It’s time for banks to say ‘Goodbye, passwords; hello, passkeys’

If there is any justice in the world, the end of passwords is nigh. I can’t think of a service I’m more eager to see move on from passwords than my bank account. Bankers should start paying attention to their coming replacement: Passkeys. Their use is about to become ubiquitous. 

Financial institutions have been dealing with digital fraud for years now and know the downsides of passwords. Many people use passwords that are not complex enough to thwart software designed to guess them and — even worse — they reuse the same password across multiple accounts. A bank takes security very seriously; a local florist that takes online orders through a customer account probably does not take it nearly as seriously. Criminals know you might use the same login credentials for both, so they hack the florist and then try those credentials against other, more important accounts (a tactic known as credential stuffing). 

If I may be flip, as someone with IT tech support experience, far too many people still use lousy passwords built from the name of their favorite pet and maybe the year they were born. (You know who you are.) That’s bad enough, but security experts have concluded that even complex, unique passwords weren’t offering the safest online experience possible. Enter passkeys, coming to websites near you. 

Passkeys, in a nutshell, are a passwordless login solution. Apple, Google and Microsoft have recently all rolled out proprietary passkey systems that also, importantly, get along with one another. These major tech companies playing nice with passkeys will finally push passwords out of most of our lives, and once you wrap your mind around how they work it’s easy to see how they take away opportunities for criminals to acquire account information. 

An explanation for less technically inclined folks could go something like this: Passkeys are generated by an app, probably on your phone (although desktop/laptop password vaults as browser plugins do this as well). Unlike passwords, passkeys rely on a new, unique exchange of information every time you log into a website that offers passkeys for access. This is already a major leap beyond static passwords. 

Here’s a slightly more advanced explanation. The generic term for the app a user employs is “authenticator”, and it uses public-key cryptography to authenticate access to websites and other applications. Instead of you having to create a password for your account, you let an authenticator generate a passkey, which is a pair of mathematically related cryptographic keys. 

When a user registers for an account on a website, the authenticator generates a public key and a private key. The public key is essentially a new username (remember those?): it is sent to the website’s server for storage and has no value to a cyberattacker. There’s not much they can do with just a username except stare at it. 

The private key, however, stays with the user and is never seen by the web server. At each login the server sends a fresh, random challenge (think of it as a math problem) to the authenticator; the authenticator uses the private key to sign that challenge and sends the signature back, and the server checks the signature against the public key it stored at registration. 

Note: The authenticator itself will still require the user to identify themselves before each use. Unfortunately, this might still have to be a password, but probably not. Biometrics (Face ID or Touch ID) may be used instead, which is both more secure and easier to use. Most devices, particularly phones, already support biometric identification, so a user won’t have to remember an authenticator’s password. 

If this sounds a little confusing, it is a little confusing. But this method’s security is superior to passwords for two big reasons. One, passkeys cannot be guessed or reused, so they are phishing-resistant. Because passkeys are unique to the app or website they’re created for, a malicious actor can’t trick you into using the passkey on a look-alike or fraudulent site. Two, since they’re only stored on your device, cybercriminals can’t steal your passkeys by hacking into a website.
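The registration and challenge-response exchange described above, as an added example that is not part of the original column and not the code of any real authenticator or bank: a simplified Go model of the FIDO-style flow, in which the authenticator keeps the private key, the server stores only the public key, and a credential answers only for the site it was created for. The names `Authenticator`, `RelyingParty`, `Register`, `Sign`, `Login` and the domains `bank.example` / `bank-login.example` are constructed for the example; it omits the real protocol’s data formats and also covers the look-alike-site and unknown-user cases the text only mentions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator (phone app or password vault): private keys, each bound to the site it was made for.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty (the bank's web server): stores only public keys, indexed by user name.
type RelyingParty struct {
	id   string // site name; "bank.example" in main is a constructed placeholder
	pubs map[string]*ecdsa.PublicKey
}
// Register: the authenticator mints a key pair scoped to rp.id; the server keeps the public half only.
func Register(a *Authenticator, rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	a.keys[rp.id] = priv
	rp.pubs[user] = &priv.PublicKey
	return nil
}
// Sign answers a challenge only for the origin the browser reports. A look-alike domain has no
// matching key, so the authenticator produces nothing a phishing page could relay to the real bank.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok { return nil, fmt.Errorf("no passkey registered for %s", origin) }
	digest := sha256.Sum256(append([]byte(origin), challenge...)) // the site name is part of what is signed
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
// Login: the server sends a fresh random challenge and checks the reply with the stored public key.
func Login(a *Authenticator, rp *RelyingParty, user, origin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { return false }
	sig, err := a.Sign(origin, challenge)
	if err != nil { return false }
	pub, ok := rp.pubs[user]
	if !ok { return false }
	digest := sha256.Sum256(append([]byte(rp.id), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
func main() {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{id: "bank.example", pubs: map[string]*ecdsa.PublicKey{}}
	_ = Register(auth, bank, "alice")
	fmt.Println(Login(auth, bank, "alice", "bank.example"), Login(auth, bank, "alice", "bank-login.example")) // true false
}
```

Because the challenge is random and the signature covers the site name, a captured response is useless elsewhere, and a copy of the server’s database yields only public keys.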

No authentication system is perfect, but these two improvements make cyber criminals mighty upset. The FIDO Alliance (Fast IDentity Online) is a large group of tech developers that has been working on this system since 2013. Their efforts have matured enough that major websites like PayPal and Best Buy are now enabling the use of passkeys. When passkey use reaches a tipping point, community bankers won’t find this technology expensive or difficult to add to their systems, but they will see a decline in compromised customer accounts. It’s about time.