What are passkeys and why they matter for fintech
One of the fintech industry's biggest problems has been identity theft. When bad actors steal the username and password for a financial account, they put the account holder's money at risk. From banks to governments, and from individual users to other institutions, this is a major pain point.
Many personal devices, such as phones and browsers, have a built-in mechanism to save passwords. While this simplifies login, it also means anyone who has access to your device may also have access to your passwords.
Another problem with passwords is that when one is compromised, the entire account is compromised and the password has to be changed. Since the average user owns multiple devices, they then have to go through the login process again on every one of them.
Passwords also expire and have to be changed regularly. Users tend to reuse the same password everywhere, so if your public library account password is compromised, it may well be your banking password too.
Simplifying the password security story
A passkey is an asymmetric-key cryptography solution to the password problem. Asymmetric-key cryptography works on the concept of a public and a private key. As a user, your computer generates a pair of keys: the private key never leaves your computer and is protected by your operating system, while the public key is sent to the application during the signup process.
The next time you try to log in, your computer uses the private key (which is the secret) to sign a piece of text and passes the signature to the application, which verifies it using the public key. This process is called digital signature verification.
The user never has to use a password; the OS and the application work this out between themselves.
Passkeys are hard to steal.
A passkey is a private key, which is a large blob of bytes. No user can remember it, which means a user also cannot write it down or tell it to anyone. This reduces the possibility of users leaking their credentials.
This private key is a file stored locally on the device, so the only way to steal it is for an attacker to have access to that physical device. Even then, the attacker would somehow have to extract it from the operating system's key store, which would require bypassing the operating system's security mechanisms such as biometric login, PIN code or password.
Many modern devices use specialized TPM chips to store the keys. This ensures the private key never leaves the computer.
Passkeys can be invalidated individually.
If you have multiple devices, you will have multiple passkeys, one per device, and each of them will be different. This means that if your phone gets stolen, you can simply wipe that device and don't have to change anything else. Your other devices continue to work as before, without interruption.
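The signup and login exchange described under "Simplifying the password security story", together with the per-device invalidation described in this section, as an added example in Go that is not part of the original post. The device and the application are simulated in one process; Ed25519 is assumed for the key pair (real passkey authenticators commonly use ECDSA P-256, and the real protocol, WebAuthn, carries more fields than a bare challenge), and the user and device names are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the user's phone or laptop. The private key is held here and
// never exposed; the only thing that leaves the device is a signature.
type Device struct {
	Name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewDevice generates the key pair on the device itself (Ed25519 assumed).
func NewDevice(name string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: priv, pub: pub}, nil
}

// PublicKey is what the device sends to the application at signup.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Sign is the only operation done with the private key: after the user unlocks
// the device, it signs the challenge issued by the application.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// RelyingParty models the fintech application's backend.
type RelyingParty struct {
	keys    map[string]map[string]ed25519.PublicKey // user -> device -> public key
	pending map[string][]byte                       // outstanding challenge per user
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		keys:    map[string]map[string]ed25519.PublicKey{},
		pending: map[string][]byte{},
	}
}

// Register stores one device's public key under the user's account.
func (rp *RelyingParty) Register(user, device string, pub ed25519.PublicKey) {
	if rp.keys[user] == nil {
		rp.keys[user] = map[string]ed25519.PublicKey{}
	}
	rp.keys[user][device] = pub
}

// Revoke invalidates a single device's passkey; the user's other devices keep working.
func (rp *RelyingParty) Revoke(user, device string) {
	delete(rp.keys[user], device)
}

// Challenge issues a fresh random challenge for a login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the public key registered for that
// device. The challenge is consumed on first use, so a captured signature
// cannot be replayed later.
func (rp *RelyingParty) Verify(user, device string, challenge, sig []byte) error {
	expected, ok := rp.pending[user]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, user)
	pub, ok := rp.keys[user][device]
	if !ok {
		return errors.New("no passkey registered for this device")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty()
	phone, _ := NewDevice("phone") // constructed device name
	rp.Register("alice", phone.Name, phone.PublicKey())
	c, _ := rp.Challenge("alice")
	fmt.Println("login from phone:", rp.Verify("alice", phone.Name, c, phone.Sign(c)))
	rp.Revoke("alice", phone.Name)
	c, _ = rp.Challenge("alice")
	fmt.Println("login after revocation:", rp.Verify("alice", phone.Name, c, phone.Sign(c)))
}
```

Two checks in `Verify` carry the weight of the section: the signature must verify under the public key stored for that specific device, so a key from another device (or a stolen backup of the public key) is useless, and each challenge is accepted once, so recording a successful login and replaying it fails.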
Passkeys are incredibly fast
Passkeys are incredibly fast because they do not involve the user typing anything or following some awkward password validation rules. A user usually only has to unlock their device, often with biometric authentication, and they are authenticated seamlessly.
Faster logins mean better experience and more conversions.
Downside of Passkeys
While passkeys are incredibly safe and convenient, they are ultimately managed by the operating system and are only as safe as your device's password or authentication mechanism. If the device itself is compromised, then all passkeys on that device are accessible to the bad actors.
Conclusion
Without a doubt passkeys have proven to be extremely convenient and safer than passwords. This means increasingly everything is