What Is Passkey?

In the coming months, we will start hearing something about passkey which will replace the use of passwords. Actually, to log on to any social media platform or any platform, we require a username and a password. But sometimes many users forget their password and face problems while logging. So by keeping this problem in mind a new concept is developed which is known as Passkey. So let us know exactly what they are at a conceptual level, how they differ from passwords and passphrases, and why?

Difference Between Password, Passphrase and Passkey

A password is a traditional word, phrase, or string of characters (usually combined with a username) used to authenticate a user. Passkey, on the other hand, uses the mathematical underpinnings between public and private cryptographic keys to authenticate. Now, we don't necessarily recommend you use actual words as your password.

Passwords And Passphrases

In fact, the ideal pass "word" is a series of random characters, but it's usually a combination of 8, 12, 16, 20, or more characters ( alphabets, numbers, or alphanumerics)  that serve as your authentication, depending on your need to provide your password. The platform you are trying to use uses your password to verify that you are the owner of the account created on their platform or the person who has the authority to use that account.

A pass "phrase" is basically a combination of words that make up a sentence and should typically be up to 40 characters in length (a longer password but is made up of multiple words ). The canonical example that we've used for years is the "correct horse battery staple", these are four random words used as a passphrase. There's a conceptual way of thinking about them that makes them easier to remember. But it's a very long, easy-to-remember password that anyone can then use in place of a regular password for services that support long passphrases.


On the other hand, the pass "key" is completely different from the password and passphrase. In this, you have nothing to do like in the case of a password or passphrase you have to type something and need to remember to log in next time. And to be honest, it's great. Now, we can preface all of this by saying that this is a conceptual overview.

A conceptual overview

This is based on Paskey's conceptual understanding so far. As it turns out, getting the details of how passkeys are implemented has proven a bit difficult. But luckily, you don't need to know those details. The conceptual high-level overview will help you understand what they are, why they are safe, and how you will use them in the future.

Passkeys are based on cryptography, specifically public key cryptography

Now, let us learn about the public cryptography part in a moment, but the fundamental concept behind this cryptography is that it's called Asymmetric Cryptography. Symmetric cryptography is what you're already used to. That's where you have a password that you use to encrypt something, and then you use that same password later when you want to decrypt it. Asymmetric cryptography uses two separate keys known as Public and Private keys. Basically, there are two large numbers, they are generated together and they have a very special and interesting relationship.

Public Key Cryptography

Let us assume there is a key pair & call them A and B, anything you encrypt using A can only be decrypted by B. Similarly, anything encrypted using B can only be decrypted using A. In fact, if you encrypt something with A, you can't even use A to decrypt it. You can only use B. So they are asymmetrical. You use one to encrypt and you decrypt with the other. So that's absolutely fascinating mathematical magic. So now we learned about public key cryptography.

The fact that these two keys, A and B, have this weird relationship means you can do something really, really interesting. You can make one of them public. You can just give it to anyone. So if you want to keep something secret then use A and B as keys. Keep A secret and make the B key public, two things can happen. One, as B is the public key, anybody can use the B key,  which is freely available. In this scenario, anybody who has a B key can get access to things encrypted in A. But as A is the private key, which you use to encrypt something that only you can decrypt because you have the matching A key. That A key is kept secret. That's why it's called private and only you have it.

Anybody can encrypt something using the B key because it's public, but only you can decrypt it. This is a very useful and fundamental technique for sharing encrypted documents with specific individuals. Now, the other interesting thing you could do with this is you can encrypt something using the A key, and anybody can decrypt it using the B key. So what's the point?

The point is that, if decryption using the B key is successful, it proves that only you could have encrypted it because only you have the A key that would encrypt it in a way that the B key would work. Anyone can encrypt something using the public key such that only a specific person with the private key can decrypt it, and anyone with the private key can encrypt something so that the B key can be used to prove it. It turns out that they are the ones who encrypted it in the first place.

Public key authentication

Now we've got some idea of the key pairs. Well, now to learn more let us create these key pairs again. In this method, we generate a public-private key pair, let's say, A and B. Let's say A is the Public key, it can be shared publically and the user can log in to access the data using the public key. However, they cannot access the data encrypted by private key. Let's say B is the private key, you give this key to the server administrator, and they put it in a special place associated with your username. So they store username and public key. This was the basic overview of public key authentication, Let us know in detail how it works?

SSH- Public key authentication

The secure shell protocol allows for a variety of methods that a connecting client can use to authenticate itself to the server. Authentication methods generally supported by secure shell clients and servers include Generic Security Services Application Program Interface (GSSAPI), public key, keyboard-interactive, and plain old password. Now let us have an overview of the public key authentication method within the context of the secure shell protocol.

To prepare an Overview for successful public key authentication a public/private key pair is generated on the secure shell client side. Sometimes this public/private key pair is referred to as an identity. The private key is kept secure and protected on the client side, the public key is well-public, it cannot be used to derive the private key. So the public key can be shared with others. For public key authentication to be possible, a secure shell server must first be configured to allow the public key authentication method. For public key authentication to be successful, the operator of the secure shell client will need to send their public key to the secure shell server administrator, who then configures the server to allow that public key for authentication associating that public key with a specific user account.


Now, let's finally talk about Passkeys (Passkeys and public key authentication). Passkeys are essentially exactly what we've just described but these have one very important difference. We learned about the public key authentication in which we create a key pair. Passkeys actually do all that automatically for us in the background. So they do set up a public-private key pair. The public key is kept on the server (say Google). The private key is kept on your machine. Let's learn about how that's done securely in a moment. 

When you try to sign in to your Google account, then Google does the same thing. Again, conceptually, Google says, Hey, I'm thinking of a number. I'm going to encrypt it with your public key. If you can successfully decrypt it, you must be holding the corresponding private key and therefore you must be you. It really is that simple.

Now, one of the things that Passkeys are extra unique and interesting is that passkeys are unique to each device and to each account. So for example, when you sign in to Google,
  • You might have a passkey set up for your Google account on your desktop machine.
  • You might have a different passkey set up for your Google account on your laptop.
  • You might have a different passkey for your Google account on your Android phone.
  • You might have a different passkey for your PayPal account on your desktop
  • and your PayPal account on your laptop, and so on, and so on. All passkeys will be different.
Yeah, there's a lot of passkeys. The good news here is that it's all transparent. It's all handled behind the scenes. It's nothing you will need to keep track of.

Passkey setup

Now questions arise, If we do not keep track of it, how is it getting set up and how is it getting set up securely? To understand it, there are a few scenarios that we have to walk through. 

First off, let us suppose you're creating a new Google account, and in this scenario, you want to use passkeys for authentication. Simply connect up, and you create your account. You are the person who is creating the account. Therefore, Google will create a key pair for you and store the private key on your device. Now, when you come back later to sign in, you have to authenticate through the passkey and verify that it is you who is trying to use the account. Then Google will verify the passkey through the key pair stored in your device. If you are verified then Google will allow you to use the account otherwise you will be disallowed. In this case, we understood, how to set up a secure passkey for a new Google account. Let's suppose you're adding passkeys to an existing account,  then the process is different.

First of all, you would sign in to that account some other way first. Like the sign-in using the password or if you have enabled two-factor authentication, then you have to verify through two-factor authentication and then I would instruct Google to say, Okay, let's set up pass keys for this account. Now Google will generate key pairs. The private key will be stored on your device and now you can use pass keys for that account on that device moving forward. Now, what if you have an account
set up to use Pass Key authentication, maybe only Pass Key authentication like in our first scenario, but you want to now use that account on another device?

In this scenario, you open that device and try to sign in to your Google account. There will be many different options depending on the service that you're using this with. You may be able to sign in using a password, which at that point would set up the key pair. But as we know this account can be signed in through Passkey only that's why you have to verify yourself. Well, in this case, you confirm the Google that you are the same user for which the passkey was generated on a previous device through your previous device that is already authenticated. Let us understand it step by step.

While signing in on the next phone for the first time, first enter your email ID and password.
Now you will get a prompt on your previous device that says, Hey, is that you? If you then say, Yes, that's me, then you will be able to log in to the next device also. the phone gets a key pair of its own generated at that point.

If you cannot confirm your sign-in using this technique there are some other techniques like clicking on a link in an email that is sent to you or an SMS text message that is sent to you that is based on the email address or phone number already associated with your account. But once you've gone through this bootstrapping process of securely identifying yourself on the new device, the key pair can get set up on that device and you're good to go. A lot of this seems almost too good to be true because there's a lot you don't have to do.

How Passkeys Are More Secure?

There are two parts of passkeys, and in fact, these two parts are the main reasons that make it honestly more secure than passwords. 

The first one is very, let's suppose there is a scenario of data breach. In this case, the service you're using with passkey-only authentication suffers some breach. In this case, the hackers will try to access your account with your name, email address, username, password, etc. If you were using passwords then hackers could get access to your account through these details. But as in this case, you have set up a passkey that's why there's no password for them to get. To sign in to your accounts the hackers must verify that it's you who is trying to sign, they can do this only through your passkey (key pairs). The only thing they can get is this public key. But the public key is public. We don't care who has it because there's nothing they can do with it that would cause us to do something to try and authenticate using our private key. We will only use that private key when we authenticate with the real service. Great, the hackers have a public key. There's nothing they can do with it. There are no passwords to be stolen if passkeys are the only authentication mechanism for the account.

Now, as we learned, the private key associated with the passkey is super important. That's the thing that proves you are you. Your possession of that private key is what proves you are you. So that needs to be stored securely. In almost every case, the private key is stored using your operating system's secure credential manager. This is what happens when you try to sign in to an account and it tries to go through this pass key authentication loop, you may be asked to authenticate yourself, Not with the service, but with the operating system. So Windows may ask you to...

Theoretically, they could ask you for your Windows password, they may ask for your login PIN if you set one up, your face ID, or your fingerprint. After you've provided that level of authentication to Windows, it then unlocks your credentials store and grabs the private key that is then used as part of this Pass Key authentication. You didn't have to do a thing other than maybe touch a fingerprint sensor, have a face, or enter your PIN. There was nothing for you to remember outside of your Windows login. So the bottom line here is that Pass-Keys honestly is really exciting and more secure.

Some services are currently implementing Passkeys. Google is also one of them. But it also requires operating system support and browser support. It's going to take some time, especially for the other accounts that you might be using online. They're not all going to switch to using Passkeys right away.
There's going to be a fairly lengthy transition. But now that you understand conceptually why passkeys are more secure than just passwords that you might lose, consider, switching to passkeys when available.