Thou Shalt Pass

As we near the end of the year, we’re going to go with a tech story today.  But it’s a fairly important one -- and also, rest assured, really easy.  So, bear with me.
 
It concerns passkeys, which are the future for replacing passwords.  You don't need to know this right now.  But -- you will be using passkeys to sign into websites and even Windows sometime in the near-future.  In fact, they aren’t even just the near-future, passkeys are here right now for many websites (and for logging into Windows and Apple computers).  But the concept of passkeys is probably a bit bewildering to most people.  The thing is – it’s actually very easy to understand…when explained properly.

Which brings us to this.
 
I’ve mentioned my friend Ed Bott on this site occasionally.  Ed is a great, award-winning tech journalist who writes a wonderful column on ZDNET (which you can find here).  You've heard the expression, "He wrote the book on..."  Well, Ed literally "wrote the book" on how to use the Windows -- the current and earlier versions, each published by Microsoft Press.  His most-recent, an 816-page tome on using Windows 11 can be found here.

That's how smart and good Ed is.  For his column, he writes about very high-tech subjects, but in clear, human English, often with a good dose of Bottian humor. 

And last week, Ed had a superb article about passkeys.
 
He notes in the piece – “After a lengthy online exchange on the subject with a friend who finally achieved an "Aha!" moment, I think I figured out why the topic is so confusing.”
 
I can speak from personal knowledge when I say how terrific the column is – because the “friend” Ed refers to is…me!  About six weeks ago, I’d read yet one more article purporting to explain how easy passkeys are, and it was utterly bewildering.  So, I wrote to Ed about passkeys being so convoluted.  And that began a long exchange of emails between us, where he tried to explain them – until, finally, after a barrage of questions, I did indeed have that “Aha!” moment.  And for Ed, as he writes in this column, based on that exchange, it was an “Aha!” moment for him, as well, in realizing how to explain it easily.
 
The challenge in explaining what a passkey is and how it works, he notes, is that “A passkey is not a tangible thing -- it's an abstraction.”  And Ed figured out how to easily explain the abstraction.

(I try not to bug Ed too much with techie questions, since I know he SO graciously spends a lot of time explaining them.  Amusingly, in checking our passkey exchange, my first email to him had the Subject line:  "Minor passkey question."  Ha!  It turned into anything but that!  I'm deeply appreciative each time he goes into Bott Mode and explains so wonderfully, but he always says that "Explaining is what I do," and adds that often my questions and our discussions lead to column ideas for him.  My favorite came after a lengthy exchange we had about me getting a new computer and all the options.  He later wrote an article about it, and in a video interview about the column, he told the interviewer, "I was having a discussion with a friend -- let's call him....."Bob".)
 
I’ll let Ed's passkey article speak for itself, because it’s so good and so fun to discover one’s own “Aha!” moment.  But just to put it in perspective and set the table, I’ll give a very brief, easy -- and very simplistic -- background.  But it should give you a basic starting point.
 
First, the reason to get rid of passwords is that a password can be figured out by scammers or stolen.  Passkeys cannot.  Passkeys only reside physically on your own computer (or tablet or phone).  And they’re hidden in a totally secure area on your system – so hidden that even you don’t know where they are.  As Ed wrote to me in our email exchange, "That passkey can't be stolen. It's locked in a secure vault and is never exposed. Ever." 
 
And second – and this is part of the “Aha!” moment realization – is that passkeys are nothing more than like a high-tech handshake between the website you’re logging into and that hidden passkey on your system. Think of it this way: 

When you’re asked by a website, “Do you want to log in with a passkey?” and answer yes, that website checks to see on its own site that “Oh, okay, this person has a passkey” -- and it then sends a question  to your device, to ask “Is this person who they say they are?”  What your system then does is simply confirm that the request came from a legitimate site, and then asks you to confirm your identity.  Once you do, your computer goes ahead and checks that secure, hidden area that is physically on your system to see whether you really do have a saved passkey.  If it finds one, it sends a confirmation back to the website (but does not send the passkey itself!), and you get access.  Again, to clarify, the passkey is never even sent.  It stays secure and hidden on your system.  The only thing sent back is the confirmation that all is well, so let the person into your website.
 
That’s it.  There’s nothing for you to remember.  No keystrokes that an outside hacker can steal. No way at all for an outside scammer to get access to your passkey unless they literally are sitting at your system and using it.  (And even at that, they still have to be able to first identify themselves with either biometrics, like facial recognition, or the PIN you set up on your device to log in.)
 
So, that's what a passkey is:  just the website you want to log into shaking hands with the passkey hidden on your system, and matching.
 
That’s all.  That’s also just a very basic explanation.  Ed explains it so much better.  So clearly.  So simply.  So much more enjoyably.  And his article also has more, interesting things to know about passkeys and using them on multiple devices.
 
So, do yourself a favor and take a look at his article about it here.  
 
Because passkeys are here already.  (I use about a dozen so far.)  And they are going to eventually replace passwords.  Because they are extremely safe.  And easy.