New Delhi, April 25 -- Passkeys are a modern-day alternative to traditional passwords that offer better security and convenience. The passwordless authentication mechanism of passkeys work on the concept of cryptographic key pair mechanism. For example, if you want to configure a passkey for your X (Twitter) user account, your public key will be stored on the account server of the Twitter website, and your private key will be generated and stored on your device. Whenever you want to access Twitter, you can just directly login from that device via other methods like biometric authentication (Touch/Face ID), PIN, or patterns. This makes it very hard for hackers to intercept or misuse them. Not to mention, each passkey is unique to the corresponding website since they are automatically generated.
The challenges of growing digital adoption and poor password hygiene
India has come a long way in its digital transformation journey thanks to initiatives like Digital India, Startup India, UIDAI, UPI, Digi Locker, and more. Today, India ranks second only to China for the total number of active internet users, with over 90 crores. The fierce competition between Indian telecommunication companies also plays a part in this rapid user growth, by driving down prices and helping democratise accessibility to mobile devices and the Internet for Indians.
This accelerated pace of digital adoption also means that crores of first-time Internet users are exposed to today's new-age cyberattacks. Most times, the first (or the only) line of defence that protects users from these attacks is passwords. However, it's common knowledge that users tend to create passwords that are easy to guess, like password123 and admin123, while some use passwords that are even more easier to guess, like their name and a combination of birthdates or anniversary dates. They also reuse these passwords across multiple digital accounts, making matters worse.
Besides, in a workplace setting, the problem of password hygiene is compounded further by poor password sharing practices. Many times, passwords are shared between and within teams via printouts, spreadsheets, chats, emails, etc. These practices, when left unmitigated, increase the chances for password attacks that can, in turn, lead to data loss and crippling financial and reputational damages for the business.
According to Microsoft's Digital Defence Report of 2024, of more than 600 million identity attacks (a form of cyber attack that exploits and compromises the digital identity of individuals or organizations) per day worldwide, more than 99% are password-based. In fact, the number of password-based attacks grew from 4,000 attacks per second to 7,000 attacks per second between 2023-24. This is exactly where passkeys can help with their modern authentication mechanisms.
Why passkeys are comparatively secure than passwords
The overall design of the cryptographic key pair mechanism itself is relatively secure by default. The private key is the core part of a passkey's security. The following are some of the benefits that passkeys provide:
Passkeys are unique and hard to crack, making them more secure than passwords. Not only are they unique and auto-generated for each account, but the private key will work only from the device that it's tied to and nowhere else.
Passkeys will work only on authentic websites, making it impossible for users to fill them in on fake websites. A user's passkey-once associated with a website like amazon.com, for instance, will not autofill on fake phishing sites that mimic the original site. The private key will not pair.
Users can log into their accounts faster without remembering complicated passwords or weak passwords.
Passkeys can function as both a login mechanism and two-factor authentication, making it easy for users.
Multi-device sync will also allow users to access their favourite apps and websites from any device of their choice without re-enrolling every single time.
Besides, OS platforms today are coming up with their own security components for fortified protection of private keys. For instance, Windows and Android platforms work with Trusted Platform Module (TPM), a security chip that is present in most laptop or desktop computers, to store passkeys securely. Meanwhile, Apple works with Secure Enclave, and Samsung offers Knox for these purposes. This added security mechanism provides encryption at rest and during transit for private keys.
Passkeys adoption in India
FIDO Alliance's 2024 Online Authentication Barometer report states that there has been an approximately 54% increase worldwide in the familiarity of passkeys over the last year. This study was conducted with 10,000 participants from ten countries including the UK, France, Germany, the U.S., Australia, Singapore, Japan, South Korea, India, and China. Among these nations, China and India led the study, with more than a 70% adoption rate.
While the adoption rate looks promising in India, we still have a long way to go for a country as large and diverse as India. Most of our banks, insurance companies, hospitals, real estate, online travel aggregators, and many others are yet to offer passkey support to their apps and websites.
By the time businesses start offering passkey support across their apps and websites, users should also be in a position to understand the advantages of passkeys and how it can protect their data from cyberattacks. All stakeholders, including the Government, media, experts, public and private companies, need to be involved in making India a global leader in passkey adoption.
Published by HT Digital Content Services with permission from TechCircle.