THE MAGAZINE FOR THE FUTURE BY TÜV SÜD

THE ERA OF THE PASSWORD IS COMING TO AN END

Apple, Google and Microsoft have teamed up to get rid of passwords. With FIDO Alliance’s passkey authentication, a sensible alternative is ready for use. On the end of an era and new opportunities for cybersecurity.

TEXT LARS-THROBEN NIGGEHOFF
PHOTO PHILOTHEUS NISCH, JAVIER ZAYAS PHOTOGRAPHY

The ancient Romans used passwords, and even Shakespeare opens his first scene of Hamlet with a password: “Long live the king!” Nowadays, passwords govern nearly every aspect of our technological lives. According to the Deutschland sicher im Netz (Germany safe on the internet) initiative, every person in Germany has an average of 78 online accounts. Are they all well secured? Not if you can believe that the most popular password is still the infamous 123456, with a close second being… 234567. “There is no reason why an administrative account needs a password alone,” says Pamela Dingle in a video released by FIDO Alliance. Dingle is the director of identity standards at Microsoft, one of the co-founders of the group promoting the new passkey process. The alliance’s message: Passwords are no longer up to date. “It’s dangerous and you’ve got to quit it.” 

When Fernando José Corbato at the Massachusetts Institute of Technology invented the computer password in the 1960s, his goal was not to create a high degree of security. He and his team were developing a timesharing system (incidentally, the predecessor of today’s cloud computing) for the research center’s computer, which at the time filled an entire room. The personal passwords were simply a way that different users could easily identify themselves. Innovations like password managers and two-factor authentication are really just tiny tweaks to the original password concept. 

Corbato died in 2019 at the age of 93. It seems his invention may only outlive him by a few years. A coalition of the biggest tech companies is already delivering eulogies for the password—and is offering a promising and viable successor to it, in the form of a cryptographic passkey. 

A passkey? The new authentication method was developed by FIDO Alliance—an association of various companies from the tech industry, including Apple, Microsoft and Google. FIDO stands for Fast Identity Online. The FIDO standard was presented for the first time in May 2022 and works across devices and brands. “If we get it right, authentication becomes a much, much smaller part of everyone’s day,” Dingle says. 

The key words for this are secure encryption. Passkeys are password keys that cannot be stolen through phishing. In contrast to password managers, passkeys do not have a master key for all doors—a separate passkey is generated each time an account is accessed. 

As Andrew Shikiar, executive director of FIDO Alliance explains, “FIDO has fundamentally changed the nature of user authentication—from an outdated model that’s based on knowledge-based authentication or shared secrets, such as passwords, to a model that’s more possession-based.” 


Until now, a password has been used to identify an individual as the owner of a particular account. A secret in exchange for access, a bit like: “Open sesame!” The problem with secrets, however, is that they don’t always remain so. Using the passkey principle, the secret is replaced by a cryptographic key—a long, randomly generated string of characters. The crux of the matter is that this key is never shared with an online service or the account. Just one single device, a smartphone for instance, knows it. When logging in, there is an exchange between the account and the device. With the private crypto key, the device can prove its authenticity beyond a shadow of a doubt, without actually revealing anything. 
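The exchange described above, sketched as an added example that is not part of the original article and is not the full FIDO/WebAuthn message format. The class names, the JSON layout and the two origins are assumptions made for illustration; it shows a normal login, a replayed response, and a response signed for a look-alike site.

```javascript
// Added illustration: simplified passkey-style login, not the real WebAuthn wire format.
const crypto = require('node:crypto');

// Device side: one key pair per site; private keys never leave this object.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey;                         // only the public half goes to the service
  }
  // Signs the challenge together with the origin the browser is actually showing.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                    // no passkey for this origin
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('base64url') });
    return { clientData, signature: crypto.sign(null, Buffer.from(clientData), key) };
  }
}

// Service side: stores only the public key and the challenges it has issued.
class Service {
  constructor(origin) { this.origin = origin; this.pending = new Set(); this.publicKey = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32);
    this.pending.add(c.toString('base64url'));
    return c;
  }
  verify(assertion) {
    if (!assertion) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (!this.pending.delete(challenge)) return false;   // unknown or already used challenge
    if (origin !== this.origin) return false;            // signed for a different site
    return crypto.verify(null, Buffer.from(assertion.clientData), this.publicKey, assertion.signature);
  }
}

function demo() {
  const site = 'https://shop.example';                   // constructed origins
  const lookalike = 'https://shop-example.test';
  const device = new Device(), service = new Service(site);
  service.enroll(device.register(site));
  device.register(lookalike);                            // user also has a passkey on the look-alike
  const first = device.sign(site, service.newChallenge());
  const login = service.verify(first);
  const replay = service.verify(first);                  // same response presented a second time
  const relayed = service.verify(device.sign(lookalike, service.newChallenge()));
  return { login, replay, relayed };
}
```

Only the first attempt is accepted: the replay fails because each challenge is single-use, and the relayed response fails because it was signed for a different origin with a different key.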

To use passkeys, no program needs to be downloaded and there’s no membership to purchase. The most popular browsers and operating systems from Apple, Google and Microsoft have all integrated the procedure already. Everything points to passkeys becoming the new standard in the digital realm. This will also give companies the opportunity to set new benchmarks for cybersecurity and to close security gaps. So, for nostalgia’s sake, think up one last password. Just please don’t use your birthday—or “password”! 

PASSKEYS: THE ADVANTAGES AT A GLANCE

  • Hackers cannot guess them.

  • Users do not have to remember them.

  • They can be used across manufacturers and providers.

  • They are generated specifically for the linked website or app—so no dangerous duplicate use is possible.

  • The smartphone saves the passkeys in its cloud keychain and thus has them available at all times. They are encrypted end to end, and also cannot be read by the hardware manufacturer.

  • Passkeys cannot leave the devices on which they are stored, thereby protecting them from being leaked.
