adesso Blog

The challenge: insecure and cumbersome passwords

More and more services and applications are being digitised and moved to the cloud. Starting with end-user services such as online shopping, through to company portals that customers and employees can access from anywhere, and even submitting applications to the local citizens' office. All these services have one thing in common, however: they require registration, which is almost always done today using a username and password. Care must be taken to ensure that a particularly secure password is assigned when registering or setting up the account. Otherwise, the security of the account is not guaranteed from the outset.

Unfortunately, a 2024 analysis by a start-up at the University of Bonn shows how many insecure passwords are among the top 20 most frequently used passwords in Germany. As a company, you cannot necessarily rely on users to choose a strong password. On the one hand, a company can enforce appropriately strict password guidelines to ensure that no weak passwords are used. On the other hand, highly complex passwords are difficult to remember. A good solution for this is a password manager, although that in turn requires a correspondingly strong master password. Bad solutions are writing the password down in plain text and, worse still, reusing it for multiple services. Security can be increased with a second authentication factor, such as an app, but this also makes the login process more complex.

In addition to the security risks, passwords are also a real cost factor: frequent password resets and the resulting support requests cause high administrative costs for IT help desks.

In short, passwords have had their day. Companies need a solution that combines security, efficiency and user-friendliness.

The solution: password-free authentication with Passkeys

How do Passkeys work?

Passkeys are based on asymmetric cryptography, which works with two keys. This method was developed in the mid-1970s and has since been used in many areas of IT security.

When an account is first set up (registration), a public and private key pair is generated automatically. The public key is stored on the service provider's server. The private key remains on the account holder's device, where it is kept in isolated hardware components that have been specially developed for storing sensitive data. It doesn't matter whether the device is a smartphone, laptop or tablet, as long as it runs a reasonably up-to-date operating system version. When logging in after registration, the account holder unlocks access by biometric verification (fingerprint or facial recognition) or by entering a device PIN, for example. During the login process, the private key remains on the local device and is never transferred to the service. Instead, the server sends a task (a challenge) to the device. The device ‘solves’ the task and sends it back to the service signed with the private key. Using the public key, the service can now verify the signature and determine beyond doubt that it is dealing with the legitimate account holder, since only the account holder possesses the private key.


With adesso, the switch to Passkeys is seamless!

No more insecure passwords and cumbersome registration processes! We support you in introducing Passkeys – from strategic planning to secure integration into your systems. Contact us today and secure the competitive advantage of a password-free future.

Get in touch now


This is how a Passkey works, source: German Federal Office for Information Security


So far, so good. But why is this method more secure than the use of complex passwords that have been used for decades?

  • Very low risk of phishing: Since a passkey is bound to a service and its account, it cannot be used by mistake on a phishing site, unlike a password that a user can be tricked into typing. This also significantly reduces the risk of social engineering attacks.
  • No reuse issues: As already described, passkeys are bound to a service. There is therefore no risk of the same passkey being used for multiple services.
  • No data leakage possible: Since the service only knows the public key, no sensitive login information can be revealed in the event of a hack or data leak at the service.

Should it ever be possible to compromise an account in the future, the other accounts will remain secure because a Passkey only grants access to exactly one account at exactly one service.
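To make the registration and challenge-response login described above concrete, here is an added Go model of the exchange (illustrative code written for this article, not code from adesso or from any passkey implementation). The type and function names, the RP IDs such as `shop.example`, and the way the challenge is bound to the RP ID are assumptions that simplify WebAuthn's real signed data:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: one private key per relying party (RP) ID, never exported.
type Authenticator map[string]*ecdsa.PrivateKey
// Register creates a fresh P-256 key pair for the service; only the public half leaves the device.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = priv
	return &priv.PublicKey
}

// Sign "solves" the server's challenge with the key bound to the RP ID the browser reports;
// a look-alike domain has no key on the device, so the request is refused (ok == false).
func (a Authenticator) Sign(rpID string, challenge []byte) (sig []byte, ok bool) {
	priv, found := a[rpID]
	if !found {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
	return sig, err == nil
}

// signedData binds the challenge to the RP ID (simplified stand-in for WebAuthn's authenticatorData || clientDataHash).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Verify is the service's check: only the stored public key is needed, and a signature for
// another RP ID or an older challenge does not verify.
func Verify(rpID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
func main() {
	dev, ch := Authenticator{}, make([]byte, 32)
	pub := dev.Register("shop.example") // constructed RP ID for the demo
	rand.Read(ch)                       // the server's random, single-use "task"
	sig, _ := dev.Sign("shop.example", ch)
	_, phished := dev.Sign("shop-example.test", ch) // look-alike domain: no key, nothing to steal
	fmt.Println(Verify("shop.example", pub, ch, sig), phished) // true false
}
```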

The FIDO Alliance is behind Passkeys. FIDO is an acronym for Fast Identity Online. The alliance includes numerous international tech companies. The German Federal Office for Information Security is also a member and now recommends the use of Passkeys as a new standard for authentication on its website.

Security and device synchronisation

It has been mentioned several times that the private key remains on the device. This raises some legitimate questions: What happens if I lose my device or it breaks? What happens if I want to log into my account with a different device?

There are already solutions for this, too. Of course, as with a password, care must be taken to back up the private key in some way so that it is not lost along with the device, whether through theft or a defect. Established password managers such as KeePassXC already support storing and using passkeys and can make them available across devices. If you don't want to take care of the backup yourself, the big providers such as Google and Apple also offer backup and synchronisation via the cloud. However, you then have to trust the provider to store and protect the data securely. In addition, you may be tied to that provider, as migrating to a competitor may be difficult or not possible at all.

If you want to log in on your PC but the necessary passkey is only on your smartphone and the devices cannot be synchronised, you can still log in. To do this, both devices must have an active Bluetooth connection. When logging in on the PC, the smartphone can then be selected as the login device. There, the login is approved as usual by biometric verification or PIN entry, and access is granted on the PC.

Where Passkeys are already in use

Large technology companies such as Google, Apple and Microsoft already offer Passkeys, so the procedure can already be used to log in to their own services. Microsoft even offers to delete the passwords stored in the account, so that the insecure login method is removed from the account altogether. Providers such as eBay and PayPal also support passkeys. More and more companies and services are following this example and offering passkeys in addition to the classic password.

How adesso supports you

As an IT service provider with extensive expertise in the field of digital identities and authentication, we are happy to support you on your way to a password-free future:

- Consulting & Strategy: Analysis of existing login processes and development of a password-free roadmap

- Security & Compliance: Ensuring that the solutions are secure, compliant with data protection regulations and future-proof

- Interoperability: We help to integrate passkeys into existing systems



Conclusion

Passkeys offer companies and users a secure, convenient and cost-effective way to rethink authentication. Those who act early secure a potentially decisive competitive advantage and can benefit from both higher security and lower costs.


Author Alexander Böhm

Alexander Böhm works as a software architect in the Sports business line at adesso and has supervised and carried out identity and access management integrations in various projects. Beyond his professional work, he is an enthusiastic and committed advocate of software architecture.