
In the digital world, passwords are like the keys to your personal treasure chest, but let's face it, they're more like a bunch of sticky notes you can't find when you need them but someone else somehow can. Can we eliminate passwords to some degree? Yes, with Passkeys.
A passkey is a type of authentication method used to secure access to various online services and accounts. It is a unique key pair, consisting of a public key and a private key, that is generated specifically for an individual user
… in short, use your phone or fingerprint device with biometrics to authenticate your login.
Before adopting Passkeys you can try them out at https://www.passkeys.io/. Remember to read the instructions at https://www.passkeys.io/#How-to-use-a-passkey. You can create a passkey on multiple devices for the same account.
How Passkey works for dummies
The demo below runs on a Windows machine with a fingerprint sensor and Windows Hello. You can have the same experience on mobile.
Creating an account on website
Like many applications, you need to create an account first. Most websites would ask you for a password setup to keep you comfortable.
Create an account with any email address you like.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create1.png class="border">
Registration is skipped as this is just a demo
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create2.png class="border">
Create first passkey
Once you click the create button, the website asks your browser to set up a passkey.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create3.png class="border">
Your browser directs your request to a module which has passkey capability, Bitwarden in this case.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create4.png class="border">
Authenticate with biometrics.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create5.png class="border">
Create a public/private key pair. The private key stays in the module. Only the public key is sent back to the browser and the website.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create6.png class="border">
That's it! The website associates your account with your passkey. You can now log out/sign out.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create8.png class="border">
Login
Login is very similar to creating an account. Sign in with a passkey. You don't need to provide your email address.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/login1.png class="border">
The process is the same.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/login2.png class="border">
You may notice that you can use more than one device to log in.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create9.png class="border">
Setting up second passkey for your account
Let's try "Use another device"
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create10.png class="border">
"iPhone, iPad, or Android device"
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create11.png class="border">
Scan the QR code with your device.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create12.png class="border">
Your device tells the website that the QR code was scanned from your account.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create13.png class="border">
After authentication, your device generates its own public/private key pair, and then sends the public key to the website.
<img src=/_post_images/2023/12/passkeys-your-gateway-to-seamless-security/create14.png class="border">
You can now use the second passkey to log in!

What if my mobile device is lost
Remember to set up a recovery method for your account! A second passkey can serve as a recovery method, but please pick one that is reliable for you. Otherwise you will end up like below.

Where can I use passkey
The following list will assist you in identifying services that are compatible with passkey adoption.
Services/OS that support Passkey:
- Bitwarden
- Windows (Windows Hello)
- iOS
- Android
Websites/Apps that support Passkey:
- Amazon
- Apple ID (iOS only)
- GitHub
- Google Account
- Internet Identity
- npmjs.com
- WhatsApp (Android & iOS)
- Yahoo
Websites that do not yet support Passkey but support Multi-Factor Authentication (MFA):
- Atlassian and its product family such as Bitbucket
- Docker
- GitLab
- terraform.io
- Wellfound.com
You are encouraged to adopt Passkeys for enhanced security, as they are not susceptible to traditional phishing attacks and do not require memorizing complex passwords.
With the support of industry giants and the convenience they offer, Passkeys are set to become the new standard in digital security.
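
The key-pair flow from the walkthrough (the private key stays in the module, only the public key reaches the website) and the phishing resistance mentioned above, as an added example that is not code from this post or from any passkey provider. It is a simplified Node.js model, not the real WebAuthn message format; the `Authenticator` and `Website` classes, the account name and the `example.test` origins are assumptions made for illustration.

```javascript
// Simplified passkey model (assumption: NOT the real WebAuthn wire format).
const crypto = require("node:crypto");

// Authenticator (phone, Windows Hello, Bitwarden): the only holder of private keys.
class Authenticator {
  constructor() { this.keys = new Map(); }            // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.keys.set(origin, privateKey);                // private key never leaves the device
    return publicKey;                                 // only the public key is handed out
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);                // keys are scoped to the origin the browser reports
    if (!key) return null;                            // unknown origin: nothing to sign with
    return crypto.sign("sha256", Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Website (relying party): stores public keys only, one list per account.
class Website {
  constructor(origin) { this.origin = origin; this.accounts = new Map(); }
  addPasskey(account, publicKey) {
    this.accounts.set(account, [...(this.accounts.get(account) || []), publicKey]);
  }
  newChallenge() { return crypto.randomBytes(32); }   // fresh random value per login
  verify(account, challenge, signature) {
    if (!signature) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return (this.accounts.get(account) || []).some(pk => crypto.verify("sha256", signed, pk, signature));
  }
}

// Constructed scenario: two passkeys on one account, then two logins that must fail.
function demo() {
  const site = new Website("https://example.test");
  const laptop = new Authenticator(), phone = new Authenticator();
  site.addPasskey("alice", laptop.register(site.origin));   // first passkey
  site.addPasskey("alice", phone.register(site.origin));    // second passkey, its own key pair
  const c1 = site.newChallenge(), c2 = site.newChallenge();
  const laptopLogin = site.verify("alice", c1, laptop.sign(site.origin, c1));
  const phoneLogin = site.verify("alice", c2, phone.sign(site.origin, c2));
  // A lookalike origin gets no signature: the authenticator holds no key for it.
  const lookalike = site.verify("alice", c2, laptop.sign("https://examp1e.test", c2));
  // A signature over an old challenge does not verify against a new one.
  const replay = site.verify("alice", c2, laptop.sign(site.origin, c1));
  return { laptopLogin, phoneLogin, lookalike, replay };
}

console.log(demo());
```

The website never stores anything that can be used to sign in elsewhere: a leak of its account table exposes public keys only.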