"Passkeys" are a new, more secure, and user-friendly alternative to traditional passwords for authenticating into websites and applications. They are designed to replace passwords entirely and significantly reduce reliance on phone numbers for authentication, especially for the common SMS-based One-Time Passcodes (OTPs).
What are Passkeys?
A passkey is a digital credential tied to a user account and a specific website or application. Instead of a memorized string of characters (a password), a passkey uses public-key cryptography to authenticate a user.
Here's how they generally work:
Key Pair Generation: When you create a passkey for an online service, your device (e.g., smartphone, laptop, tablet) generates a unique pair of cryptographic keys:
A private key, which remains securely stored on your device and never leaves it. It's often protected by the device's built-in security features, such as a Secure Enclave or Trusted Platform Module (TPM).
A public key, which is sent to and stored by the website or application you're signing up for.
Authentication Process:
When you want to sign in, the website or app sends a "challenge" (a random piece of data) to your device.
Your device then prompts you to verify your identity locally, typically using your device's screen unlock method (e.g., fingerprint scan, facial recognition, or PIN).
Once verified, your device uses its private key to cryptographically "sign" the challenge.
This signed challenge is sent back to the website/app, which uses its stored public key to verify the signature. If the signature is valid, you are authenticated and logged in.
Synchronization (Optional but Common): Passkeys can be securely synchronized across your devices (e.g., via iCloud Keychain for Apple devices, Google Password Manager for Android/Chrome, or Microsoft Account for Windows). This means you create a passkey once, and it's available on all your trusted devices, allowing for a seamless login experience across your ecosystem.
How Passkeys Reduce Reliance on Phone Numbers for Authentication:
Passkeys directly address the vulnerabilities and inconveniences associated with using phone numbers for authentication, primarily through SMS OTPs:
Elimination of SMS OTPs for 2FA:
SMS OTPs are a common second factor for authentication (2FA) after a password. However, they are highly susceptible to SIM swap fraud, where attackers trick telecom carriers into transferring a victim's phone number to a SIM card they control, intercepting the OTP.
Passkeys inherently incorporate a strong second factor by combining "something you have" (your trusted device holding the private key) with "something you are" (your biometric authentication) or "something you know" (your device PIN). This built-in multi-factor authentication means there's no need to send an SMS code to your phone number, eliminating the SIM swap vulnerability.
Phishing Resistance:
Unlike passwords (and even OTPs that can be phished), passkeys are cryptographically bound to the specific website or application they were created for. Even if an attacker creates a convincing fake login page, your device will not prompt you to use your passkey because the domain won't match the one the passkey is registered to. This makes phishing attempts largely ineffective. Phone numbers, conversely, are often used as targets in phishing scams to gain access to accounts.
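As an added example (not code from the original post), here is the registration, challenge, signature and verification flow described above, together with the origin check that gives passkeys their phishing resistance, written in Go with the standard library's P-256 ECDSA (the ES256 algorithm passkeys commonly use). The RP ID string, the "RP ID plus challenge" hash and the exact-match origin check are simplified stand-ins for WebAuthn's real clientDataJSON/authenticatorData structures and registrable-suffix rule, and the local biometric/PIN verification is assumed to have already happened before Sign is called.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Passkey is the device side: a private key that never leaves the device, bound to one RP ID.
type Passkey struct {
	RPID string // the site (relying party) this passkey was created for
	priv *ecdsa.PrivateKey
}

// Register generates an ES256 (P-256) key pair; only the public key is sent to the server.
func Register(rpID string) (*Passkey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{RPID: rpID, priv: priv}, &priv.PublicKey, nil
}

// NewChallenge is the server's fresh 32-byte random challenge for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// digest binds the challenge to the RP ID (simplified stand-in for WebAuthn's clientDataJSON hash).
func digest(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign is the device step: it signs only if the requesting origin matches the bound RP ID.
func (p *Passkey) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != p.RPID {
		return nil, fmt.Errorf("no passkey registered for %q", origin)
	}
	return ecdsa.SignASN1(rand.Reader, p.priv, digest(p.RPID, challenge))
}

// Verify is the server step: check the signature with the stored public key over its own RP ID and challenge.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(rpID, challenge), sig)
}
```

A lookalike origin never gets a signature at all, and a signature captured for one challenge does not verify for another, which is why neither a fake login page nor a replayed response gets an attacker in.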
No Shared Secrets on Servers:
With passwords, the server stores a hash of your password, which attackers can crack offline if the database is breached. With passkeys, the server only stores your public key, which is useless to an attacker without your private key (securely on your device). This means there's no sensitive data linked to your phone number (or any other identifier) for attackers to steal from the service's database to facilitate identity fraud.
Simplified Recovery:
While losing access to your device is a concern, passkey systems typically offer robust recovery options, often through cloud backups (like iCloud Keychain or Google Password Manager) or other pre-registered recovery methods (e.g., another passkey on a different device, or a recovery code). This provides alternatives that do not necessarily rely on your phone number being active or controlled by you for recovery.
In summary, passkeys represent a significant leap forward in online security and usability. By leveraging strong cryptography and device-based authentication, they offer a secure, convenient, and phishing-resistant way to log in, drastically reducing the need for traditional passwords and, critically, the reliance on phone numbers as a vulnerable link in the authentication chain.
What are "passkeys" and how do they reduce reliance on phone numbers for authentication?