Mobiltelefon med fingeravtrycksläsare

Passkeys – secure login without hassle

Magnus JonssonUtveckling4 min läsning

Building a system to manage login is not entirely easy. Such high demands are placed on security, accessibility, and adherence to various standards that it is often justified to purchase an external service to avoid managing everything yourself. – But, with passkeys, it's no longer so complicated!

Contents

Passkeys are a type of cryptographic key that can be used to prove that the user is indeed who they claim to be. The technology is based on a combination of a private and a public key, similar to how HTTPS or SSH work. Instead of building an entire service for login, a website now only needs to save a copy of the public key and link it to a user.

So how will this affect users? Usernames and passwords have been around forever, do they have to learn new things now? – No, the fact is that almost everyone today already uses technology to be able to use passkeys without knowing it! Most operating systems and web browsers, even on mobile phones, already support passkeys and parts of the interactions are already being used. It's no more difficult than using your fingerprint or facial scan on your phone, which many already do today.

Passwords are difficult to remember and easy to hack. Passkeys are secure and don't need to be memorized.

In practice, when a user wants to create an account on a website, a request is sent according to a standardized protocol (WebAuthn) to the user's web browser. The user is then asked to create a new key by, for example, scanning their fingerprint. The public part of the key is sent to the web server, and the private part is saved on the user's device. When the user later wants to log in, essentially the same thing happens. A request is sent, the user approves in the same way (e.g., fingerprint), and the server can then see that the response has been encrypted with the correct key.

How secure are passkeys?

Cracking the encryption in passkeys is virtually impossible with today's technology. The only way to log in as another user is to gain access to both the user's device and trick its internal verification system (fingerprint, Face ID, etc.), which is not very likely. The storage and encryption of the keys are handled by the user's operating system, meaning companies like Microsoft, Apple, Google have built this. These are therefore thoroughly tested systems that are used here.

For each new website, a unique key pair is created that cannot be used for another website. The user does not need to remember any passwords, so no information is reused. This means that the website should allow a user to store several different keys if they want to log in with different devices (iOS and Android currently support syncing passkeys between devices).

Since the user never enters a password or similar, there is also no risk of so-called phishing attacks. Everything is handled automatically in the background, and the key pair is used only on a unique website and will not be activated on a fake site that looks identical.

Should the worst happen and hackers get hold of the web server's list of public keys, they cannot be used for anything. This is because logging into a user's account requires the private key, which only exists on the user's device.

Do we have to store fingerprints now?

To use passkeys, the user must authenticate themselves on their device. On many devices, such as laptops and mobile phones, biometric data like fingerprints or a facial image is used. However, all of this happens locally on the device. No sensitive information is sent to either the web server or to global IT giants. The only thing sent from the server is a random data set that is then encrypted using the user's private key and sent back to the server. The server can then, with the help of the public key, see that the data set has been encrypted by the correct user.

It is therefore secure from a privacy perspective to use passkeys, but it might be a good idea to be clear about this to users, as the technology is still relatively new to most.

The advantages of passkeys can be summarized as follows:

  • Passkeys are more secure than passwords.
  • Passkeys do not require users to remember complex passwords.
  • They are simpler and cheaper to implement than passwords.
  • Passkeys are already available to virtually all your users today.

It's time to stop building insecure systems that cost both time and money and start using the login services of the future. Simple and secure!