Google recently announced that it is going to a passkey regime instead of passwords, making it easier for users to access their accounts on its various services. This has triggered a debate among the cybersecurity experts. While some of them say that it is going to be the way forward, some others caution that it comes with certain riders and can pose challenges.
“The world is moving towards a password-less ecosystem owing to increasing incidents of attackers using phishing techniques to steal user credentials. There would be nothing left to break if there were no passwords,” Harshil Doshi, Country Manager (India and SAARC) of cybersecurity firm Securonix, told businessline.
The world is moving towards a password-less ecosystem owing to increasing incidents of attackers using phishing techniques to steal user credentials. “Passkeys are one such step forward where we leverage the biometric sensors available on most devices today or a challenge phrase which authenticates a user uniquely,” he said.
Stating that it is a positive step, he, however, felt that interoperability across various form factors, web services and users would be a challenge. This calls for a standardisation in password-less authentication across consumer and business-to-business services.
While announcing the transition to the passkey regime last month, Google argued that “passkeys are a safer and easier alternative to passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords,” it said.
A passkey can meet multifactor authentication requirements in a single step, replacing both a password and OTP (e.g. 6-digit SMS code) to deliver robust protection against phishing attacks and avoids the UX pain of SMS or app-based one-time passwords.
Kiran Vangaveti, Founder and CEO of BluSapphire, felt that using passkeys is a secure and effective method for logging into applications. The ease of use may drive faster adoption, especially at the enterprise level.
“However, the individual adoption rate may vary based on the availability of passkey-supporting devices. Overall, passkeys represent the future of authentication, moving away from the traditional utilisation of passwords,” he said.
What is a passkey?
Passwords, as we know, consist of a combination of words, alphabets, numbers, and special characters, which can be difficult to remember. Passwords are stored in the target system or application and are constantly validated each time you log in, making them somewhat like an open secret.
‘Cyber attackers are well aware of this and frequently resort to phishing and impersonation to gain access to your password. At an enterprise level, brute force attacks are commonly used, which, given today’s computing power, can easily crack passwords to grant unauthorised access,” he said.
“On the other hand, passkeys are cryptographic key pairs generated by your device. The application you wish to access holds the “public” side of the key, while your device (such as a laptop, mobile or a passkey device) holds the “private” key,” he explains.
When attempting to access an application, it sends you an encrypted message using your public key. The private key stored on your device can decrypt this message, thus verifying your identity and granting you access.
“The private key always remains confidential and is never revealed, even to the application relying on it for authentication,” he contends.
“The current state of computing power does not allow for easy cracking of the private side of cryptography. Therefore, passkeys do provide enhanced security and ease of use, until quantum computing becomes mainstream, which could potentially break such encryption effortlessly. However, we are still far from that point today,” he points out.
Misconception
There is a common belief that passkeys, especially the biometric information of a user, are collected and stored by an application. “However, in reality, the passkey is stored locally on the device itself and is not collected by any application. Therefore, using passkey-based authentication is safe and effective,” he says.
Chester Wisniewski, Field Chief Technology Officer of cybersecurity solutions firm Sophos, said that people would like it when they got used to it
“Who wants to remember a password? If I can unlock my world with my face that seems like a good thing. I think people will adopt it, but I think there is a certain amount of trust that’s necessary,” he feels.
“Because Apple, Google, and Microsoft are going to be storing the keys that enable passkeys to work. And some people are very, me included, I don’t like other people having my secrets, and I don’t necessarily trust Apple or Google or Microsoft. But for those people, they can still use a physical token,” he observes.
