What are passkeys & why are they better than passwords?

On June 6th 2022, Apple announced their transition to passkeys - a passwordless replacement for passwords - which they claimed to be a next generation authentication technology.

Apple worked closely with the FIDO alliance to make sure passkey implementations are cross platform and work on as many devices as possible.

Passkeys, also known as Public Key Credentials, are a World Wide Web Consortium (W3C) Standard for Web Authentication which W3C define as an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.

Why is this beneficial?

Passkeys work like passwords, without requiring a password. These passwordless account login's are created and validated by an encrypted process on your devices (mobile phone, tablet, laptop or desktop).

This removes the possibility of creating a weak password and as the part that is required for verification - also known as the private key - is not valuable to hackers. It makes them significantly more secure than passwords.

Passkeys carry an added layer of security, that makes a user only be able to access passkeys for a given domain.

In other words, a passkey created on Citibank.com cannot be accessed nor used on a domain that attempts to look like Citibank.com but is in fact, not Citibank.com, as it is indeed not Citibank.com.

This last process removes phishing from the equation - once again making passkeys significantly more secure than passwords.

Passkeys are complex to understand and require talking to an expert (like Nick Steele) to get a holistic understanding as to how they are created, verified and where things should be executed. We hope the posts offered in the links below helps clarify those questions.

We are actively looking for feedback on how to improve this resource. Please send us a note to inquiries@delasign.com with any thoughts or feedback you may have.