Explaining Passkeys with Way Too Many Analogies
If you think about it, using passwords to log in is really weird.
When you sign up, you’re basically shouting a secret word over the ether to the server. The server hears your word, writes it down, and stores it.
Then when you want to log in, you shout your secret word to the server again. The server hears the word, writes it down, and checks it against their note. If it matches, you’re logged in.
At this point, I hope you find it as weird as I do: shouting my word every time I log in? How is that “secret”? What happens if someone else hears it? What happens if someone hacks into the server and steals the notes? What happens if someone tricks you into telling them the word?
We can solve some of these problems by making our secret word complicated and hard to pronounce. To prevent people from overhearing it, we can whisper it over a walkie-talkie. To stop hackers, the server can write their notes with a handwriting so ugly it’s unrecognizable by anyone. But if you get tricked and give your secret word to some baddies… we don’t have a good solution.
I mean sure, let’s be vigilant and always on the lookout for baddies. But what if the baddies are really good at pretending to be trustworthy? Then it’s hard to say. Even security experts come close to falling for that.
Enter Passkeys
Passkeys are designed to solve these problems. With passkeys, the sign-up and login flow differ a bit. When you sign up, you create a key and a lock—digitally, of course—and only pass the lock to the server.
When you log in, the server locks a box with your lock and gives it to you. You unlock the box with your key and send it back. The server then checks if the box’s contents match what it had before. If they do, you’re logged in.
Notice how in both the sign-up and login flows, your key never leaves your house. You’re unlocking the box in the safety of your house, so you never have to worry about baddies. If baddies try to trick you into handing over your keys, well, your key never leaves your house, so you wouldn’t even know how to give it to them.
The makers of passkeys are thinking one step ahead. What if someone breaks into your house? To solve this, they put your keys inside a strongbox in your house, out of reach of everyone—even you. You can use the keys by scanning your face at the strongbox, and the rest is taken care of.
This made some people uneasy. If my keys are out of my reach, are they even mine? What if I own multiple houses, or move house? Don’t worry, the strongbox is magic and will be teleported to your new house. What if I own a different type of house that comes with a different type of strongbox? Don’t worry, you can create separate pairs of keys and locks for each of your houses. And I heard the passkey makers are coming up with a way to move keys between different types of strongboxes, too.
Some people are still unhappy. They don’t want to use the strongboxes that came with their houses. What if I get chased out of my house for some reason? What if I want to live in a cave?
Maybe one day, you’ll be able to hide your keys under your pillow, which you can control, and bring with you wherever you move. Maybe you’ll be able to download blueprints of different strongboxes and build your own.
In the end, it’s about responsibility. Do you want to be responsible if your passwords get stolen? Or do you want to trade some control for convenience? Only you can answer that.