When you think of logging into an app, account, or service, you probably think of usernames and passwords. After all, that's how we've logged in for decades. Unfortunately, these usernames and passwords have become the weak link in the security chain: 84% of people reuse passwords across multiple sites, and more than half (52%) use common or easily guessed phrases.
Because most people use insecure usernames and passwords, the industry has attempted to mitigate those issues with measures such as two-factor authentication (2FA), but even that has encountered challenges such as slow adoption and circumvention by phishing attacks. At its best, 2FA is still a multi-step login process, whereas passkeys streamline login into a single step while also increasing security.
Passkeys are a new way to log into websites and apps without using a password. They are digital credentials used for authentication, comprised of a private and public key pair. Passkeys have been developed as a new standard by the FIDO Alliance and the World Wide Web Consortium.
Using a passkey allows you to quickly create and sign into accounts – with no password needed. This single-step, secure login method replaces traditional authentication (typically, weak or reused usernames and passwords) as well as the cumbersome 2FA process. With passkeys, you’ll never create a weak password again, because you’ll never need to create a password again.
Passkey login is widely supported across many platform authenticators, including Apple Keychain, Windows Hello, Android devices, YubiKeys, and also Bitwarden. This broad support means that most users will be able to leverage their current passwordless technologies, such as biometrics, on their existing devices and experience a seamless transition to passkeys while maintaining existing support for password-based websites.
Let’s dive into the powerful technology and architecture that makes passkeys secure.
Passkeys are powered by FIDO2 and Web Authentication (WebAuthn), standards led by the World Wide Web Consortium (W3C) and the FIDO Alliance. W3C is an international group focused on web standards. The FIDO Alliance is an open industry association, with members including Apple, Google, Microsoft, and Bitwarden, that promotes the development of standards for passwordless authentication.
A passkey is a discoverable WebAuthn credential, meaning that a passkey provider can find the right passkey when a website asks for it, enabling the passwordless login process. Each passkey consists of a public-private cryptographic key pair, which provides the authentication security of the protocol. When you sign up for an account on a website, instead of creating a traditional username and password and then enrolling in two-step login (2FA), you will create a single passkey. When the passkey is created, either by your device or by Bitwarden, the public key is stored with the website while the encrypted private key is stored with the platform of your choice, and is never stored with the website itself.
When you attempt to log into your account on that service, the only way to authenticate with the public key stored there is to have the matching private key.
Here's how it all works.
You’ll visit a website that supports passkey login and create a new account. During the account setup, the site will let you create a passkey and store it in your passkey provider of choice, e.g. Bitwarden or your device OS. Your passkey provider can also require that you use a separate form of authentication, such as biometrics or a master password, before your passkey can be used. For users, it's very similar to how you unlock your mobile device. Under the hood, powerful cryptography and mechanics protect your credentials and allow you to add 2FA layers to further protect your accounts.
Fortunately, many major websites are already on board with passkeys. Sites such as Google, eBay, BestBuy, and NVIDIA all allow passkey authentication. You can bet that list will grow very quickly. As far as the passkey login process, websites, mobile OSes, and password managers will make this as user-friendly as possible.
You can also expect an increase in synergy between websites, phone manufacturers, and developers to help bring everyone up to speed on passkeys quickly. This will begin in 2023, and throughout 2024 and the coming years, passkeys will start becoming the new normal.
Here’s how Bitwarden will help make using passkeys easy and familiar:
There are two major issues passkeys will finally put to rest — weak passwords and reused (or easily guessed) passwords. With passkeys, every encrypted key will be strong and unique, so there's no way users will be able to specify a weak password or use an existing passkey with a new account or app. Every passkey will be associated with only a single account, providing strong security by default.
Passkeys also protect users from phishing attacks, because if you don’t have your password memorized, you can’t accidentally divulge it to bad actors. Your passkey’s private key never leaves your password manager vault. Passkey login will have a profound impact on the security of your devices while simplifying the end user experience.
And it's not just a win for end users. Businesses will be able to enjoy better security, which means data breaches will be less likely. Since passkeys are phishing-resistant, those same businesses won't have to worry so much about users' accounts being compromised. If you are a developer and want to enable passkeys for your website or application, Bitwarden Passwordless.dev can get you going in minutes.
Passkey storage and generation, and logging into the Bitwarden web app with passkeys, are available now. If you’d like to get started today, set up a free account, or share with your team by starting a free business trial. For developers, Bitwarden Passwordless.dev provides API frameworks to help you build passkeys and FIDO2 WebAuthn features.
Editor's note, November 7, 2023: Updated to include details about availability of passkeys in Bitwarden and provided additional technical information