We spoke to Anna Pobletts, Director of Engineering at 1Password, about the benefits of passkey technology and the potential for cybersecurity to evolve beyond the challenges of traditional passwords.
Watch the video of our discussion and read excerpts from the interview below.
Interview highlights
The comments below have been edited for length and clarity.
What exactly is passkey technology?
Passkeys are essentially a new way to log into apps and websites. It is intended to be more secure and user-friendly than passwords. What it looks and feels like to the user is actually things like Touch ID, Face ID, and biometrics that are already built into the device.
Behind the scenes, public key cryptography is used, which has been around for a very long time. This is the basis for many other technologies such as SSH.
When a user creates an account on a website, a unique key pair is created, the public key is sent to the website, and the private key remains on the user's device. Therefore, the private key never leaves the user's device and can be used to cryptographically sign challenges that websites can verify.
The important thing here is that that private key is completely randomly and securely generated and stored on your device, and the website only has the public key.
What's wrong with traditional password technology?
People wonder, right? I'm sure no one likes passwords, but there's currently no better alternative.
Putting all the burden of ensuring safety on the user, and putting the burden on you, the user, to think up good passwords, remember good passwords, avoid falling victim to phishing attacks, etc. [is challenging]. The purpose of a passkey is to eliminate human error from login. We're going to build security directly into the technology.
We're going to make it really easy and impossible to fail. People are busy and tired. You don't have to think so hard about logging into a website. That's actually the motivation behind passkey.
So, does passkey technology have a biometric element?
Interestingly, although it looks and feels like biometrics to the user, no biometric data is actually sent to the website or anything else. And I think it's very important to know that from a privacy standpoint.
Specifically, what you're doing is using biometrics built into your device to essentially unlock access to your private keys that are stored securely on your iPhone, for example. So you're getting all the benefits of biometrics, which is that it's super easy, but you're not really worried about the privacy or security aspects of someone cutting off your finger and using it for something, right? That doesn't make much sense.
From a security perspective, websites do not store sensitive information that could be stolen. Massive data breaches have occurred involving millions of credentials. That attack doesn't really exist here. Passkeys are resistant to phishing attacks. Phishing attacks are also one of the attacks that are very common and easy to perform, and they [are resistant to] any credential-based attack. So passkeys are resistant to all of them, including brute force and credential stuffing.
Yes, attacks against passkeys are possible. While nothing is completely foolproof, it significantly raises the bar above the very easy network-style attacks that currently exist against passwords.
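To make the two points above concrete (the key pair whose private half never leaves the device and signs challenges, and the phishing resistance that comes from binding the origin into what is signed), here is a small Go model. It is an added example written for this page, not code from the interview or from 1Password. The use of Ed25519, the `|` framing of the signed client data, the user and origin names, and the lookalike domain are all constructed assumptions for illustration; real passkeys use the WebAuthn/FIDO2 message formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// clientData is what the device signs: the origin the browser is on plus the
// challenge. Including the origin is what makes a lookalike site's response
// unverifiable at the real site. (Assumed framing; WebAuthn uses JSON + hashing.)
func clientData(origin string, challenge []byte) []byte {
	return []byte(origin + "|" + hex.EncodeToString(challenge))
}

// Authenticator models the user's device. Private keys are generated here,
// never exported, and filed under the origin they were created for.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair and returns only the public half.
func (a *Authenticator) Register(origin, user string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin+"|"+user] = priv
	return pub, nil
}

// Sign answers a challenge for the origin the browser actually reports.
// A phishing page has a different origin, so no matching key is found.
func (a *Authenticator) Sign(origin, user string, challenge []byte) (data, sig []byte, err error) {
	priv, ok := a.keys[origin+"|"+user]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey for %s on %s", user, origin)
	}
	data = clientData(origin, challenge)
	return data, ed25519.Sign(priv, data), nil
}

// RelyingParty models the website: it holds public keys only, so a breach of
// its database gives an attacker nothing that can be used to log in.
type RelyingParty struct {
	Origin     string
	publicKeys map[string]ed25519.PublicKey
	pending    map[string][]byte // outstanding challenge per user, single use
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, publicKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.publicKeys[user] = pub }

// NewChallenge issues a fresh random challenge so a captured response cannot be replayed.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

var (
	ErrUnknownUser = errors.New("unknown user")
	ErrNoChallenge = errors.New("no outstanding challenge (replay?)")
	ErrOrigin      = errors.New("signed origin does not match this site")
	ErrChallenge   = errors.New("signed challenge does not match the issued one")
	ErrSignature   = errors.New("signature does not verify against stored public key")
)

// Verify checks origin, challenge freshness and the signature, in that order.
func (rp *RelyingParty) Verify(user string, data, sig []byte) error {
	pub, ok := rp.publicKeys[user]
	if !ok {
		return ErrUnknownUser
	}
	challenge, ok := rp.pending[user]
	if !ok {
		return ErrNoChallenge
	}
	delete(rp.pending, user) // consume: a second use of the same response fails
	origin, chalHex, found := strings.Cut(string(data), "|")
	if !found || origin != rp.Origin {
		return ErrOrigin
	}
	if chalHex != hex.EncodeToString(challenge) {
		return ErrChallenge
	}
	if !ed25519.Verify(pub, data, sig) {
		return ErrSignature
	}
	return nil
}

// Login runs one full ceremony from a browser sitting on browserOrigin.
func Login(rp *RelyingParty, auth *Authenticator, browserOrigin, user string) error {
	challenge, err := rp.NewChallenge(user)
	if err != nil {
		return err
	}
	data, sig, err := auth.Sign(browserOrigin, user, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(user, data, sig)
}

func main() {
	site := NewRelyingParty("https://example.com") // constructed origin
	device := NewAuthenticator()
	pub, _ := device.Register(site.Origin, "alice")
	site.Register("alice", pub)
	fmt.Println("genuine login:", Login(site, device, site.Origin, "alice"))
	// Constructed lookalike domain: the device has no key filed under it.
	fmt.Println("lookalike page:", Login(site, device, "https://examp1e.com", "alice"))
}
```

The model checks the three properties the answer claims: the site stores only public keys, each challenge is random and single use, and a response produced on another origin is rejected both by the device (no key for that origin) and, even if a key existed there, by the site (origin mismatch in the signed data).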
What are the challenges with passkeys? With all these benefits, it seems like they should be everywhere. What are the barriers to adoption?
I hope that happens soon, but I think it's natural that there will be a lot of inertia in moving away from passwords. Authentication, especially for consumers, probably hasn't changed much in the last 50 years. So people don't really like passwords, but they know them and understand them. Also, when you see a new website, you know exactly how to register for it.
So I think there are two sides to this challenge. One is that passkeys are new to consumers. There is not always consistent support or interfaces across different platforms or different websites. If you use your passkey on several different websites, perhaps on different platforms, and even on Android and iPhone, you'll probably have some sort of different experience.
The flip side of this challenge is that for businesses, all of these platforms are a little bit different, so implementing this, not only from an API perspective but also from a user flow perspective, how do you communicate to your users? That means it's difficult.
How do you communicate that this is the passkey, this is the fallback method, and this is the way to do it across different devices? This leads to incorrect implementation and confuses users.
So, from both sides, we just need to give people one clear, consistent experience that they understand is the same technology across all these different websites.