A strong password is not easy to remember, and an easily remembered password is not a strong one. That is why every time we sign up for something, we are reminded of the standard practices for creating a strong and secure password.
We all know the drill: use at least eight characters containing both upper and lower case letters, numbers and special symbols to create a secure password. But a password like that would look something like "8Yk*0f%g" or "GkI56.@j" – not exactly something anyone would remember.
On the flip side, birth dates, phone numbers, names, obvious words or phrases do not make strong passwords and can easily be exploited through social engineering or a brute-force attack.
Two-step authentication may seem like a solution to the password problem, but it is not entirely hack-proof, as SIM cloning is still a problem.
So, what is the solution?
Passkeys – a standardised, passwordless biometric authentication method adopted by all the companies associated with the FIDO Alliance, which includes tech giants like Google, Microsoft, Apple, Intel, Meta and PayPal.
On World Password Day this year, Google announced that all their devices, web services and apps would support Passkeys. Around the same time, Microsoft also shared their vision to create this passwordless future by promising their support for Passkeys on their devices and programs.
Apple, at their annual Worldwide Developers Conference (WWDC) this year, gave a detailed presentation on how their authentication will work with Passkeys to ensure safer biometric authentication using Touch ID and Face ID.
Apart from the tech trinity, every other company associated with the FIDO Alliance will support this 'FIDO Credential' when it is launched across all operating systems and devices in the coming months. Passkeys are coming to all Android devices and Google services as early as late 2022. Apple is also bringing it to their devices and services later this year with iOS 16.
But how does it work?
A Passkey is a combined effort from the FIDO Alliance and the World Wide Web Consortium (W3C) that uses biometrics to verify the user or owner of an account and grant them access. It works similarly to Apple's Face ID and Touch ID or Windows Hello, but with an important distinction.
While these authentication methods only let users unlock the phone or approve in-device activities such as payments, Passkeys will allow access to everything on the web, including email, social and work accounts. Basically, anything that uses a password can be brought into the fold to take advantage of this biometric authentication.
When a website or app uses Passkeys, it creates an encrypted biometric signature on the device that works exclusively for that website or app from that device. Since it only works on the owner's devices, ideally their phone, no one can log into that account from anywhere else.
Moreover, unlike passwords, Passkeys are stored on the device and not on a remote server. Since they are not stored on servers, hackers cannot get access to your account even if they have access to the server itself. Password breaches from servers are also not a threat, making Passkeys completely hack-proof.
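The mechanism described above, as an added example that is not from the original article or from the FIDO Alliance: FIDO passkeys rest on public-key signatures, so the device keeps a separate private key for each website and the server stores only the matching public key. The sketch is simplified (it is not the real WebAuthn message format), the biometric check is not modelled, and the class names, the user name and the example.test origins are constructed for illustration.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Device (hypothetical class): one key pair per website; the private key never leaves it.
class Device {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is sent
  }
  // Runs after the local fingerprint/face check succeeds (not modelled here).
  signIn(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey registered for this origin
    return sign(null, Buffer.concat([Buffer.from(origin), challenge]), privateKey);
  }
}

// Server (hypothetical class): stores public keys only, issues a fresh challenge per login.
class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use, so a replayed signature fails
    const pem = this.users.get(user);
    if (!challenge || !pem || !signature) return false;
    return verify(null, Buffer.concat([Buffer.from(this.origin), challenge]), pem, signature);
  }
}

function demo() {
  const site = 'https://example.test'; // constructed origin
  const phone = new Device();
  const server = new Server(site);
  server.enroll('alice', phone.register(site));
  const sig = phone.signIn(site, server.newChallenge('alice'));
  const ok = server.verifyLogin('alice', sig);
  server.newChallenge('alice');
  const replay = server.verifyLogin('alice', sig); // old signature, new challenge
  const otherSite = phone.signIn('https://examp1e.test', server.newChallenge('alice'));
  const serverHoldsSecret = [...server.users.values()].some((p) => p.includes('PRIVATE'));
  return { ok, replay, signedForOtherSite: otherSite !== null, serverHoldsSecret };
}
console.log(demo());
```

The server's stored records contain only public keys, so copying them gives nothing that can sign a login, and the device has no key to offer a site it never registered with.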
As a cherry on top, Passkeys will be much faster than the traditional password-OTP combination since users won't need to type anything. It will be as fast as unlocking your phone with a fingerprint or face scan. Since there is nothing to type, there is nothing for the user to remember either. Gone are the days when people had to memorise a string of passwords for everyday logins. Accessing social accounts and apps would be like unlocking the phone – quick, easy, and convenient.