50 years ago, at the dawn of the Internet, people logged on to systems using passwords. Today, we are still doing the same. Despite the astonishing growth and development of technology over the past 50 years, user authentication is still stuck in the technological stone age. The problem is, as I explained in “If you don’t use a password manager, you will EVENTUALLY be hacked”, hackers are using machines to crack passwords, which the human brain simply cannot overcome.
According to Kaspersky’s “How Data Breaches Happen”: “The vast majority of data breaches are caused by stolen or weak credentials.”
According to CloudNine’s “Over 80 Percent of Hacking Related Breaches Were Related to Password Issues: Cybersecurity Trends”: “81% of hacking-related breaches used stolen passwords and/or weak passwords.”
Troy Hunt’s Have I Been Pwned website shows that password-related data breaches are happening with such alarming frequency and magnitude that it should be clear that password authentication can no longer be trusted.
Fortunately, there is good news.
Yesterday marked a turning point in the history of passwords. Apple released iOS 16 and introduced a new password-killer technology called passkeys. The premise of passkeys is simple: instead of relying on the human brain to remember secrets in order to authenticate, it relies on powerful machines to do the authentication instead.
What are the advantages of the passkeys over passwords?
No shared secrets
First, unlike passwords, there is no shared secret between the user and the system in passkeys.
A passkey is a pair of public and private cryptographic keys. The two keys are mathematically related, but the private key cannot be derived from the public key. The system keeps the public key while the user’s device keeps the private key. To authenticate, the system initiates a challenge-response protocol that it verifies with the public key. The user can only answer the challenge successfully if their device holds the corresponding private key. This challenge-response protocol cannot be carried out manually; it requires machines with substantial computing power (e.g. smartphones, tablets, computers).
That means that even if the system is hacked and public keys are stolen, the security of passkey authentication is unaffected, because its security rests on the secrecy of the user’s private key, which the system never held. If the whole world switches to passkeys, it will eliminate an entire class of data breach attacks (that is, the 81% of hacking-related breaches cited above!).
Eliminates phishing
Passwords are vulnerable to phishing attacks. Here, I listed all the advanced techniques used by hackers to fool humans into falling for phishing attacks. Even two-factor authentication (2FA) cannot protect you from phishing attacks.
Unlike passwords, passkeys are resistant to phishing attacks. The domain of the website you are logging into is checked as part of the passkey’s cryptographic protocol, so a look-alike domain cannot obtain a valid response. You cannot be phished with passkeys.
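The two properties described above, no shared secret on the server and binding of the response to the site’s domain, can be seen in a small simulation of the challenge-response flow. The following Go program is an added example written for this post; it is not Apple’s or any passkey library’s code. It models WebAuthn-style authentication in simplified form: the device holds a P-256 private key, the server stores only the public key, the server’s random challenge is hashed together with the site identity (the “RP ID”, here `example.com`) before signing, and the device refuses to sign for any origin other than the one it was registered for. The domains, the `Register`/`Answer`/`Verify` names and the `rpID || 0x00 || challenge` hashing layout are assumptions made for illustration, not the real protocol’s exact encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Passkey lives on the user's device. The private key never leaves it.
type Passkey struct {
	rpID string            // site the passkey was registered for (assumed "example.com")
	priv *ecdsa.PrivateKey // the only secret in the whole scheme
}

// Credential is all the website stores after registration: a public key, nothing secret.
type Credential struct {
	rpID string
	pub  *ecdsa.PublicKey
}

// Register creates a fresh P-256 key pair for a site. The site learns only the public half.
func Register(rpID string) (*Passkey, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{rpID: rpID, priv: priv}, &Credential{rpID: rpID, pub: &priv.PublicKey}, nil
}

// NewChallenge is the server's random, single-use nonce; a fresh one per login defeats replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// toBeSigned binds the challenge to the site identity, in the spirit of WebAuthn including
// the RP ID hash in the signed authenticator data. Layout (assumed): SHA-256(rpID || 0x00 || challenge).
func toBeSigned(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Answer is the device side of the challenge-response. The browser reports the origin it is
// actually connected to; the device signs only for the origin it was registered with, so a
// look-alike phishing domain is refused before any signature exists.
func (p *Passkey) Answer(origin string, challenge []byte) ([]byte, error) {
	if origin != p.rpID {
		return nil, errors.New("no passkey registered for origin " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, p.priv, toBeSigned(p.rpID, challenge))
}

// Verify is the server side: check the signature over this exact challenge with the stored public key.
func (c *Credential) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.pub, toBeSigned(c.rpID, challenge), sig)
}

// ForgeWithStolenPublicKey models an attacker who breached the server database and now holds
// the public key. Lacking the private key, the best they can do is sign with a key of their
// own, which the stored public key will not verify. Returns true only if the forgery is accepted.
func ForgeWithStolenPublicKey(stolen *Credential, challenge []byte) bool {
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false
	}
	forged, err := ecdsa.SignASN1(rand.Reader, attackerKey, toBeSigned(stolen.rpID, challenge))
	if err != nil {
		return false
	}
	return stolen.Verify(challenge, forged)
}

func main() {
	device, server, err := Register("example.com")
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()

	sig, err := device.Answer("example.com", challenge)
	fmt.Println("genuine login verifies:", err == nil && server.Verify(challenge, sig))

	_, err = device.Answer("examp1e.com", challenge) // constructed look-alike domain
	fmt.Println("look-alike domain refused by the device:", err != nil)

	later, _ := NewChallenge()
	fmt.Println("old signature accepted for a new challenge:", server.Verify(later, sig))

	fmt.Println("stolen public key lets attacker log in:", ForgeWithStolenPublicKey(server, challenge))
}
```

Running it shows the genuine login verifying, the look-alike domain being refused, the old signature failing against a fresh challenge, and the forgery with the stolen public key failing. The point for a defender is where each check lives: the origin check happens on the user’s device before a signature is produced, and the server database contains nothing that helps an attacker authenticate.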
What is the problem with passkeys?
Although passkeys are far superior to passwords, they still have cybersecurity and user experience problems of their own. That is why I prefer a better authentication technology that solves these problems too.
What is the problem with passkeys and what is that better technology?