
Understanding passkeys and why they will change account security forever

Tom Honzik

Usernames and passwords have been the classic method of logging into online accounts for decades. However, with backing from industry bodies such as the FIDO Alliance and the World Wide Web Consortium (W3C), passkeys are becoming an increasingly popular alternative. Not only do they provide stronger security, but they are also easier to manage for most people.

Keeping online accounts protected is a necessity for nearly everyone, and it's only becoming more critical as the world transitions to a standard of internet-native money. Passkeys are an attempt to modernize account authentication, borrowing cryptographic techniques similar to those used by the bitcoin network: public/private key pairs and digital signatures. People with experience handling bitcoin keys have an advantage when it comes to learning about passkeys, because the mechanisms will likely feel quite familiar.

In this article, we will review some of the problems associated with passwords, introduce passkeys and the improvements they offer, take a look at various types of passkeys, and touch on how to begin using them.

The problems with passwords

The basics of password authentication are quite easy to understand. When you set up a password as your credential for an account, all you need to do is choose a secret and register it with the account. The secret then serves as your key to access the account—whenever you need to authenticate yourself, you simply provide the secret password again.

Setting up a password, and later using it to authenticate, means entering your secret directly.

While straightforward on the surface, passwords lead to a number of security and usability concerns:

  • Entering your password directly, during initial setup or subsequent authentication, means there are repeated opportunities for interception by an attacker.
  • Fake phishing websites designed to look legitimate could trick you into sharing your password with a scammer directly.
  • You must trust that the service you register with stores your password securely (for example, properly salted and hashed); a breach at the service can expose it.
  • Simple, easy-to-remember passwords are weak and could be guessed by an attacker.
  • Stronger passwords that are hard to guess are also more difficult to remember for most users.
  • Manually entering strong passwords can lead to time-consuming mistakes and frustrations.
  • Using the same password across multiple websites introduces more risk for all the accounts involved, since a breach of one site exposes the rest.
  • Unique passwords for each account create even more difficulties for users trying to remember them.

Password managers and two-factor authentication

There have been numerous attempts to address some of the concerns with passwords over the years. Password managers and two-factor authentication (2FA) have been among the most popular ideas, yet they are still imperfect solutions.

Password managers can help generate secure passwords, store those passwords so that they aren’t forgotten, and automatically enter them into websites that have been validated as legitimate. While this approach solves many of the conventional problems associated with passwords, it also introduces a dependency on the third-party password manager as a centralized single point of failure. If the password manager has a security breach, or your credentials to get into the password manager are compromised, all of your accounts could be at risk. 

Two-factor authentication, as the name suggests, adds another factor to the authentication process beyond just a password. While a password represents something you know, this second factor demands additional proof collected a different way, such as something you have (e.g., a device running a TOTP app, or a phone receiving an SMS code; SMS is the weakest of these, since codes can be diverted through SIM-swap attacks) or something you are (a biometric). This creates more steps for users, and can lead to additional confusion and frustration, especially among less technical individuals.

Whether you use a password manager or 2FA, sensitive credential information still has to pass between you and the account you are authenticating to. A password or one-time code typed into a website can be captured by an attacker positioned between you and the site (a man-in-the-middle, or MITM, attack), and a phishing proxy can relay a stolen TOTP or SMS code to the real site before it expires.

How passkeys are different

Passkeys operate in a fundamentally different manner than passwords. Passkeys use asymmetric cryptography, very similar to how bitcoin keys work. When you set up a passkey as your credential for an account, a pair of cryptographic keys is generated: one secret private key, and one corresponding public key. This all happens behind the scenes, so you don't have to interface with the cryptographic keys yourself.

The public key is shared externally, with the account. Meanwhile, your secret private key can remain securely stored on the device that generated it. This highlights the main advantage of passkeys—you never need to share your secret, unlike passwords.

Even during subsequent authentication, your private key isn't shared. Instead, the account's server presents a fresh random challenge, and your device answers with a cryptographic signature over that challenge, produced by your private key. The server then uses your stored public key to verify that the signature could only have come from the matching private key. You can prove you possess the secret without ever revealing it!

With passkeys, you never need to share your secret. Instead, non-sensitive information is passed back and forth, followed by cryptographic verification.

The standardized passkey protocol (FIDO2, consisting of the W3C WebAuthn API in the browser and the CTAP2 protocol between browser and authenticator) is built to be resistant to phishing, interception, and MITM attacks. Each passkey is bound to the domain (the relying party ID) of the site that registered it, and a browser will only let that site use it. When the site issues a unique, one-time challenge, the browser records the challenge together with the requesting origin, the authenticator adds a hash of the relying party ID, and the private key signs all of it. A phishing site on a lookalike domain therefore cannot obtain a valid signature: the browser refuses to use the passkey there at all, and even a challenge relayed from the real site would be signed over the wrong origin, which the legitimate server rejects. Because every challenge is fresh and consumed once, an intercepted signature is useless for replay. This protection covers the login itself; it does not guard against malware on the device that holds the key, or against theft of the session token issued after a successful login.

Ultimately, passkeys offer you stronger protection from hackers and scammers, while also being easier to use—you aren’t tasked with remembering or entering complex secret information in order to authenticate yourself. This leap in progress is made possible by cryptography and more advanced everyday equipment than what was available a couple decades ago (such as smartphones).

Passkey storage and protection

While passkeys eliminate a lot of the frustrations associated with passwords, using them doesn’t absolve you of all responsibility. Your secret private keys still exist somewhere, and so you must secure that device or location.

Often, passkeys are generated and stored locally on a smartphone or laptop. Modern devices offer robust defenses against unauthorized remote access to locally stored passkeys, and secure chips (such as a secure enclave or TPM) guard against physical extraction. However, if someone gained physical possession of your phone or laptop and was able to unlock it, they may be able to use your passkeys and sign into your accounts. For this reason, using a passkey normally requires a local user-verification step, such as a biometric (fingerprint or facial recognition) or a device PIN. This check is performed on the device itself; the biometric or PIN is never sent to the website, which only learns that verification took place. A single local unlock is substantially less cumbersome for most users than typing a password.

The loss or destruction of a device holding a passkey is another concern. Implementations address it in different ways, such as recovery keys, encrypted cloud backups, and secure syncing of passkeys across devices. They can be grouped into three categories: platform-specific, cross-platform, and hardware-based.

Platform-specific
  Examples: iCloud Keychain (Apple), Microsoft Account/Windows Hello
  Advantages: deeper, isolated hardware security; seamless syncing and recovery within the ecosystem
  Disadvantages: limited to devices within the platform ecosystem; requires trust in the provider's end-to-end encryption and cloud security posture

Cross-platform
  Examples: password managers (Google, 1Password, Dashlane)
  Advantages: works across many devices with different operating systems
  Disadvantages: weaker hardware integration; requires trust in the provider's end-to-end encryption and cloud security posture

Hardware-based
  Examples: YubiKey, Feitian, Titan Security Key
  Advantages: passkey can be stored completely isolated and offline, without cloud integration
  Disadvantages: less convenient, since the physical device must be present; limited recovery options

Comparisons to bitcoin key storage

Hardware-based passkeys are quite comparable to bitcoin hardware wallets. The private keys are generated and stored in a dedicated device that has no network connection of its own, a setup often referred to as "cold storage." The keys cannot leave the device, but the device can still receive authentication challenges from the computer it is connected to and return signatures, much as a bitcoin hardware wallet signs transactions. In fact, passkeys are a supported feature of several hardware wallet brands such as Trezor and Ledger, which allows passkeys to be recovered from the wallet's seed phrase backup.

Platform-specific and cross-platform passkeys involve private keys stored on internet-connected devices, similar to "hot wallets" in the bitcoin ecosystem. These solutions prioritize convenience through encrypted cloud backups and cross-device syncing. However, they require your trust in the hardware manufacturers and software providers implementing proper security without backdoors. These "hot key" setups are generally considered insufficient for independently securing large bitcoin balances, with cold storage being the preferred solution for significant funds. For account authentication with less critical, everyday apps and services, they remain a reasonable choice to protect against attackers.

A cold wallet involves private keys stored offline, while a hot wallet has private keys that are held by (or have been exposed to) an internet-connected device.

Getting started with passkeys

Upon understanding the advantages of passkeys, it’s not unusual to be eager to start using them. Unfortunately, not all online accounts and apps offer support for passkeys yet. Industry adoption is steadily growing, but it may take some time before you can leave passwords behind permanently.

As online accounts move from passwords to passkeys, users also need to become comfortable with them, without feeling forced. Therefore, many online accounts are beginning to introduce passkeys as a 2FA mechanism, alongside the passwords users are familiar with. This can serve as a smoother transition, helping users get practice with passkeys while allowing for simple recovery options and backward compatibility. Keep in mind that while the passkey is only a second factor, the account is only as phishing-resistant as its weakest fallback: the password and any account recovery path remain targets. At Unchained, we've introduced passkey support as an optional but powerful 2FA feature.

Learn how to set up a passkey with your Unchained account, and give this technology a try! If you don’t have an Unchained account yet, and are looking for a way to secure bitcoin with no single points of failure, schedule a free consultation with our team to learn more.
