Passwords versus Passkeys: Encryption in the Palm of Your Hand
In the movie Spaceballs, by famous comedian Mel Brooks, there is a scene where Dark Helmet (a Darth Vader spoof) kidnaps the Princess of the planet Vespa in an effort to get her father, the king, to give him the password to the shield protecting the planet. After much back and forth, the king finally relents. With great remorse, he intones the password slowly and deliberately.
“The password is…1….2….3……4……5.”
Dark Helmet removes his visor revealing actor Rick Moranis who exclaims,
“1,2,3,4,5?! That’s the kind of combination an idiot would have on his luggage!”
As ridiculous and hilarious as this scene is, it contains more than a kernel of relevance in today’s endless world of login screens. It turns out that there are hundreds of thousands of people who use absolutely terrible passwords that are guessable by most 8-year-olds. In fact, the most common passwords used today are (and I am not making a joke here):
So it should come as no surprise that there is either something inherently wrong with people’s sense of security or something inherently unrealistic with the way the login/password system is designed. Perhaps, it’s a little bit of both. Either way, the powers that be across the internet have done everything they can to protect these soon-to-be luggage-less digital travelers. From 2 factor authentication (the bane of our existence that forces us from our login screen, to our email or phone, back to our login screen just to enter a website) to Google itself creating a wild string of letters, numbers, and punctuation that no human being could possibly remember and storing them for you in a password locker.
There must be a better way.
Well it turns out, there is. And it has been around for a while. Soon, however, the veritable mountain of passwords that we essentially keep in the junk drawer of our Chrome browser will be obsolete. Move over Password and hello Passkey!
What exactly is a Passkey and why is it better than a Password?
Most coders and web developers are already familiar with Passkeys. You see, when building a website from scratch it is common to protect the codebase so that evil hackers from around the globe can’t just walk in the front door of the file containing the code and steal data. One of the ways developers used to protect their client’s data was by storing a key (i.e. a long, long string of ridiculous symbols) on the device they are using to access and update the codebase. The keyhole, on the other hand, lives closer to the files where all the code is stored. Additionally, there is an actual password involved to initiate this process. So, if you wanted to developer access to the code base you would need both the password and the device itself where the key is stored. Together, this unlocks the codebase so that you can make updates, changes, and more.
Granted, that is a simplified explanation of the process, and since the advent of that system others have been implemented to further enhance the security of a codebase.
The point is that Passkeys are not new but they are inherently safer. Unless the thief had the device and the password, they would be stuck. What is new, however, is the fact that some companies today, are using biometric technology in our devices in order to trigger this process.
Passkeys are already in use today
Think about using your Chase banking app on your cell phone. You may have noticed that it asks you to place your finger on the finger scanner that lives on the back of your phone in order to open your account information. This acts as the ‘password’ that, when combined with the long key that lives on your device, unlocks the door to your data. While this is all well and good, and a number of companies from banking to travel websites have begun to employ this system, it didn’t really change how we use the internet. Website owners are slow to adopt new systems which is why it is a big deal that the all-mighty Google has decided to step in and speed up the adoption rate.
Sometimes Google wears a cape
Google has long tried to solve the problem of security on the internet. We are all painfully aware of the Captcha system on forms that once forced us to type the words of barely discernable letters on a screen in order to submit information. Or you may recall the next iteration where you had to select all the images that contained a crosswalk or a lamp post. Not very user-friendly, but hey, at least they were trying.
Passwords have been another pet project. As I mentioned earlier, Google conveniently stores passwords to all of your sites in your browser so that when you go to your favorite place on the internet, the username/email and password are auto-filled on your behalf. But in a world of people who literally use the word “password” as their password, this is not enough.
So Google intends to implement the Passkey system. It finally makes sense because all of our devices have technology that allows us to scan our fingers, our faces, enter a strange pattern across a spectrum of dots, etc. Combined with a key, the day is soon upon us when all of our individual passwords will be unnecessary. In a move that will rival the coming singularity between people and machines, we, ourselves, will become our own password. Think about that for a moment.
What do Passkeys have to do with insurance?
Well, it might not seem obvious at first but all of the precious data stored by many of Apis’s clients is protected by passwords. Our resident, credentialed security expert, Sharon, probably has night terrors when she realizes how few people have implemented 2-factor authentication. If the entire internet, however, switches over to using Passkeys, not only will Sharon sleep like a baby but all of your clients’ data will be incredibly less vulnerable. Entire industries centered around security will have to pivot and, of course, social hackers who phish for passwords will have to invent a far more sophisticated approach if they don’t quit altogether.
The coming password apocalypse will be a welcome day in the world of cyber security. And sure, while DDOS attacks and other hacks will still threaten our delicate digital ecosystem, phishing scams and social engineering to gain access to passwords will ostensibly be a thing of the past. And this can only be a net positive for our clients, their clients, and the world.