It’s hard to remember strong, unique passwords for everything. The result is that we use bad passwords en masse and often reuse the same one everywhere, or store passwords in an unsecured place or write them down on a piece of paper. This isn’t safe, which is why a group of tech giants – including Apple, Google and Microsoft, working together in the FIDO Alliance – has come up with a new technology: passkeys.
Simple method
Passkeys are a simple and secure way to sign in to websites and apps. They are a type of digital key that is kept securely on your device, and you can only access these keys using your fingerprint, facial recognition, or simply a PIN.
Put simply: the way you unlock your smartphone is also the way you will log in to your apps and websites from now on. We explain how this works in the video below.
The big advantage of passkeys is that you no longer have to remember a new password for every website or app. Because every passkey is generated for one site and never reused, the weak and recycled passwords disappear with it. But there are two other important advantages.
First and foremost, passkeys make phishing with fake websites almost impossible. A passkey is generated for one specific website and is tied to that site’s domain name; your browser or phone will only offer it on that exact domain. If you accidentally land on a fake copy of your bank’s website, your passkey is simply not offered there and you cannot log in. That failure is itself a warning that you are on a fake site.
It’s hard to hack
Then the second big advantage: passkeys are much harder to steal. Criminal hackers usually get hold of your password by breaking into the websites and apps where you have a profile and copying the password database.
With passkeys there is no password to copy. The website only stores the public half of your digital key, and that half cannot be used to log in. It is like a thief getting hold of a small broken-off piece of your house key: that piece does not open your door.
How does a passkey work?
Passkeys work with asymmetric (public-key) cryptography. It may sound complicated, but the idea is simple: you have two keys, a private key and a public key. The public key is not secret and is stored with the website or app in question, so it does not matter if it is stolen in a breach. The private key never leaves your device, where it is stored securely.
When you want to log in, the website sends your device a fresh random number (a challenge) and asks it to prove that it holds the private key belonging to the stored public key. Your device signs the challenge with the private key and sends the signature back; the website checks the signature with the public key. This exchange is sometimes called a handshake. If the check passes, you are logged in. Without the private key nobody can produce a valid signature, and because every challenge is new, an intercepted signature cannot be replayed later.
In general, you cannot use your passkey unless you first identify yourself to your device with your fingerprint, face scan, or PIN, the same way you unlock your phone. The website never receives that fingerprint or face data; it only unlocks the key locally on your device.
A bunch of sites
Passkeys are available on devices running at least iOS 16 or Android 9. When you sign in to a website or app that supports them, you are asked whether you want to create a passkey and save it on your smartphone. It is usually stored in iCloud Keychain or Google Password Manager, so the same passkey is available on every device signed in to that account.
When you log in with a passkey, the site normally asks your device to verify you first, with a fingerprint, face scan, or PIN. The site needs to know that it is really you using the passkey and not someone who merely picked up your phone.
This makes sense on a smartphone, which has the scanners built in, but many laptops still lack them. If you try to log in there with a passkey, you usually scan a QR code with your phone to verify your identity, just as with DigiD. The phone and the laptop then check over Bluetooth that they are physically close to each other, so a scammer cannot send you a QR code from elsewhere and have you approve their login.
Only a limited number of websites and apps support passkeys so far, including Apple, Google, Amazon, PayPal, WhatsApp and TikTok. The technology is still in its infancy.
What if a thief steals your phone? He has your phone, but not your passkeys: using them also requires your fingerprint, face scan, or PIN. As long as he cannot unlock your phone, the passkeys are useless to him.
Hacking risk?
Of course there are also criminal hackers who could try to break into the phone itself and steal your passkeys. That is possible, but very rare. Android devices and iPhones with the latest updates are very hard to compromise; most criminal hackers cannot even remotely break into a phone, let alone reach passkeys that the phone keeps locked away.
The big risk most people actually face is that their password is stolen in a data breach or that they fall for a phishing trap. Passkeys protect well against both. And because your passkeys are usually synced between your devices, just like your photos, losing or breaking your smartphone does not lock you out.
Is a fingerprint like this secure?
Using a fingerprint or face scan is secure because, unlike a PIN or password, it cannot be handed over, guessed, or reused from a data breach. Your finger or face is also not stored as an actual image, as many people think, but as a mathematical template: a long unique code that differs from device to device and never leaves the device. The website you log in to never sees it; the scan only unlocks the passkey locally. Even if this code were stolen, an attacker could not use it on another device.
It is especially important to protect your smartphone’s PIN, because in some cases the PIN gives full access to your cloud account (photos, passwords, and the passkeys synced there). Using a fingerprint or face scan whenever possible means you type the PIN less often, so fewer people get a chance to see it.
Fix all kinds of vulnerabilities
Experts agree that this new way of logging in is more secure than using a password. It’s faster, easier and more secure, says Herbert Bos, professor of cybersecurity at Vrije Universiteit: “It solves all kinds of vulnerabilities in existing logins, like using weak passwords, remembering all those passwords and databases with passwords that can be hacked.”
Bos believes people will have to get used to this new login format. “Passkeys work very differently from passwords, and I imagine the speed and convenience might make them ‘feel’ less secure to some – but they don’t.”
It will take years before passkeys actually replace passwords. Until then, the old familiar password remains alongside them as a fallback, which means an account is only as phishing-resistant as the weakest login method it still accepts.