Passkey: Secure alternative to a password? – 2024-05-02 16:00:15

by times news cr


Customer passwords are increasingly being stolen in data leaks and personal data is misused. A new technology promises more security.

Less than half of all Germans currently feel secure with their own passwords online. This emerges from a representative survey commissioned by GMX and web.de. On the one hand, this could be because almost 60 percent of people use the same password on several or all services.

On the other hand, the tried and tested authentication method of user name and password is very susceptible to data theft by criminals on the Internet. On the occasion of World Password Day on May 2nd, we are explaining a new alternative to the password: passkeys.

What are passkeys?

Passkeys are digital keys that are generated to log in to an account. To do this, however, the service – for example the bank or a streaming provider – must support the function, which allows users to log in securely and without a password. The number of providers and websites that offer the procedure is currently still limited – but it is constantly growing.

To use passkeys, a one-time setup with the respective service is required. This can usually be done with just a few clicks on the provider’s website or app. Once the passkey has been set up, an encrypted code (the private key) is stored in the device’s internal memory – i.e. on your smartphone or computer.

At the same time, a public key is stored as a counterpart by the service provider. Even if it were stolen in a hacker attack, it is useless to criminals without access to the private key on your device. Passkeys promise password-free, secure internet use. To ensure this, two-factor authentication is also used, for example with a fingerprint or Face ID (facial recognition).

How secure are passkeys?

According to the Federal Office for Information Security (BSI), it is unlikely that the code on your device can be stolen – even in phishing attacks by criminals. In addition, signing in is always carried out using facial recognition, a fingerprint scanner or a PIN.

Since no password is used, the risk of hacker attacks in the event of data leaks is reduced. In addition, there is no risk that hackers can quickly guess simple password combinations like “123456.”

How does login using passkeys work?

Each time you log in to the website, after authentication, the service generates a one-time password that is encrypted with the stored private key and sent to the service provider. The server decrypts this one-time password with the stored public key and checks whether it is valid.

If the key is valid, the user is granted access to the account. Accordingly, the service provider has no access to the private key; it is only stored on your device. Personal data is also not transferred.
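
The login flow described above, modelled in Node.js as an added example that is not part of the original article: in the underlying FIDO2/WebAuthn standard, the "one-time password" is a random challenge, and the "encryption" with the private key is a digital signature that the service checks with the stored public key. The function names, the simplified message format and the example.com origin are assumptions made for illustration.

```javascript
// Added example: simplified model of a passkey login, not the full WebAuthn message format.
const nodeCrypto = require("node:crypto");

// Registration: the device creates a key pair; only the public key goes to the service.
function registerPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, serverRecord: { publicKey, pending: new Set() } };
}

// Service side: issue a fresh random challenge and remember it until it is used.
function issueChallenge(serverRecord) {
  const challenge = nodeCrypto.randomBytes(32).toString("base64url");
  serverRecord.pending.add(challenge);
  return challenge;
}

// Device side: sign the challenge together with the origin the browser is actually on.
function signLogin(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Service side: the challenge must be ours and unused, the origin ours, the signature valid.
function verifyLogin(serverRecord, expectedOrigin, { clientData, signature }) {
  const { challenge, origin } = JSON.parse(clientData);
  if (!serverRecord.pending.delete(challenge)) return "unknown-or-replayed-challenge";
  if (origin !== expectedOrigin) return "origin-mismatch";
  const ok = nodeCrypto.verify("sha256", Buffer.from(clientData), serverRecord.publicKey, signature);
  return ok ? "ok" : "bad-signature";
}

// Constructed demo; both origins are placeholders.
function demo() {
  const ORIGIN = "https://example.com";
  const { device, serverRecord } = registerPasskey();
  const good = signLogin(device, issueChallenge(serverRecord), ORIGIN);
  const results = { login: verifyLogin(serverRecord, ORIGIN, good) };
  results.replay = verifyLogin(serverRecord, ORIGIN, good); // same response sent twice
  const lookalike = signLogin(device, issueChallenge(serverRecord), "https://lookalike.example");
  results.phishing = verifyLogin(serverRecord, ORIGIN, lookalike);
  // A party holding only the stored public key has no matching private key.
  const other = registerPasskey().device;
  results.wrongKey = verifyLogin(serverRecord, ORIGIN, signLogin(other, issueChallenge(serverRecord), ORIGIN));
  return results;
}
```

Calling demo() returns the outcome of a normal login, a replayed response, a response produced on a look-alike origin, and a response signed without the registered private key; only the first is accepted.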

Where are passkeys stored?

A device or program is required to store the respective keys. This can be an app on the smartphone, a program on the computer or a special hardware stick. Cloud solutions on smartphones or computers offer more flexibility when used across multiple devices. In that case, however, the private keys are no longer stored locally, but on the provider’s servers.

According to the North Rhine-Westphalia consumer advice center, the FIDO2 stick, for example, is considered particularly secure because the passkeys are stored on the stick and can be used in conjunction with authentication using facial recognition, fingerprint or PIN. This eliminates the need to create and remember passwords.

However, this specific device is always required for signing in. While you can use passwords to log in on a friend’s cell phone if necessary, you would be at a loss with passkeys without your own device. This also becomes a problem if the device breaks, is lost or stolen.

The lock with fingerprint or facial recognition prevents third parties from accessing the passkeys. However, if you lose the device, you would have to set up access to each individual online account again unless you have created a backup. “In the worst case, you could lose access to your accounts completely,” says a press release from the North Rhine-Westphalia Consumer Center.
