Passkeys, and how an easier authentication method is also a more secure one

I am sure you have experienced it: your IT team, your bank, a government department or your favourite social media platform has required you to set up Multi-Factor Authentication. Usually this means an email, a text message, a code from an app, or a biometric scan, to show that you not only know the account's password (the first factor) but also have a second factor (something you possess, or something you are). You know how kludgy this can be, fumbling with your phone or another device, slowing you down from getting into the resource you need.

But what if there were a system that was easier to use, and at the same time more resistant to account takeover attempts?

The Magical Door: A Tale of Passwordless Authentication

Imagine you’re in a magical world where each website is a different door. Some doors are for fun places like game rooms (like Xbox Live, or PlayStation Network), some lead to learning spaces (like edX, or Pluralsight), and others take you to places where you can chat with friends (like Mastodon, or Signal).

In the old days, to open these doors, you needed a secret word, a password. You would whisper this secret word, it would travel through a secret tunnel, and if it was the right word, the door would open. But there was a problem. What if a naughty goblin was hiding in the tunnel and heard your secret word? He could use it to open the door when you’re not there! Or what if you used the same secret word for multiple doors?

The Problem with Passwords

This is like when you use a password to log into a website. The password is sent through the internet (the secret tunnel) to the website (the door). If someone intercepts it (like the naughty goblin), they can pretend to be you. To make it worse, those goblins sometimes set up doors that look almost identical to the real one, and it is up to you to tell the difference between two very subtly different doors before you whisper your secret word into the wrong one.

Multi-Factor to the Rescue!

So the wizards came up with a way to defeat some of the naughty goblins: they made it harder for you to log in by making you recite a second incantation, or wait for an owl to deliver a one-time code. This is Multi-Factor to the rescue. But it got in the way, and made logging in slower and harder. And some of those naughty goblins have figured out how to get past this new set of tricks too: a fake door that asks for the owl's code and passes it along to the real door within the minute gets in just fine.

The Magic of Passkeys

But now we have a new kind of magic called Passkeys. With Passkeys, your magic creates a separate spell for each door, and it knows each door's distinguishing features. Each spell has two halves: a secret half that never leaves your magic, and a public half that you hand to the door when you first enroll. The secret half is never sent through the tunnel. Instead, the door asks you a fresh question each time (this is called a challenge), and you answer by combining the challenge with your secret half (the response). The door checks the answer with the public half it holds, but it never learns your secret. So even if a goblin is listening, he hears nothing he can reuse, and the door's copy of the public half is useless to anyone who steals it.

No More Impersonation

This also means that if a goblin tries to trick you by building a fake door, your magic sees that the door is different and will not use the real door's spell there. Because each spell is bound to one door, the goblin can't relay a challenge from the real door through his fake one and trick you into answering it: whatever answer you give, if you give one at all, is for his door and is worthless at the real one. This is how Passkeys protect you from someone pretending to be a website you trust.

How the Challenge Works

When the door sends a challenge (a question), it is akin to saying, "Here is a fresh random number; mark it with your secret." Only you hold the secret half of the spell, so only you can produce the right mark, and the door checks it against the public half it was given when you enrolled. The goblin, who doesn't know your secret, can't produce the mark. And because the number is different every time, a mark he overheard yesterday opens nothing today.

So, that’s how Passkeys work! They’re like a magical secret that lets you open the doors you want to, without worrying about goblins stealing your secret.

*This is a highly simplified analogy of how the cryptography behind Passkeys works.

Putting it all together

But how is this better? Well, previously you had to type a password and then complete the MFA challenge. With a passkey you do one thing: unlock your device (with a PIN, fingerprint or face) and it answers the door's challenge for you. Both factors, the key you possess and the unlock you know or are, happen in that single step, and there is no password left to phish, guess or reuse. It is simple enough that you should try it out: What is a passkey? | Passkey.org