What is a passkey - and is it the future of online security? | BBC News

Passkeys are being called the future of how we stay safe online, with major internet businesses hoping this new tech will kill off passwords for good.

The no-password solution uses biometrics or device PINs to protect our accounts online using some clever encryption.

Passkeys check who we are - as well as if we have the right code.

It means that, increasingly, logging in online will require thumbprints, PIN codes and facial ID.

#Passkey #Technology #BBCNews
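The "clever encryption" the description refers to is a public-key challenge-response: the device keeps a private key that a fingerprint, face or PIN merely unlocks, and the website stores only the matching public key. The Go sketch below is an added illustration, not code from the BBC piece or from any passkey vendor; it uses the standard library's P-256 ECDSA and leaves out details real FIDO2/WebAuthn passkeys add, such as binding the signature to the site's origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the phone or hardware key; the private key never leaves it.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	Unlocked bool // set by the on-device biometric or PIN check, also never sent anywhere
}
// Register mints a key pair; the site receives and stores only the public key.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}
// NewChallenge draws fresh random bytes per login, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// Sign answers the site's challenge, but only once the user has unlocked the device.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, fmt.Errorf("user verification failed: key stays locked")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}
// Verify is the site's side: check the signature against the stored public key.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	auth, pub, _ := Register()
	auth.Unlocked = true // user passed the fingerprint, face or PIN check locally
	c, _ := NewChallenge()
	sig, _ := auth.Sign(c)
	fmt.Println("login ok:", Verify(pub, c, sig))
}
```

Because the site holds only a public key, a breach of its database yields nothing that can be used to log in, and a signature captured in transit is useless against the next, different challenge.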
Comments

It’s not just about security vs privacy. It’s also about choice and freedom — what if I WANT to share my password with a trusted spouse or parent in a specific situation? What if a parent WANTS to log in a previously unknown app used by his/her children to monitor their activity?

Locking out and tying down access only a given biometric signature is also limitation on freedom as well.

juanitotucupei

Good god, the amount of comments on here from people wearing tinfoil hats. Clearly don't understand the basics of biometrics and encryption, no wonder IT security jobs are so well paid. 😆

jacko

Not even a whisper about the privacy implications of this technology? Just give us your unique biometric data, what could go wrong? We promise we won't sell it to foreign or even local government, won't use it to track your online behaviour with absolute certainty about who you are, even if you really are a victim of fraud and we promise not to apply weird and nuances laws against you to keep you in line. We need compliant citizens. Thank you and good night.

dipunm

Trust some other entity besides yourself to keep your password "safe"?
Yea no thanks.

ibm_businessman

That's all fine until you don't have your phone with you or it stops working or gets lost or stolen, then you're proper foooked

chriser

I am completely against this. I travel a lot, I change my phone number very often and I'm so fed up with being locked out of my accounts because they want an SMS verification or want me to confirm via my mobile device. I should have the right to make it password only. I don't go to sketchy sites and haven't had data breaches. It's ridiculous that many sites don't allow this.

stuart

Nonsense. Everything that is stored/managed digitally can be hacked. Passwords are good if they're well put together and stored only in one's head - and you use a completely different pw for each service.

I have a very complicated system. I create a password with an app (* digits - also special characters). Then I add four digits to it which aren't stored anywhere. The same goes for the pw app itself 😂. True, I cannot memorize them - like at all - except the four extra digits. So my passwords are very complicated... Not a single meaningful word. Not worth hacking 😊

cheebacheeobusiness

The biometrics are just a string of data, data you cannot change. You can change your passwords.

inquaanate

Wow, there are so many things wrong in this entire piece that I don't even know where to start.

Ok, here goes something. First and foremost, passkeys in the form of hardware keys have been around for at least a decade now, if we're only talking about the tech that is being used in this newer implementation of it. If we consider other forms it's even older than that.
So it's not "the future" of anything, it's an alternative to options that already exist.

The only thing really new here is that it's being integrated into smartphone OSs as a core function, by the OS developers - Google and Apple mostly.

Second, and this is part of an old discussion that already happened back when people were proclaiming biometrics were going to kill passwords - NOTHING will ever "kill passwords", because these alternative methods of authentication are NOT to be seen as replacements for something like passwords, but complementary or alternatives to it. It's like the general press and tech press cannot learn from past mistakes.

The thing people have to understand is that all of those different things - passwords, biometrics, passkeys, TOTP and other things - all have different characteristics, different applications, different strong and weak points, different scenarios where they work better or worse. Security is not a monolithic thing, nor a black and white thing; you have different situations, different levels of security, different scenarios, and thus different methods to address the issue.

For this very specific application of passkeys, which is the use of a smartphone to hold the capability to authenticate into accounts, it's fairly obvious what the problem is. What if your phone gets stolen, broken, or is not with you when you need to authenticate into an account in a separate device?
It's obvious even in the door lock analogy given - if you lose your access card, you are SoL. For the keycode lock, it's a problem if you forget the code, but you don't have anything physical to lose there.

There is an intractable and unchangeable fact about passwords which is how you can just store it in your memory. Nothing can ever replace that, ergo all claims of something "killing" passwords are moot. It's the only method of authentication that relies on memory alone, or you writing something on a piece of paper and safely storing it. Almost everything else relies on you having a piece of software in an electronic device. Biometrics don't, but the difference with biometrics is that it's unchangeable. So if anyone finds a method to fool the system into thinking you have matching biometrics, the entire system is done. You cannot replace your fingerprint, your iris, your palm for another in case it gets replicated by someone else. You can replace a password though.

Now, let's talk about the portrayal of using password managers. First of all, it's not that complicated, you don't need all the maneuvering shown in the piece, and not all forms of a type of authentication method can be generalized as the piece makes it seem. I see the guy using a password manager is using two-factor authentication with TOTP. That's his particular case, but it does not have to be like that. Broad-strokes generalizations don't help here. This is arguably part of the problem for non-adoption - it's not the actual complexity of it, it's how it's portrayed.

But different to passkeys, you can have password managers on multiple devices of different types all synchronized, and they are not only useful for authentication, they are also useful to store all sorts of sensitive information; several of them have the ability to auto-complete forms, a few of them have the TOTP part integrated, and, important to some, some of them can be used offline and the entire data can be put under personal control - meaning you do not depend on proprietary stuff from a business for it to work. Most of those things are stuff a passkey cannot offer.

That is one of the potential big issues with the current idea of passkeys. It is considered very safe and very secure in general, because the underlying technology has been around for a long time and it has been audited several times over the years, but if you are going to use it in your phone, in the end there is some level of trust that you need to put in the phone's implementation of it, security around the function, plus whoever implements that in the phone which will usually be the OS developer - Google in case of Android phones, Apple in case of iPhones. So you are one way or another delegating the security of it to those.

Some security situations and some privacy and security focused people don't like that, they can't just trust big tech companies to do it right, so you need alternatives for that, which usually means passwords or password managers.

So, does this mean that passkeys are bad? No, they are not. Much like several other authentication methods, it's a balancing act. Passkeys are more CONVENIENT than passwords, but it's not a replacement. If it's well implemented following all the security standards that it has to follow, it can be a more convenient widespread way of authentication for the masses.
But all of this depends on the case, and it has, like any other authentication methods, strengths and weaknesses compared to other methods.

By the way, let me add this for people worried about security to consider. This passkey idea is derived from hardware keys that, like I already said, have been on the market for well over a decade now. The most popular brand I know of is Yubikey. They launched their first FIDO Alliance compliant USB key in 2014. That compliance is what also guarantees the security of this new smartphone-based passkey authentication method.
So, if you don't want to wait for the smartphone-based solution, or want a separate device with the same level of security but potentially less convenient, you can buy a hardware key from that company and configure your accounts to be authenticated with that, for the services that allow its usage of course.

That's also a limitation of passkeys. All the places you have accounts in need to accept it as a form of authentication, or else you will be forced to rely on whatever they accept. That's another point in the problem of considering it a replacement. It's not only up to you, it's also up to the services and whatnot to accept and implement its usage or not.
Of course with companies like Google and Apple adopting it natively more businesses will accept it as a form of authentication, but again, hardware keys basically use the same method, it's been around for a decade, and adoption still isn't widespread. It's not only because of some simple choice, but because there are costs involved in implementing and maintaining it.

So there you go. For those who want to be better informed about this, and not only swallow the hype.

XSpImmaLion

God forbid your phone gets stolen or you change your phone number.

pepeowen

Did the WEF/WHO make this or is it enough just to say the BBC?

shutincharlie

The future. And when they invalidate you on *that* network .... when your name isn't down on *that* list ....

Nautilus

Pin code or patterns should not be accepted as a means of unlocking the phone as those are inherently weak.

Passkeys also come with a lot of buts and ifs, so there is a lot to be done there for this passwordless future.

AlphaSphere

Uh oh. This could turn out sinister. They are working their way toward marking us. Adding just a few non-letter or number keys, like @ £ $ % ^ & * + etc., can make your passcode far stronger.

Jesusandbible

I'm not sure I'm comfortable with my biometrics being out there either, though.

bajes

Dublin went from one of the safest cities in Europe to one of the most dangerous.

What changed?

JamesSmith-qshx

Once quantum computers are commercialized... any password can be hacked in a fraction of a second.

moon

I don't think giving your password to a third party is secure.

Dungshoveleux

Hardware encryption keys (i.e. Yubikeys). No biometrics required. Biometrics are _someone else's_ vision of the future, not Ours.

FlameForgedSoul

BBC: Make sure you use a wooden developer,

yes boss

Paul-kmox