Passkeys: The Next Generation of Passwords



In the ever-changing world of cybersecurity, traditional passwords just aren’t enough. You may have been asked lately to set up a passkey on sites that you’ve been accessing with a password. Passkeys are slowly replacing passwords, as passwords can be easily stolen, hacked, or even guessed. Unlike a password, a passkey can’t be shared, remembered or written down. That’s because passkeys are kept on the user’s devices, such as computers and smartphones.

When the user tries to sign in using a passkey, the client requests a challenge from the server. The client then signs this challenge with its private key and sends the signed challenge back to the server. Once it is received, the server checks that the signature is valid using the public key it has. Provided the signature is valid, the user is signed in to the service without having to enter any information manually.

Another benefit of a passkey over a password is that it can’t be reused. With passkeys, each service automatically gets a unique key pair, which prevents reuse and eliminates the work of replacing your passwords in the event of a breach.

Passkeys also eliminate phishing attempts. Since a passkey generated on a device is specific to the domain for which it was created, the device will not offer the option to sign in if the request is not coming from that original domain.
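The sign-in flow and the per-domain key pairs described above can be modeled in a few lines of Node.js. This is an added example, not code from any passkey implementation: the `Authenticator` and `Server` classes, the `.example` domains, the choice of Ed25519 and the "domain + challenge" signed message are all assumptions made for illustration, and real passkey protocols use a richer message format.

```javascript
// Simplified model of passkey sign-in (hypothetical names, constructed data).
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Device side: one key pair per domain; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(domain) {
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    this.keys.set(domain, privateKey);
    return publicKey; // only the public half is handed to the server
  }
  // Returns null when no passkey exists for the domain making the request.
  signIn(requestingDomain, challenge) {
    const privateKey = this.keys.get(requestingDomain);
    if (!privateKey) return null;
    const message = Buffer.concat([Buffer.from(requestingDomain), challenge]);
    return sign(null, message, privateKey);
  }
}

// Server side: stores the public key and issues single-use random challenges.
class Server {
  constructor(domain) { this.domain = domain; this.publicKey = null; this.pending = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() { this.pending = randomBytes(32); return this.pending; }
  verifyLogin(signature) {
    const challenge = this.pending;
    this.pending = null; // each challenge is accepted at most once
    if (!challenge || !signature) return false;
    const message = Buffer.concat([Buffer.from(this.domain), challenge]);
    return verify(null, message, this.publicKey, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new Server('bank.example');
  const shop = new Server('shop.example');
  bank.enroll(device.register(bank.domain));
  shop.enroll(device.register(shop.domain));

  const sig = device.signIn('bank.example', bank.newChallenge());
  const genuine = bank.verifyLogin(sig);   // valid signature over a fresh challenge
  const replayed = bank.verifyLogin(sig);  // same signature again: challenge is gone
  // A look-alike domain has no key on the device, so nothing is signed.
  const lookalike = device.signIn('bank-login.example', bank.newChallenge());
  // The bank key pair is useless at another service: keys are unique per site.
  const crossSite = shop.verifyLogin(device.signIn('bank.example', shop.newChallenge()));
  return { genuine, replayed, phished: lookalike !== null, crossSite };
}
console.log(demo());
```

Only the first attempt succeeds: the replayed signature, the look-alike domain and the cross-site use all fail, which are the reuse and phishing properties the text describes.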