Passkeys are the alternative to passwords and mark a definitive transition to a new chapter in cybersecurity: passwordless authentication.
Authentication systems have relied on passwords until now, but it has become clear over time that while a password acts as the key to an account, it is also the weak link in account security because of its susceptibility to phishing.
A passkey is a secure authentication method based on a cryptographic key pair generated and stored locally on the user's device. The user unlocks it with a local recognition step (fingerprint, face, PIN or pattern); that biometric or PIN is only ever checked on the device and is never sent to the website.
During registration, two keys are created: a public key, which is sent to the website (the relying party) and stored there, and a private key, which is securely stored on the user's device and is never exposed to the website. At login the server sends a random challenge, the device signs it with the private key, and the server verifies the signature with the public key it holds. This mechanism is known as asymmetric or public-key authentication.
Passkeys follow the WebAuthn standard; more precisely, they adhere to and implement the technical specifications of FIDO2, which comprises WebAuthn (the browser API) and CTAP (Client to Authenticator Protocol, which connects the browser to an external authenticator such as a security key).
WebAuthn Standard
WebAuthn (Web Authentication) is the open standard, part of the FIDO2 framework, established by the FIDO Alliance and the World Wide Web Consortium (W3C) with participation from Google, Mozilla, Microsoft and other major players, and it is the standard on which passkeys are based.
The WebAuthn API lets servers register and authenticate users with public-key cryptography instead of a password, and it works regardless of the device's operating system: Android, iOS, macOS or Windows.
In most cases, the WebAuthn client that implements the authentication API is a compatible browser; all major browsers and Android and Apple devices currently support it.
Why is Passkey an effective measure against Phishing?
Passkeys are effective against phishing because the private key is stored on the user's device and is never transmitted over the network; the device only ever sends a signature over a one-time challenge supplied by the server, never a reusable secret.
A passkey is also bound to the website it was created for. The browser records the origin of the page requesting the login and the authenticator only uses credentials registered for that domain, so a look-alike phishing site on a different domain cannot trigger the passkey at all, and even a login response relayed from the fake site would carry the wrong origin and be rejected by the real site. There is no secret for the user to type into a fake page and nothing reusable for an attacker to capture, which makes it far harder for criminals to compromise user access and protects personal and financial information.
Passkey and FIDO
The birth of passkeys is closely tied to FIDO (Fast Identity Online), the alliance that promotes open standards for strong authentication. The FIDO Alliance comprises key players in the web industry such as Google, Microsoft and Apple.
FIDO's main objective is to enhance online security through more advanced authentication methods, such as biometrics and asymmetric cryptography, in order to reduce reliance on traditional (static) passwords, which remain vulnerable to theft regardless of their complexity.
The other MFA methods supported by Yookey | Keycloak SaaS
In addition to passkeys, the other MFA methods supported by Yookey, our Keycloak as a Service, are:
- SMS and email
- Authenticator apps (Microsoft Authenticator and Google Authenticator)
- Physical tokens.