PKI-Based Passkeys Lead The Way For A Passwordless Future

Recently, on World Password Day (May 2nd), tech giant Google revealed that Google Passkeys are being used by more than 400 million user accounts worldwide, authenticating users more than 1 billion times in less than a year.

PKI-Based Passkeys

Google noted that passkeys are now used more often for authentication on Google Accounts than other legacy forms of two-factor authentication, such as SMS one-time passwords (OTPs) and app-based OTPs (such as Authenticator apps) combined.

As the next step, Google intends to broaden passkey support to high-risk users as part of its Advanced Protection Program (APP). This program safeguards individuals who are vulnerable to targeted cyberattacks, such as campaign workers and journalists. Google plans to provide users the option of enrolling into APP with passkeys in addition to hardware security keys.

The impressive adoption rate of passkeys is a significant milestone in the journey towards a passwordless future. It indicates the growing demand for more secure, faster, and easier-to-use authentication methods, as well as user acceptance of new forms of authentication.

A Quick Overview of Passkeys

Google introduced passkeys in March 2022 as part of its ongoing efforts to enhance online security and improve user experience in the authentication process. The passkey technology was developed as part of the FIDO (Fast IDentity Online) Alliance, with Apple, Google, and Microsoft working together to design a safer and simpler alternative to passwords.

Passkeys aim to provide users with a “simpler and more secure authentication experience” than traditional passwords. A passkey is a FIDO credential that allows users to sign into their online accounts with their fingerprint, face scan, or screen lock PINs. It eliminates the need for usernames and passwords, making the authentication process more secure and convenient.

How Passkeys Work

Passkeys operate on public key cryptography or asymmetric encryption. When a user creates a passkey on their smartphone, the device automatically generates a cryptographic key pair – a public key and a private key. The private key is the critical element of passkeys and is stored safely on the user’s device. The corresponding public key is stored on the website or app the passkey was created for. In the Google example, the public key is uploaded to the Google account.

When a user attempts to sign in to their Google account, Google prompts the user’s device to “sign a unique challenge” with the private key stored on it to validate the user’s identity. However, the device will create the signature only if the user approves it. The user can provide their approval by unlocking their device with their biometrics or screen lock PIN.

Unlocking the device and allowing it to create the signature using the private key proves to Google that the user is who they claim to be. In other words, the user is in possession of the device and is the rightful owner of the account they wish to access. The user is then allowed to access their account.

Certificate Lifecycle Management with Visibility, Control and Insights – All in One Place

Benefits of Passkeys Over Passwords

  • Passkeys offer more resilient security than passwords. Since the private key is stored on the user’s device and tied to the user’s biometrics, it cannot be easily guessed, stolen, or intercepted like passwords. The combination of passkeys and user biometrics effectively protect users against phishing and credential-based attacks.
  • As each passkey is unique to each online account, the passkeys only work on the website or apps they were created for, so there’s no risk of users being tricked into sharing their credentials and other personal information on look-alike websites, or one compromised account impacting other accounts.
  • Passkeys can completely replace traditional two-factor authentication. As they work with two distinct pieces of proof – a user device (something you have) and biometrics (something you are) or a security PIN (something you know), passkeys offer stronger security than traditional 2FA, like one-time passwords, making the whole login experience highly secure and frictionless for users.
  • Passkeys significantly speed up the authentication process by eliminating the need for users to remember and enter complex passwords. This not only saves time but also reduces the frustration for users managing multiple accounts. According to Google data, a user can successfully sign in within 14.9 seconds using passkeys, while it typically takes twice as long to sign in with passwords.
  • Passkeys streamline the login experience across multiple devices and platforms, making them versatile and widely applicable for different use cases. If a user owns multiple devices, e.g., a phone, a laptop, and a tablet, they can create a passkey for each device. Or they could securely sync their passkey to other devices they own (some platforms can securely back up passkeys and sync with other devices). For instance, when a user creates a passkey on their iPhone, that passkey automatically syncs to all other Apple devices logged in to the same iCloud account. This seamless integration empowers users to access their accounts securely across various devices without the hassle of repeatedly recalling and entering passwords. Additionally, it protects users against being locked out of their accounts in case they lose their device.
  • If a user wants to sign in on a new device or temporarily use someone else’s device, they can share their passkey with the new device for one-time use either by scanning a QR code or by using AirDrop for Apple devices. This does not transfer the passkey to the new device; it only uses the phone’s screen lock and proximity (determined by Bluetooth) to provide a one-time sign-in passkey signature. Neither the passkey nor the screen lock information is sent to the new device.

Passkeys Champion PKI for the Passwordless Era

Passwords have long been the first line of defense, protecting confidential data against unauthorized access. However, weak, reused, and compromised passwords have become the primary cause of a majority of data breaches in recent times. Failure to enforce password hygiene continues to expose organizations to the risk of phishing, credential stuffing, and brute force attacks.

With passwords increasingly becoming a weak link in the chain, the need for more secure and user-friendly authentication methods is constantly growing. More and more organizations are pivoting towards passwordless authentication methods. Public key infrastructure (PKI) is at the heart of this transition.

PKI has been the backbone of secure communication over the Internet for decades, facilitating authentication, encryption, and digital signatures. With the cybersecurity landscape constantly changing, PKI is continuously evolving to address the changing requirements. Today, PKI is used to secure a wide range of security use cases, including DevOps, IoT, SSH, VPN, WiFi, etc.

Set up a secure, scalable and compliant cloud-PKI with AppViewX PKI+

PKI operates on the principle of asymmetric encryption, where each device (or a system/machine/workload) is provided with an identity through a digital certificate and a unique pair of cryptographic keys: a public key (embedded within the certificate) and a private key (stored safely on the device). When two devices want to communicate with each other, they authenticate each other by verifying the respective digital certificates, and the cryptographic keys work in tandem to encrypt and decrypt data, ensuring secure communication. Unlike passwords, the private key cannot be shared or transferred, which significantly reduces the risk of unauthorized access and data breaches.

Another advantage of PKI-based digital certificates and keys is their ability to work seamlessly with other technologies, such as biometrics and multi-factor authentication (MFA). They can be combined with biometric data such as fingerprints, facial recognition, and PINs to establish a highly secure yet user-friendly authentication process, which is the case with passkeys.

The benefits of transitioning to a PKI-based passwordless approach are many. Not only does it enhance security and user experience, but it also helps organizations do away with the overhead of password management and support. With PKI, the burden of remembering and resetting passwords becomes a thing of the past, freeing up valuable resources and improving operational efficiency. PKI’s scalable and interoperable framework for managing machine identities can lay a strong foundation for a trusted and interconnected digital ecosystem.

Time’s Up for Passwords. Make Way for PKI-Based Passkeys

While passwords still remain the widely used authentication method, there is an evident and growing shift towards passwordless authentication methods. Google’s success with passkeys exemplifies this shift.

Google noted that more organizations, including Amazon, 1Password, Dashlane, DocuSign, and others, have started rolling out passkeys in the last year. As passkeys see more adoption, it is clear that PKI will be a crucial driver for change in how we approach authentication and digital security at large.

How AppViewX Enables Passwordless Authentication

AppViewX supports and facilitates passwordless authentication by simplifying PKI and certificate lifecycle management. AppViewX CERT+ is a ready-to-consume, scalable certificate lifecycle management (CLM) solution that automates all certificate processes end-to-end. You can discover, inventory, monitor, and automate the complete lifecycle for every certificate, all through a central console. AppViewX CERT+ brings together visibility, automation, and control across on-premises, multi-cloud, hybrid cloud, IoT, and containerized environments to simplify certificate lifecycle management, improve efficiency, build crypto-agility, and ensure continuous compliance.

Talk to an Expert To know more about AppViewX CERT+

Tags

  • asymmetric encryption
  • certificate lifecycle management
  • Certificate Management
  • crypto-agility
  • Cybersecurity
  • IoT
  • passkeys
  • PKI-Based Passkeys
  • Private Key
  • public key
  • Public Key Infrastructure
  • public-key cryptography
  • World Password Day

About the Author

Krupa Patil

Product Marketing Manager

A content creator focused on providing readers and prospective buyers with accurate, useful, and latest product information to help them make better informed decisions.

More From the Author →

Related Articles

The Impending Identity Crisis Of Machines: Why We Need To Secure All Non-Human Identities, From Genai To Microservices And IOT

| 4 Min Read

Stronger Private Key Protection For Code Signing: Are You Compliant With The Latest CA/B Forum Requirements?

| 5 Min Read

7 Reasons Why You Need To Replace Your Microsoft CA

| 6 Min Read