How Do Passkeys Work?

Passwords are familiar – everybody knows what they are and how they work – but due to poor password hygiene behaviors, they also come with some serious security issues . Sixty-two percent of people still reuse passwords, making themselves vulnerable to cyber attacks and data breaches. This is partly because, after a certain point, it becomes impossible to remember every password you have given that each password should be unique and complex for every account you have (most people have up to 50 online accounts!). Thankfully, passkeys are about to make this process a whole lot easier. Instead of relying on passwords alone to safeguard a rapidly growing number of online accounts, you will soon be able to use convenient passkeys as an alternative. Here’s what to know about passkeys, how they work, how they’re different from passwords, and how they will help protect your online accounts.

What is a passkey?

A passkey is a form of passwordless authentication that allows you to log into apps and websites more quickly, easily, and securely – in place of a password. A passkey also makes the process of signing up for a new account far smoother. If you’ve ever wished you could ditch passwords in favor of a more user-friendly approach that also strengthens your cybersecurity, this is likely welcome news. Technically speaking, a passkey is a cryptographic key pair that includes one public key (which is shared with the relying party website) and one private key (which is stored directly on the user’s device). Both of these keys are required for a user to successfully authenticate and then log into an account that has been protected with a passkey.

How do passkeys work?

When you set up a passkey to access an app or a website, you’re essentially getting rid of the password authentication mechanism you’ve used for years. This means that instead of having you log in with a regular username and password, the site will ask you if you’d like to log in using your passkey. LastPass will take it from there, automatically filling that passkey in for you so you can log in and be on your way.  Passkeys will work on most devices that people use at work and in their personal lives. You’ll be able to create, save, and manage passkeys right in your LastPass vault, meaning you’ll be able to access your passkeys everywhere you already use LastPass, regardless of the operating system or platform you’re currently on. Crucially, the experience will feel the same everywhere you go, reducing the learning curve when transitioning to a new system for authentication.

How are passkeys different from passwords?

If a cyber attacker was able to guess, crack, or steal a person’s password, they could usually log in as that person and, from there, get free rein to rummage through their data. If the user had re-used that same password across multiple accounts, then the attacker could leverage that password to get into those accounts, too – especially if multi-factor authentication (MFA) was not enabled on those accounts.  Passwords have made people vulnerable to phishing, and from there, damaging breaches –a whopping 80% of data breaches happen as a result of compromised credentials. Cyber criminals often buy and sell large collections of stolen passwords on the dark web, making it even easier for a password to be used without its owner's knowledge. Passwords could also be compromised if someone happened to see the password being entered (a phenomenon called shoulder surfing) – say, at an airport, a café, or a park.   Passkeys, by contrast, are much more secure by default. Because they’re unique and cannot be re-used across multiple websites and apps, bad actors cannot use passkeys to compromise multiple sites at the same time. And since only one half of a passkey – the public key – is saved on the website or app in question, a hacker will not be able to get into the account if they don’t have ready access to the user’s device, which stores the private key.  Passkeys also use strong encryption algorithms, making it much harder for attackers to crack them – there is no such thing as a weak passkey – in contrast to a password. All of these security improvements introduce new barriers for malicious actors that are trying to obtain unauthorized access to your online accounts.

Prepare for the passwordless future

Passkeys are coming soon, and with them, the dawn of our passwordless future. Although a passkey relies on sophisticated technology, it will ultimately usher in an easier and safer login experience for you. If you’ve wished that you could do away with passwords in favor of a better method, that moment is fast approaching – and the time to prepare is now. Discover how LastPass enables passwordless authentication.