect match. In the physical world, it is feasible to forge a signature and fool the bank teller. With a passkey, there is no way to forge the signature, because it is based on proven public/private key cryptography: only the holder of the private key can produce a signature that the public key will verify.

Why adopt now

If passwords work perfectly, why try something else? For passkeys, there are at least two good reasons to give them a try as soon as possible.

1. Higher security

Working in a financial services company, I frequently see ATOs (Account Take Overs). Passwords are easy to steal through social engineering, using a technique called phishing. For example, attackers can pretend to be a customer service agent who is helping you solve an issue, and trick you into giving out your password. Passkeys are strong because they are phishing-resistant: there is no secret that you can be tricked into giving out, and because the signature is tied to the website's domain, a signature made on a look-alike site cannot be reused on the real one.

2. Easy to use

Passkeys are a unique technology in that they are both secure and easy to use at the same time, so there is no tradeoff where you have to give up usability. If implemented correctly, you can skip the password and the second-factor authentication (e.g., an SMS code) altogether with one passkey verification. Passkey verification is also very simple: you can either do a biometric scan or use your phone’s passcode.

Manage your passkeys

Now that you have started to use passkeys in some apps, it is important to know how passkeys differ from passwords, so that you can manage them differently. Passkeys differ from passwords in a couple of areas:

1. One vs. Two

With a passkey, it is important to note that there are two keys, one private and one public. The private key is stored on your client device, and the public key is stored on the server. If you want to remove a passkey, keep in mind which key you are touching.

  • If you want to stop a passkey from accessing a website or app, remove the public key stored on the server. No matter where the corresponding private key is stored, it is no longer usable for login, because the server can no longer validate its signature.

    (An app’s interface to help you manage the public key on the server)
  • If you just want to stop one device from accessing a website or app with its passkey, remove the private key on that device. If the private key is replicated on multiple devices, you can still log in to the website/app through the other devices.

    (The iOS interface to manage the private key in your phone’s Settings app)
  • If you are a clean freak, remove both keys, on the client and on the server. But keep in mind that this is not necessary: removing one is sufficient to remove access.

2. One vs. Many

Unlike passwords, where you only have one password active at any given time, there may be multiple passkeys for the same account, because passkey syncing is still fragmented across platforms (see the technical details in an earlier post). It is important to remember that you may have a separate passkey per platform, or even a separate passkey per device. When you create passkeys, try to give each one a different name to tell them apart, if the website or app offers that option.

Conclusion 

Passkeys are the new kid on the block, but they have huge potential to solve all the problems associated with passwords. I hope this post gives you a good introduction to how they are different. Leave a comment if you are still confused; I would be happy to share more insights.

(This article is also posted on Medium: Passkey vs. Password)