🧠Knowledge Series #23: Passkeys explained
Why passkeys are the future and how product teams can implement them
🔒The Knowledge Series is a collection of easy-to-read guides designed to help you plug the gaps in your tech knowledge so that you feel more confident when chatting to colleagues. Clearly explained in plain English. One topic at a time.
Hi product people 👋,
Let’s be honest: of all the topics that product teams get to explore, security is not one of the most riveting. It’s often seen as the responsibility of others outside the product team, such as SecOps or DevOps, but the rise of generative AI has given criminals more opportunities to create sophisticated phishing attacks and fake identities, which has put security back near the top of many companies’ agendas. As a result, product teams are increasingly under pressure to learn more about cybersecurity so that they can preemptively bake protective measures into their products.
One development that has been getting a lot of traction in recent months, and that is particularly important, is the introduction of passkeys. Not only are passkeys an important development from a security perspective, but if a team chooses to adopt them, they also have a significant impact on the UX of critical journeys like registration and login.
Companies like Uber, Apple, Amazon and Microsoft have all declared their support for passkeys in recent months, and now is the time for product teams to explore how this new technology might fit into their stack.
In this Knowledge Series, we’ll explore passkeys from a product perspective so that if you and your company are considering implementing them, you’re fully up to speed with everything you need to know.
Coming up:
What are passkeys and why should you care?
Why companies like Uber, Apple, Microsoft and others are implementing them
How you can implement them in your product - a step-by-step guide
Other security trends and threats you need to know about in brief
A full list of 100+ companies who support passkeys
What are passkeys?
Passkey is the name given to a digital key used to access products, designed to replace traditional passwords. They’re reasonably confusing at first, but once you get your head around them the concept is straightforward - and it’s easy to see why they’re an excellent contender to replace passwords once and for all.
To help you understand, here’s a diagram which explains how passkeys work using a super simple example.
The diagram includes 3 important things:
Your devices
Private keys
Public keys
Your devices are the things you’ll use to authenticate yourself, like your mobile phone or your laptop. When you create a passkey for a website or service, your device creates a unique pair of digital keys specifically for that account: a public key, which is shared with the website, and a private key, which stays securely on your device.
When you attempt to log into a website, it will ask for your passkey rather than a password. Since the passkey is stored on the device you're using, you confirm that you hold it by proving you are who you say you are, typically with a fingerprint, a facial scan with FaceID or a PIN. If everything matches as it should, you’re granted access; if not, you're not. The private key never leaves the device; the user simply proves they have it by answering a cryptographic challenge.
Passkeys vs. Passwords: the benefits of using passkeys
Each passkey is unique to each account and device, which means you use a different passkey for every product or service you interact with. This helps with security because users are prone to re-using passwords. Not only does this do away with passwords completely, it also creates a unique passkey for each account, which adds an extra layer of security.
Even if a hacker gets access to a public key stored by the website, they can’t impersonate the real user, since they don’t have the corresponding private key, which is locked on a device. Compare that to a password leak, which often includes other credentials like email addresses that can be used to compromise a user’s entire login details, and it’s easy to see why passkeys are so powerful.
Here’s how passkeys compare to passwords:
Companies who currently support or are implementing passkeys
Passkeys suffered from a lack of adoption in the past, but more recently a number of major companies have declared their support for the technology (see the full list of companies who support passkeys at the end of this post).