Therefore you need to know more about them

Passkeys have been portrayed as, if not a revolution, at least an important reform for better IT security. Most of the major IT giants, such as Google, Apple, Samsung and Microsoft, have embraced the technology and urge their users to do so as well. However, many users have chosen to decline when asked to create a passkey, and the technology has not taken off as hoped. One explanation is precisely the absence of an explanation. When Google prompts you to create a secure key, you may first wonder why this has not already been done and how it differs from what you have today, and secondly you may be nagged by the suspicion that it could be a scam, which it is safest not to act on.

Another explanation for the confusion is that passkey is a word that arguably should be translated into Swedish, but there is no consensus on what it should be translated into. Apple and Samsung call it a passkey, while Google invites you to get a "secure key" and Microsoft calls it a "security key".

Although this is not the first article written about passkeys, there is still something of an information deficit that we will try to help remedy. There are also other reasons why the technology has met resistance, which we will explain, along with whether there are any problems with the technology itself.

What are passkeys?

One can, and we will, talk about public and private cryptographic keys, but to keep things simple for the user, the easiest way to explain to Swedish users what passkeys are is that they work like Mobile BankID. BankID uses a different technical solution than passkeys, but the principle is one we recognize. Just as with BankID, we create a passkey that we protect with a PIN or biometric login (fingerprint or Face ID), and which we then use to identify ourselves in all sorts of places. And above all, there is only one copy of your Mobile BankID: it lives on your phone and cannot be moved from there, and you have to create a new BankID if you lose or change your phone.

The advantages of BankID and passkeys compared to a username and password are several. First, you do not need to remember different usernames and passwords for different sites; the PIN for your key is enough, and not even that if you log in with a fingerprint or face recognition. Second, no one can log in as you just by getting hold of your password. Even if they obtained the PIN code for your Mobile BankID, they would also need the phone the BankID lives on to log in, and if you have lost it you can easily block your BankID and make the PIN code useless to the thief.


How does it work?

The principle behind passkeys is that there are two keys. One is the private key you have on your mobile, tablet or computer. It is encrypted and protected in every conceivable way, and cannot be moved and therefore cannot be stolen. The other key is public and is held by your passkey provider, such as Google or Apple. By fitting these two keys together, you can prove that you are the one who created them. The cryptography used means that the private key cannot be calculated from the public one.

When you want to log in to a service with a passkey, you bring out your key by unlocking your mobile; the service provider asks for access to the public key, the two keys are matched against each other, and the login is confirmed.

In practice, service providers want to make this step as smooth as possible for you, and they rarely talk about passkeys or secure keys, but simply ask you to log in by identifying yourself on your mobile. This is part of the educational problem: as a user you see no difference between Google using a secure passkey for the login and Google merely using its password-saving service on your device. But from a security point of view there is a big difference: with a passkey, no username or password is sent over the open internet where it can be intercepted, as happens in the latter case.

Shared passkeys


Google and Apple have circumvented one of the most important basic principles in their passkey solutions, and that brings with it another security risk.

That a passkey, like Mobile BankID, exists in only one place is of course an advantage from a security point of view, but it can also be a bit impractical. If you have a Google or Apple account, you probably log in to the same services on more than one device: computers, tablets and mobiles.

Both Google and Apple have therefore decided that in their passkey solutions the private key should not only be stored locally but also shared through the companies' cloud services. Once you have created a passkey, you have it available on every device where you are logged in with your Google or Apple account. Definitely convenient, but at the same time you have departed from the principle that is one of the reasons passkey technology is so much safer. Because in practice there is now more than one copy of your passkey, and someone could have access to one of the copies without you knowing it.

Compared to a solution like BankID, where anyone who wants to get at your login needs both your PIN and your mobile, in practice it is enough to get access to your Google or Apple login. Since then, both Apple and Google have added a number of security measures that make it harder for someone to log in with your ID on a new device without you noticing, and require biometric verification on several occasions to make the feature harder to get at.

What kinds of attacks do passkeys protect against?

Passkeys protect against several different types of cyberattack.


For one thing, you do not risk having your account hijacked through a password leaked in a hacking attack, since you use no password to log in. But another important form of attack that passkeys counter is phishing and social engineering in their various forms, where you are tricked into entering personal information on a web page.

This is thanks to the WebAuthn authentication standard used by most passkeys. Admittedly, your public key is publicly available, but thanks to WebAuthn a check is made that the party using the key is also the one it claims to be. It is therefore not possible to create a fake site resembling your bank's where you can log in with your passkey. Once again we can draw the parallel to Mobile BankID: if a site lets you log in with Mobile BankID, you are not only guaranteed that no personal login details can leak, but BankID also guarantees that the site is a serious actor.

The parallel is not 100 percent. Access to BankID is more restricted than to passkeys, and Google and Apple are big players who potentially need to vet millions of sites. Probably no one will be able to pose as your bank without being it, but perhaps as a seemingly serious service you want to use that in fact turns out to be a fraud operation which shuts down its website and disappears. Common sense still says to check out the services you use and not to enter personal information for no reason, but with passkeys you can feel a little calmer.

Why are passkeys struggling to break through?

Everyone wants to introduce passkeys, and that is part of the problem.

A couple of years ago, passkeys were talked about as a revolution that would more or less abolish passwords. That has not happened, at least not yet. We have already mentioned the poor job done of explaining what it is and why we should approve badly explained requests from Google and Microsoft, but there is another explanation as well. Google, Samsung, Microsoft and Apple all want to introduce passkeys, but they have no common technology.

This means that sites wanting to use passkeys instead of usernames and passwords must support a number of different technologies, and you as a user must choose whether to log in with Google, Samsung or perhaps Microsoft.

To once again compare with BankID: it would be as if each Swedish bank had its own BankID system, which it tried to get the owners of various websites to adopt. The result would probably be that only a few sites used a given bank's BankID, that it was mainly useful for logging in to your own bank, and then you would have difficulty seeing the benefit over using the bank's code device, and the technology would never take off.

That is not how it is, and it is probably precisely such cooperation that is needed for passkeys to seriously replace passwords. The potential is there, because the big players' passkeys are based on the same standards and are technically quite similar to each other. But we still see no cooperation toward a universal passkey.