At its annual developers conference this year, American tech giant Apple introduced Passkey – a new sign-in technology.
Passkeys give people a secure way to sign in to apps and websites across platforms, with no passwords required, and promise to be more secure than passwords. Though a step in the right direction, the technology is unlikely to replace password-based authentication systems just yet. Password-based authentication systems, however, are rife with security concerns.
Using only a password to authenticate leaves an exposed attack vector: if the password is weak or has been exposed elsewhere, an attacker could use it to gain access.
Passwords used on their own are therefore the least secure method of authentication. Security increases when another form of authentication is added alongside the password, which is what two-factor authentication provides.
Two-factor authentication is a process in which users are prompted during sign-in for additional identification besides the password. This additional identification could be a one-time PIN received on the phone via SMS, a biometric scan, a security key, a nearby device, and so on.
The additional authentication adds a layer of security to the password-based sign-in process by verifying identity a second time, for example by scanning a fingerprint or entering a code received on the phone.
Two-factor authentication
One of the easiest ways to enable two-factor authentication is by linking the sign-in service with a phone number. This way, you would need to enter the password and additionally authenticate the sign-in by entering a code received on the phone number. For smartphone users, there are authenticator apps to approve sign-ins using push notifications, biometrics, or one-time passcodes.
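The one-time passcodes that authenticator apps generate are time-based (TOTP, RFC 6238, built on HOTP, RFC 4226): both the app and the server derive a short code from a shared secret and the current 30-second time step, so a stolen password alone is not enough to sign in. The following added example (not code from the article or from any vendor mentioned in it) implements both sides with only the Python standard library. The secret is the RFC 6238 test-vector secret, not a real one; the server-side `verify_totp` shows two checks a practitioner would want that the article does not spell out: a small clock-drift window, and rejection of a code whose time step has already been accepted, so a captured code cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Shared secret as an authenticator app would receive it (base32 from the QR code).
# This is the RFC 6238 test-vector secret ("12345678901234567890"), used here only
# so the expected codes are known; a real deployment generates a random one.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30      # time-step length used by common authenticator apps
DIGITS = 6             # code length shown to the user
LOOKBACK_STEPS = 1     # accept one step either side to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """What the authenticator app displays at Unix time `at_time`."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                last_used_step: Optional[int] = None,
                step: int = STEP_SECONDS,
                lookback: int = LOOKBACK_STEPS) -> Tuple[bool, Optional[int]]:
    """Server-side check. Returns (accepted, time_step_used).

    `last_used_step` is the highest step already accepted for this user; any
    candidate at or below it is refused so a captured code cannot be replayed.
    The caller must persist the returned step on success.
    """
    secret = base64.b32decode(secret_b32.upper())
    current = at_time // step
    for delta in range(-lookback, lookback + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, None


if __name__ == "__main__":
    # Matches the RFC 6238 vector: time 59 -> "287082" (last 6 digits of 94287082).
    code = totp(RFC_SECRET_B32, 59)
    print("app shows:", code)
    print("first use:", verify_totp(RFC_SECRET_B32, code, 59))
    print("replayed: ", verify_totp(RFC_SECRET_B32, code, 59, last_used_step=1))
```

Note that the secret must be stored server-side in plaintext (or reversibly encrypted), since both parties need it to compute the HMAC; that is the main difference from hardware security keys, where the secret never leaves the device.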
For enterprises, there is a standard called FIDO2, issued by the Fast IDentity Online (FIDO) Alliance to promote open authentication standards and reduce the use of passwords as a form of authentication. A FIDO2 authenticator is typically a USB device, or in some cases a device with a Bluetooth or near-field communication chip, configured with a security key.
These devices, when connected to the system, enable password-less authentication. Because a hardware device handles the authentication, the account's security is increased: there is no password that could be exposed or guessed.