I spoke with Anna Pobletts, Engineering Director at 1Password, about the advantages of passkey technology, and the possibility that cybersecurity will evolve past the challenges of traditional passwords.
The issue, as Pobletts explains, is that legacy password technology relies too much on users for security – and we’ve seen the many problems with this. In contrast, passkey technology offers a far more secure and effective system, but it’s relatively new and so adoption is still in progress.
Read select highlights from the interview or jump to the video of the full interview below.
Interview Highlights: Anna Pobletts on Passkey Technology
The comments below have been edited for length and clarity.
What exactly is passkey technology?
Passkeys are essentially a new way to log into apps and websites. It’s meant to be more secure and more user-friendly than passwords. What it looks and feels like to users is really something like your Touch ID, your Face ID, whatever biometric is already built into your device.
Behind the scenes, it uses public key cryptography, which has been around for a really long time. It’s the basis for a lot of other technologies, like SSH and things like that.
When a user creates an account on a website, we’re going to create a unique key pair and the public key is sent to the website and the private key stays on the user’s device. So the private key never leaves the user’s device, and it can be used to cryptographically sign challenges that the website can then verify.
The important thing here is that the private key is totally random, securely generated, and stays on your device, and the website only has the public key.
What’s wrong with traditional password technology?
People are wondering, right? I think we all don’t love passwords, but there really hasn’t been a better alternative until now.
Putting all of the burden on the user to be secure, on you as a user to think up a good password, remember a good password, not fall for a phishing attack, things along those lines [is challenging]. The goal with passkeys is to remove that human error from logging in. We’re going to build the security directly into the technology.
We’re going to make it really easy, make it something you can’t mess up. People are busy, they’re tired, you just shouldn’t have to think about logging into a website that hard. And so that is really the motivation behind passkeys.
So there’s a biometric element to passkey technology?
So interestingly, it looks and feels like a biometric to a user, but there’s actually none of your biometric data getting sent to a website, or anything like that. And I think that’s really important to know from a privacy perspective.
In particular, what you’re doing is you’re using the biometrics that are built into your device to essentially unlock access to your private key that is stored securely on, say, your iPhone or something like that. So you’re getting all the benefits of biometrics, which is that it’s really easy, but you’re not really concerned about the privacy or security aspects where someone’s going to chop your finger off to use it on something, right? That doesn’t become quite as relevant.
From a security perspective, we’re saying, okay, there’s no secret stored on the website that could be stolen. We have these huge data breaches with millions of credentials. That attack doesn’t really exist here. Passkeys are resistant to phishing attacks, which is another huge swath of really common, easy to execute attacks. And they are [resistant] to anything that’s a credential-based attack. So brute forcing, credential stuffing, things like that, passkeys are resistant to all of those.
So yes, there will be attacks against passkeys that come out. Nothing is going to be totally infallible, but you’re raising the bar so much from this baseline of really easy to execute attacks – across a network style – that exists now against passwords.
What are the challenges with passkeys? It seems like with all those advantages, they should be everywhere. What’s holding back adoption?
I’m hoping they will be soon, but I think it’s reasonable that there is a lot of inertia in moving away from passwords. Authentication, especially for consumers, probably hasn’t meaningfully changed in the last 50 years. And so people don’t really like passwords, but they know them and they understand them, and they know exactly how to register for a new website when they see one.
So I think there are two sides of the challenge. One is, for consumers, passkeys are new. They don’t necessarily have consistent support or interfaces across different platforms and different websites. If you were to use a passkey on a couple of different websites, maybe across different platforms, even on an Android and an iPhone, you’re probably going to have a kind of different experience.
And so the flip side of that challenge is, for businesses, this is hard to implement, not just from an API perspective because all these platforms are a little bit different, but also from a user flow perspective, how do you communicate to users?
How do you tell them this is a passkey and here’s your fallback method and here’s how to do it across different devices? There’s a lot of complexity there and that leads to these inconsistent implementations that then confuse users.
And so from both sides, we just need to give people one clear, consistent experience that they can understand is the same technology across all of these different websites.
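To make the mechanics Pobletts describes concrete (a key pair created at registration, the private key kept on the device, the site storing only the public key, and login as a signature over a random challenge), here is a small added model of the flow in Go. It is example code written for this article, not 1Password's implementation and not a WebAuthn library; it uses Go's standard-library ECDSA on P-256 (the ES256 algorithm passkeys commonly use) and follows the shape of a WebAuthn assertion: `authenticatorData` is `sha256(rpID) || flags`, `clientDataJSON` carries the challenge and the browser's origin, and the signature covers `authenticatorData || sha256(clientDataJSON)`. The names `Authenticator`, `RelyingParty`, `Register`, `BeginLogin`, `Sign` and `FinishLogin`, the rpID `example.com` and the phishing origin `example.com.evil.test` are all constructed for this example. The simplification that an origin's host must equal the rpID (real WebAuthn also allows registrable parent domains) is an assumption noted in the code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData mirrors WebAuthn's collectedClientData: the challenge the site
// issued and the origin the browser is actually on when it asks for a signature.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the device returns for one login attempt.
type Assertion struct {
	CredentialID   string
	AuthData       []byte // sha256(rpID) || flags, as in WebAuthn authenticatorData
	ClientDataJSON []byte
	Signature      []byte // ASN.1 ECDSA over sha256(AuthData || sha256(ClientDataJSON))
}

type credential struct {
	rpID string
	priv *ecdsa.PrivateKey // never leaves the Authenticator
}

// Authenticator models the user's device (the part a biometric unlocks).
type Authenticator struct{ creds map[string]credential }

// RelyingParty models the website. Note it holds public keys only: a breach of
// this struct gives an attacker nothing that can produce a valid Assertion.
type RelyingParty struct {
	ID         string // rpID, e.g. "example.com"
	origin     string // the exact origin the site expects in clientData
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool // outstanding single-use challenges
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]credential{}} }

func NewRelyingParty(rpID, origin string) *RelyingParty {
	return &RelyingParty{ID: rpID, origin: origin,
		pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

func randomB64(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Register creates a fresh P-256 key pair on the device, keeps the private half
// scoped to the rpID, and sends only the public half to the site.
func (a *Authenticator) Register(rp *RelyingParty) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	credID := randomB64(16)
	a.creds[credID] = credential{rpID: rp.ID, priv: priv}
	rp.pubKeys[credID] = &priv.PublicKey
	return credID, nil
}

// BeginLogin issues a random, single-use challenge (32 bytes).
func (rp *RelyingParty) BeginLogin() string {
	c := randomB64(32)
	rp.challenges[c] = true
	return c
}

// Sign is the browser+device side. origin is the page the browser is really on.
// Simplification (assumption for this example): a credential is usable only if
// the origin's host equals the rpID it was registered for. That binding is what
// makes a look-alike phishing site unable to obtain a signature even if it
// relays the genuine challenge.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return Assertion{}, err
	}
	for id, c := range a.creds {
		if c.rpID != u.Hostname() {
			continue
		}
		cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
		rpHash := sha256.Sum256([]byte(c.rpID))
		authData := append(rpHash[:], 0x01) // flag bit 0: user present
		cdHash := sha256.Sum256(cd)
		digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
		sig, err := ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
		if err != nil {
			return Assertion{}, err
		}
		return Assertion{CredentialID: id, AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
	}
	return Assertion{}, errors.New("no passkey registered for origin " + origin)
}

// FinishLogin is the site's verification: challenge freshness, origin, rpID
// hash, then the signature against the stored public key.
func (rp *RelyingParty) FinishLogin(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(rp.challenges, cd.Challenge) // consume it
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) < 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	pub, ok := rp.pubKeys[as.CredentialID]
	if !ok {
		return errors.New("unknown credential")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com")
	dev := NewAuthenticator()
	if _, err := dev.Register(rp); err != nil {
		panic(err)
	}
	as, _ := dev.Sign("https://example.com", rp.BeginLogin())
	fmt.Println("genuine login:", rp.FinishLogin(as))   // <nil>
	fmt.Println("replay of same assertion:", rp.FinishLogin(as)) // rejected
	_, err := dev.Sign("https://example.com.evil.test", rp.BeginLogin())
	fmt.Println("phishing page relaying a real challenge:", err) // no passkey for that origin
}
```

Two things are worth noticing when you run it. The phishing case fails on the device, before any signature exists, because the credential is bound to `example.com` and the browser reports the real origin, which is the property Pobletts calls phishing resistance; and `FinishLogin` consumes each challenge, so a captured assertion cannot be replayed. Nothing in `RelyingParty` is secret, so a dump of its contents does not support credential stuffing or brute force the way a password-hash table does.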