TORONTO — Anna Pobletts has spent the last few years on a mission to make passwords a thing of the past, but passkeys — the technology that could replace them — have never truly been on the brink of widespread consumer adoption until this year.
"We're seeing some really big-name sites like EBay, Best Buy and (in early May) Google announced that they're supporting passkeys on your Gmail account," said Pobletts, head of passwordless at 1Password, a Toronto-based password management company.
"It's really a tipping point all of a sudden, when one billion users could add (Gmail) passkeys, if they want."
The move followed Apple, Shopify, Microsoft, DocuSign and PayPal, which were already supporting passkeys — a digital credential based on cryptography that can unlock accounts with a mere flash of your face or fingerprint scan on your phone.
Passkeys are thought to be more secure than passwords because there is no string of characters, numbers and symbols to memorize, making them harder to hack. They don't need to be changed, can't be stolen by someone guessing or peeking over your shoulder and there's no way to accidentally use one on the wrong website.
"Passkeys are so exciting because ... it's actually more efficient and more secure," said Claudette McGowan.
After 19 years at the Bank of Montreal and almost three at TD Bank, she recently founded Protexxa, a Toronto-based platform that leverages artificial intelligence to rapidly identify and resolve cyber issues for employees.
During her years in banking, passwords were the top vulnerability.
"When things went off the right path, it was never because the encryption wasn't working or the firewalls wasn't working," she said. "There was always a human in the middle."
Passkeys, however, are a defence against phishing attacks, where people are duped into giving their passwords to hackers who send them emails or texts with login pages posing as legitimate businesses.
All 2,000 respondents in an online survey conducted for 1Password in January said they either received a phishing message in the past year or know someone who did.
Passkeys make phishing attacks obsolete largely because of their structure. Passkeys, 1Password says, have two mathematically linked parts — a public key shared on a website or an app you have an account with and a private key that always stays on your device.
When you log into an account, the website or app's server sends a scrambled "riddle" that can only be solved by the private key, which is then authorized to be solved by a user’s biometrics. Once the riddle is solved, the service knows the public and private key match and will sign the user in.
It's impossible to reverse-engineer one key from the other. Without physical access to your devices and a way to unlock them like your fingerprint or face, no one can log in to your passkey-protected accounts.
So why hasn't the world gravitated to passkeys sooner?
"Passwords are a 60-year-old technology," said Andrew Shikiar, executive director and chief marketing officer of the Fast IDentity Online (FIDO) Alliance.
"It's hard to replace them because they're so ingrained in everything we do and passwords have the advantage of ubiquity. You can enter a password anywhere and you know how to do it."
Passwords became the norm in part because of the late Fernando Corbató, a computer scientist at the Massachusetts Institute of Technology.
In the 1960s, MIT researchers like Corbató were using a Compatible Time-Sharing System, where users in different locations could simultaneously access a single computer system through telephone lines.
The model didn't offer much privacy for files, so Corbató developed the password, which was eventually adopted by just about every company looking to safeguard access to files and systems.
But the FIDO Alliance, a global group aimed at reducing data breaches, is keen on disrupting that reliance on passwords.
"The vast majority of data breaches are caused by passwords, so really by solving the password problem, you're solving the data breach problem," Shikiar said.
And the FIDO Alliance has plenty of allies in the fight.
Its members include 1Password, Google, Apple, EBay, Amazon, Twitter, Facebook owner Meta and PayPal, American Express, Sony and TikTok. (1Password will start supporting passkeys on June 6 and let users unlock their 1Password account with a passkey in July.)
Some have joined because they see people abandoning online shopping carts when they don't remember their passwords, while others just want to make their products safer or easier for customers.
But adapting websites, apps, servers and more to accept passkeys "can be tricky," Pobletts said.
"It's definitely more complex than passwords, partially because it's new."
The FIDO Alliance has created standards to help companies make the move and Shikiar is confident household names shifting toward the technology will spur others to adopt passkeys.
But for the technology to really be a hit, the public will need education, he and Pobletts said.
1Password's survey found only one quarter of respondents had even heard of passwordless technology and 42 per cent are not using biometric logins yet.
Some have misconceptions about how either technology works, Pobletts said.
"Sometimes people don't realize that your biometrics are not getting sent to the website. They're not getting stored by Apple and no one's really holding onto your fingerprint data or your retina scan," she said.
"But once people know and understand that your biometrics are safe ... they're really comfortable with it."
Shikiar also expects people to adapt to passkeys because they won't be implemented all at once.
Many companies will encourage customers to try them while keeping a password, which they will find themselves relying on less and less over time before the technology is phased out entirely.
"There's a happy inevitability about it," he said, adding that he thinks within the next three years most services will be offering passkey support.
"No one's like, 'oh my gosh, give me more passwords,' whether it's a consumer or a company. Everyone's ready to move past them."
This report by The Canadian Press was first published May 19, 2023.
Tara Deschamps, The Canadian Press
