Google’s Passkeys

In today’s digital era, passwords have become a fundamental aspect of our lives. We use them to access our email, social media, online banking, and many other online services. However, passwords are often not secure enough, as they can be easily guessed or hacked. The last “World Password Day” and the NordPass study showed that people are still using easy-to-guess passwords such as “guest”, “123456”, “azerty1233”…
To address this issue, Google has introduced a new authentication system called “Passkeys.”

A Passkey is a cryptographic key that is unique to each user and replaces the traditional username and password combination. It is created using Elliptic Curve Cryptography (ECC), which is a type of public-key cryptography. This technology allows two parties to exchange information securely over an insecure channel.

To create a Passkey, the user’s device generates a public-private key pair using ECC. The private key is securely stored on the device and is never shared with anyone. The public key is then sent to Google’s servers, which use it to create a unique Passkey for the user. This Passkey is then sent back to the user’s device, where it is stored securely.

When the user logs in to an online service, their device sends the Passkey to the service’s server. The server then verifies the Passkey’s authenticity by checking it against the user’s public key stored on Google’s servers. If the Passkey is valid, the user is granted access to the service.
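
In the WebAuthn standard that passkeys build on, the check against the stored public key is a signature verification over a fresh challenge issued by the server. The following Node.js code is an added example, not Google's code or part of the original article: it uses a simplified message format (challenge plus origin), an assumed P-256 curve, and constructed names and origins to show registration, a successful login, and why a replayed or wrong-origin signature is rejected.

```javascript
// Added example: simplified passkey flow, not the real WebAuthn message format.
// prime256v1 is NIST P-256; the curve choice is an assumption of this example.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Device side: the private key stays inside this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    publicKey, // the only half sent to the server at registration
    // Sign the server's challenge together with the origin being visited.
    signAssertion(challenge, origin) {
      return sign('sha256', Buffer.concat([challenge, Buffer.from(origin)]), privateKey);
    },
  };
}

// Server side: stores public keys and issues single-use challenges.
function createServer(expectedOrigin) {
  const publicKeys = new Map(); // user -> registered public key
  const pending = new Map();    // user -> outstanding challenge
  return {
    register(user, publicKey) { publicKeys.set(user, publicKey); },
    newChallenge(user) {
      const challenge = randomBytes(32);
      pending.set(user, challenge);
      return challenge;
    },
    verifyLogin(user, signature) {
      const challenge = pending.get(user);
      const key = publicKeys.get(user);
      pending.delete(user); // a challenge is consumed whether or not it verifies
      if (!challenge || !key) return false;
      const signed = Buffer.concat([challenge, Buffer.from(expectedOrigin)]);
      return verify('sha256', signed, key, signature);
    },
  };
}

// Constructed walk-through: user name and origins are made up.
function demo() {
  const device = createAuthenticator();
  const server = createServer('https://accounts.example');
  server.register('alice', device.publicKey);
  const first = device.signAssertion(server.newChallenge('alice'), 'https://accounts.example');
  const ok = server.verifyLogin('alice', first);
  server.newChallenge('alice');
  const replay = server.verifyLogin('alice', first); // old signature, new challenge
  const other = device.signAssertion(server.newChallenge('alice'), 'https://lookalike.example');
  const wrongOrigin = server.verifyLogin('alice', other);
  return { ok, replay, wrongOrigin };
}
```

Calling `demo()` returns the outcome of the three login attempts; only the first, signed over the current challenge and the expected origin, verifies.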

Passkey is a much better authentication system than traditional passwords for several reasons. Firstly, it is much more secure since each Passkey is unique to the user and is never shared. Secondly, Passkey is much easier to use than passwords. Since the Passkey is stored on the user’s device, they don’t need to remember a complex password or enter it every time they log in to a service.

The future will tell us whether Passkey is a “revolutionary” new authentication system that will replace traditional username and password credentials, or not.

Source: Passwordless login with passkeys | Authentication | Google Developers