For years, we have been held hostage by passwords. Complex sequences of letters, numbers, and special characters that we had to memorize, jot down on sticky notes (don't deny it!), or entrust to password managers. With every data breach, every phishing attack, every "forgot your password?", the frustration only grew. The password, that relic of the digital era, became the weakest link in our online security. But what if the end of that era is already here? And what if, with it, a new challenge emerges, worthy of a science fiction film?
We are talking about Passkeys, or access keys. They are not just an alternative to passwords; they are a revolution in the way we authenticate online. Imagine never having to type a password again. Sounds like a utopia? It is the reality that the FIDO2 and WebAuthn standards are building. Passkeys work with public key cryptography: your device (phone, computer) generates a key pair. One key is private, and it never leaves your device. The other is public, and that one is sent to the server of the site or application you want to access. When you try to log in, the site sends a random challenge, your device signs it with the private key, and the site checks the signature against the public key it has on file. You prove it is you without ever revealing the secret.

The unassailable advantage: if there is no password, there is nothing to leak
The benefits of Passkeys are clear and impactful:
- Immunity to phishing: Phishing attacks depend on you typing your password into a fake site. Each Passkey is bound to the site it was created for, and your device only uses it when the browser confirms it is on that real site, making phishing ineffective.
- Goodbye to data breaches: The biggest nightmare for companies and users alike. With Passkeys, the server does not store your password, only your public key, which cannot be used to log in as you. Even if a company's database is compromised, there are no passwords for criminals to steal. Simple as that.
- Simplicity and convenience: Authentication is done with biometrics (Face ID, Touch ID) or your device PIN. It is faster, easier, and infinitely more secure than typing complex passwords.
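The login flow and the phishing protection described above, as an added example (not code from the original article): a simplified Node.js model, not a complete WebAuthn implementation. The class names, the user `alice` and the hosts `shop.example` and `shop-example.test` are constructed for illustration, and matching a key to the exact hostname is a simplification.

```javascript
const nodeCrypto = require("node:crypto");

// Authenticator (phone, laptop): one key pair per site; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); } // hostname -> private key (simplified rpId)
  register(hostname) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(hostname, privateKey);
    return publicKey; // only the public half goes to the server
  }
  // `origin` is reported by the browser, not by the page, so a fake site cannot choose it.
  sign(origin, challenge) {
    const privateKey = this.keys.get(new URL(origin).hostname);
    if (!privateKey) return null; // no passkey exists for this site
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey) };
  }
}

// Server: stores public keys only and issues single-use random challenges.
class Server {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32).toString("hex");
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, assertion) {
    if (!assertion) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return false; // signed for a different site
    if (!this.pending.delete(challenge)) return false; // unknown or already-used challenge
    const key = this.publicKeys.get(user);
    return Boolean(key) &&
      nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), key, assertion.signature);
  }
}

// Constructed scenario: shop.example is the real site, shop-example.test a look-alike.
function demo() {
  const device = new Authenticator();
  const server = new Server("https://shop.example");
  server.enroll("alice", device.register("shop.example"));
  const assertion = device.sign("https://shop.example", server.newChallenge());
  const legit = server.verify("alice", assertion);
  const replay = server.verify("alice", assertion); // same assertion sent twice
  const phished = device.sign("https://shop-example.test", server.newChallenge());
  return { legit, replay, phished };
}
```

Calling `demo()` shows the real login accepted, the replayed assertion rejected, and no assertion produced at all for the look-alike host.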
In the meantime: what you need to stop doing today
Passkeys are coming, but while they are not everywhere yet, you are still vulnerable. And here is the truth: most of us are making it easier for hackers. Stop using the same password for everything. If a minor shopping site leaks your password, your main email account and your bank account will be at risk within minutes.
Ask yourself right now: If your main email account were compromised at this exact moment, how much of your digital and financial life would be in a stranger's hands in less than 5 minutes? The answer is probably alarming.
While the full transition has not happened yet, here is your survival kit:
- Use a password manager: Stop relying on your memory. Use tools like Bitwarden, 1Password, or your operating system's built-in keychain to generate and store unique, complex passwords.
- Enable 2FA (two-factor authentication) on EVERYTHING: But forget SMS. SMS is vulnerable to SIM swap attacks. Use authenticator apps (Google Authenticator, Microsoft Authenticator) or, even better, physical security keys.
- Protect your email as if it were your vault: Your email is the key to resetting all your other passwords. If it falls, everything falls. It should have the strongest password and the strictest 2FA of all.
The quantum provocation: will passkeys be secure forever?
Our current digital security, including that of Passkeys, is based on cryptographic algorithms that are extremely difficult to break with today's classical computers. But what if a type of computer capable of performing calculations on an unimaginable scale were to emerge? We are talking about Quantum Computing.
The public key cryptography algorithms that underpin Passkeys (such as ECDSA and RSA) are, in theory, vulnerable to attacks from sufficiently powerful quantum computers, using algorithms such as Shor's. This means that, in the future, an attacker with a quantum computer could, in theory, derive your private key from the public key, compromising your security.
Are we building a security castle that will one day be torn down by a new technology? The good news is that the security community is already moving. In April 2025, IANA (Internet Assigned Numbers Authority) updated the COSE (CBOR Object Signing and Encryption) specifications to include Post-Quantum Cryptography (PQC) algorithms, such as ML-DSA (based on the Dilithium algorithm). This means that Passkeys are evolving to become "Quantum-Safe", that is, resistant to quantum attacks.
This is the beauty and the madness of technology: with every problem solved, a new and more complex challenge appears. Digital security is a constant cat and mouse game, and Passkeys are our newest and most powerful weapon. But the race against time and against the advance of quantum computing has already begun. And I wonder: will we manage to maintain control over this new security frontier, or will progress itself force us to accept that the only constant is change? What we cannot do is stop learning and adapting to new realities.
Article originally published on GazzConecta.



