Passkeys versus passwords: Will we soon use biometrics for all logins?
May 16, 2023


Passwords are an enormous security risk, and big tech companies are looking at passkeys as a tentative solution to the perils of password breaches and lost phones. Chester Wisniewski of Sophos unlocks the secrets of the technology.

In the beginning was the password.

A dog’s name or a significant date, stuck on a Post-it note. Then came special characters, random capitalization, two-factor authentication and encrypted password managers.

Still, passwords have been vulnerable to breach. That’s why a number of big tech companies — starting with Google — are pivoting to an alternative: passkeys.

Marketplace’s Meghan McCarty Carino spoke with Chester Wisniewski, a principal research scientist at Sophos, about the pros and cons of passkey-based cybersecurity.

The following is an edited transcript of their conversation.

Chester Wisniewski: Ideally, what it looks like is you’re kind of replacing your password with your device. And in this case, most of the time, that’s going to be an iPhone or an iPad or an Android telephone, phone or tablet of some sort. And if I’m on my desktop computer, I’m logging into Gmail, instead of a password, there’ll be an option: Use a passkey. And I say, use a passkey. And it’s like, oh, right, your phone is registered as your identity on Google. Scan this QR code with your phone and then use your Face ID or Touch ID or fingerprint ID to, you know, to prove your identity. So in essence, it’s using the biometric thing in your phone that you currently probably use to unlock your phone, either your face or your fingerprint, in combination with your computer, to log in. So you don’t enter any kind of codes, there’s no PINs, there’s no passwords. You simply scan a QR code and then use your fingerprint or your face to log into your account.

Meghan McCarty Carino: So when we talk about passwords, there are kind of multiple points of weakness, I guess. If you’re using a password manager, you know, you have to worry about vulnerability of their data. If you’re keeping it all in your head, you can forget, you can be phished, you can be prone to social engineering, things like that. What are the points of weakness when it comes to passkeys?

Wisniewski: There’s a trend in the criminal networks these days of doing what we determine as cookie theft. So when you log into Gmail or iCloud or anything else, you end up getting a session cookie, which is just sort of like a pass when you enter your building at work. It’s like you proved your identity to get the pass, and now that you have the pass, you can just run around the building, tapping the sensors to open the doors. And the session cookies, that’s how they work on a website. Once you have that cookie, it says OK, this person gave us the right password or, in this case, they used their passkey and they proved that they were Chester. Now that I’ve proved that I’m Chester, this pass, anybody can take that pass and impersonate me. And that’s the one weakness that passkeys have: criminals can steal that cookie. And if they do steal that cookie, then they’re already logged in as you, and the site doesn’t know the difference, that it’s not you. And if passkey adoption goes up, we can expect criminals to make more efforts to steal cookies because it’s the primary way of bypassing this technology.

McCarty Carino: And what about the actual physical device? What if you lose it or, you know, someone can use your biometric information, you know, with you held hostage or something?

Wisniewski: Well, anytime that you’re in a situation where somebody is holding a lead pipe and threatening to beat you with it, there is definitely a problem that all technology is going to fail at that point. The lost phone is one of the things that passkeys actually solve compared to earlier types of hardware authentication. Like as a security professional, I carry a USB token that has some cryptographic keys on it that I use to authenticate. But of course, if I lose that thing, I’m locked out of everything that is tied to that key. And what passkeys do is store the cryptographic identity, protected, in the cloud of the provider with which you created the passkey. And so this is why it requires Google or iCloud or Microsoft OneDrive; all three of those current passkey solutions keep a copy of your passkeys in their cloud. That way, if you lose your iPhone, you just go to the Apple store, you buy a new one. And when you connect to iCloud, your keys will come back. And so that’s one of the, that’s one of the advantages of passkeys.

McCarty Carino: And what about on the privacy side? Are there any concerns there?

Wisniewski: I think the privacy on this is pretty good. There’s a lot of rumors if you go, you know, wandering around on Reddit and stuff where people talk about concerns about these keys being held by Google or Apple on your behalf that somehow they could surrender them. But the more I’ve looked into this, they’re protected end to end with encryption before they’re stored in those companies’ clouds, so they can’t hand over your identity to someone else. And from a privacy perspective, they’re certainly no worse than the existing technologies.

McCarty Carino: If you are kind of a cautious adopter and you want to stick with passwords, or there are obviously some use cases that you have to stick with passwords for, what are the best practices with passwords right now?

Wisniewski: Well, you covered a lot of them early in the interview, right? Password managers are kind of the standard, gold standard that we all recommend these days. I certainly use one, and when you’re using a password manager, you can secure that password manager with more than just a master password. So if you’re on the more security-conscious side, you can buy a USB token, called a U2F or FIDO token, and use that in addition to a password to unlock your password vault, and I think that’s probably the gold standard these days: use a password manager. If you want to secure it with a hardware token, you can buy those hardware tokens for between $20 and $60. And that is probably your best bet.
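The login flow Wisniewski describes at the start of the interview (the phone holds a cryptographic identity, the site keeps only the public half, the biometric unlocks a signature for one login) and the cookie-theft point he makes later can be shown together in a short program. The Go code below is an added example written for this page; it is not code from Marketplace, Sophos or any passkey provider, and it is a simplified model of the FIDO2/WebAuthn challenge-response rather than a conforming implementation (no attestation, signature counters or client-data JSON). The names Authenticator, RelyingParty, Assertion and the origin https://mail.example are constructed for illustration. It shows why a copied server record, a replayed login or a look-alike site gets nowhere, which is exactly what leaves the session cookie as the remaining target.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the phone: the private key never leaves it, and it signs
// only after the biometric check passes and only for the origin it was made for.
type Authenticator struct {
	rpOrigin string
	priv     ed25519.PrivateKey
	pub      ed25519.PublicKey // the only part the site ever receives
}

func NewAuthenticator(rpOrigin string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpOrigin: rpOrigin, priv: priv, pub: pub}, nil
}

// Assertion is the phone's signed answer to one login challenge.
type Assertion struct {
	Challenge []byte
	Origin    string
	Signature []byte
}

// assertionMessage binds the signature to both the site and the challenge, so a
// signature obtained by a look-alike site is useless at the real one.
func assertionMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the "scan the QR code, then use your face or fingerprint" step.
func (a *Authenticator) Sign(origin string, challenge []byte, userVerified bool) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("biometric check did not pass")
	}
	if origin != a.rpOrigin {
		return nil, errors.New("no passkey registered for this origin")
	}
	sig := ed25519.Sign(a.priv, assertionMessage(origin, challenge))
	return &Assertion{Challenge: challenge, Origin: origin, Signature: sig}, nil
}

// RelyingParty models the site: it stores public keys only and hands out random
// challenges that are valid for exactly one login attempt.
type RelyingParty struct {
	origin  string
	users   map[string]ed25519.PublicKey
	pending map[string]string // hex(challenge) -> user it was issued to
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

func (rp *RelyingParty) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[hex.EncodeToString(c)] = user
	return c
}

// Verify accepts an assertion only if the challenge is fresh, the origin is this
// site and the signature checks under the registered public key.
func (rp *RelyingParty) Verify(as *Assertion) (string, error) {
	key := hex.EncodeToString(as.Challenge)
	user, ok := rp.pending[key]
	pub := rp.users[user]
	if !ok || pub == nil {
		return "", errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, key) // consumed on first use, so a replayed assertion fails
	if as.Origin != rp.origin {
		return "", errors.New("assertion was signed for another origin")
	}
	if !ed25519.Verify(pub, assertionMessage(as.Origin, as.Challenge), as.Signature) {
		return "", errors.New("signature does not match the registered passkey")
	}
	return user, nil
}

func main() {
	rp := NewRelyingParty("https://mail.example")
	phone, _ := NewAuthenticator("https://mail.example")
	rp.Register("chester", phone.pub)
	as, _ := phone.Sign("https://mail.example", rp.NewChallenge("chester"), true)
	fmt.Println(rp.Verify(as)) // chester <nil>
	fmt.Println(rp.Verify(as)) // (empty user) unknown or already-used challenge
}
```

Everything the site stores is a public key, so a copy of its user table cannot be turned into a login, and every assertion is tied to one fresh challenge and one origin. What this exchange does not cover is what happens next: once Verify succeeds, a real site issues a session cookie, and that cookie is a bearer token that the site accepts from whoever presents it. That gap is the cookie theft Wisniewski describes, and the defences for it (short session lifetimes, re-prompting for the passkey before sensitive actions, revoking sessions on sign-out) live outside the passkey protocol itself.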

You can now set up your Google account with a passkey.

Wisniewski mentioned that the passkey will be stored on Google’s cloud, which might sound less than ideal for those with a healthy distrust of Big Tech. But the alternative — a passkey that’s stored only on a device — can also cause problems.

It’s something that’s become a familiar trope in the world of cryptocurrency, where the key to a crypto wallet is generally stored on a device, causing people to lose access to all their crypto funds if they lose that device.

There was a widely reported story of a man in the United Kingdom who accidentally threw away a drive containing the key to a wallet that could access half a billion dollars in bitcoin.

It’s probably lost some of its value since then, but that’s still a tough pill to swallow.


The team

Daisy Palacios, senior producer
Daniel Shin, producer
Jesús Alvarado, associate producer