| Cyber risk

Passkeys: the solution that reconciles simplicity and security?

Passkeys are a practical and secure alternative to password authentication. To better understand passkeys, find out what they're used for, how they work and how these access keys can change the way you protect your personal data online!

How does it work? What are the advantages over passwords?

Passkeys are a password replacement device developed by the FIDO alliance (Alliance Fast Identity Online), a group of companies aiming to reduce password dependency in the digital world. Indeed, it's common knowledge that passwords pose major security problems, and are not totally reliable. As recently as 2022, 89% of companies reported having fallen victim to phishing campaigns (password theft).

Passwords are often considered a key element of online security, but they have a number of shortcomings. Firstly, users tend to choose passwords that are too simple and can easily be guessed or cracked, using social engineering techniques or computer programs. Users also often use identical passwords for several accounts. And finally, even if a password is complex and unique, it can be stolen through a phishing campaign.
Even a user who has set up strong, unique passwords can see one of his accounts compromised. The first advantage of passkeys is their association with a web domain at registration. Even if a fraudulent site perfectly replicates a login page, passkey authentication will not be carried out, because the login site will not be the original registration site.

IS security

Our experts at
Digital Identity answer your questions

Enrolment phaseThe security of passkeys is based on asymmetrical cryptography. This system makes it possible to secure an exchange, without any secrets being shared between the parties involved. So, if an application you're using is compromised, only your public key will be divulged. It will then be unusable as is, as the attacker will not be able to recover your private key from your public key. By virtue of its construction, a passkey cannot be guessed, cracked or re-used on several sites. The main weaknesses of passwords are thus avoided, without any action on the part of the user. What's more, the protocols and mathematical concepts used meet the latest security standards.

authentication phaseA passkey is made up of two keys: one public, the other private. It is this pair of digital keys that ensures secure authentication. When creating an online account, the user generates a private key and transfers the public key associated with the website. These keys are unique and specific to each of the user's online services.

At each connection, the application will ask the user to solve a challenge, the answer to which can only be produced from a private key. Obviously, all these actions are transparent to the user, the only prerequisite being possession of the private key at the time of connection. All the user has to do is enter his or her login and then authorize authentication via biometric validation (FaceID, fingerprint, etc.) or PIN code.

Enhanced user experience

Let's see how passkeys translate into user experience. Below is an example of how to create an account on passkeys.io with a phone:

Let's take a look at how passkeys allow us to connect to passkeys.io on the PC. Note that in this example, the passkey is stored in an iCloud keychain:
authentication interface
As you can see, the login experience is simplified to the max, requiring only the login used for the online account. However, the storage of passkeys is an area of considerable debate, with few options available to users.

Passkey adoption and its limits

Despite their application benefits, the widespread use of passkeys will still require a great deal of development and fine-tuning. One of the biggest obstacles to the widespread use of passkeys is the storage of private keys. Currently, Google and Apple offer to store these private keys on their respective password managers (Google Password Manager, iCloud Keychain), but there is no system for transferring them between the two ecosystems. The FIDO alliance is therefore actively working on this issue, and is making every effort to offer a transfer solution that is both secure and user-friendly.

By design, passkeys are not tied to a single device. For example, private keys can be stored on iCloud and synchronized across multiple devices. This poses a real security problem for companies. Indeed, users could access them on devices not managed by their company's security policies. An unmanaged device could therefore be synchronized with the user's business passkeys, while still being vulnerable due to a lack of security patches. A company wishing to deploy passkey authentication for all itsendpoints needs to think carefully about this type of problem, to avoid potential security breaches. 

The FIDO alliance still has many hurdles ahead of it in democratizing this technology, but the future will most certainly be passwordless. Passkeys are a secure, user-friendly and dematerialized means of logging on that offer nothing but advantages over traditional methods. There's no doubt that this technology will be adopted in the long term.

Article written by Thomas Halouis, Access Management Consultant at Synetis.

Camille Jean-Baptiste

Communications Manager