Security

Passkeys vs. Passwords: Enhanced Security in K-12 Schools

Tech companies are testing new authentication methods to confound hackers and free users from remembering complicated passwords.

Alexandra Shimalla

Alexandra Shimalla is a freelance journalist and education writer.

Most technologies will require users to update their passwords at a regular cadence, increasing the security level, strength and difficulty of the combination of letters, numbers and special characters. The National Cybersecurity Alliance encourages strong passwords as a priority for maintaining strong cybersecurity.

However, last year, Google, Apple and Microsoft announced plans to support passkeys, a stronger alternative to passwords. Earlier this year, Google integrated passkeys into some versions of Google Workspace.

What Is a Passkey?

There are quite a few ways to authenticate identity when logging in to a secure account: traditional passwords, multifactor authentication and now, where available, passkeys. Passwords are the traditional mix of letters, numbers and special characters that are paired with a username or email address to access an account or website.

Multifactor authentication is the next step: Users pair a device with their account, and once the username and password have been entered, a code is either called in, texted or emailed to the paired device for the user to enter into the computer.

Passkeys, however, take cybersecurity to another level by using biometrics or lock-screen data.

In a Google Security blog written by Arnar Birgisson and Diana Smetters, of Google’s Identity Ecosystems and Google Account Security and Safety teams, passkeys are described as a more convenient and safer alternative to passwords. “They work on all major platforms and browsers, and allow users to sign in by unlocking their computer or mobile device with their fingerprint, face recognition or a local pin,” the authors explain.

Click the banner to learn about cybersecurity solutions and services for your K–12 institution.

Passkeys vs. Passwords: Which Method Is More Secure?

“Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard,” the Google blog notes. “In addition, even the most savvy users are often misled into giving them up during phishing attempts.”

With passkeys, once a user authenticates the device, he or she can switch between devices and browsers without a problem. The authentication uses a fingerprint sensor, face recognition or the device’s unlock pin, as explained in this Google Developer article.

The National Cybersecurity Alliance describes passkeys like this: When a user enables passkeys on a device, it creates a private and a public key. When someone tries to log in to, say, a Google account using the public key, the site will issue a challenge to prevent a hacker from accessing the account by sending a confirmation to another linked device — the private key — which typically lives on the user’s phone. The confirmation prompt will ask the user to unlock the device, using face recognition, a PIN or fingerprint scan (whichever method is currently used to unlock the phone). Once the private key is confirmed and authenticated, the public key works, and the user can access his or her Google account.

“In the cyber world, we talk about the ‘kill chain,’” says Sunil Mallik, vice president of product and platform security at Discover Financial Services and a National Cybersecurity Alliance board member.

Lockheed Martin developed the concept of a cyber kill chain, defining this linkage as the process by which a hacker finds a victim, targets them, then exploits their data for financial or other incentives.

“With passkeys, the hackers need to have access to the user’s portal or device. It breaks the kill chain and makes it harder for hackers to compromise systems,” says Mallik.

The Pros and Cons of Using Passwordless Authentication for K–12

In the K-12 education space, the usefulness of passkeys becomes muddy. In fact, Google does not currently allow schools or educational institutions to use passkeys.

“In the education space, managing security is a challenge,” says Mallik. “Designing security is not one-size-fits-all.”

The education space has various users, each group with its own set of behaviors: students, teachers and leadership. The majority of K-12 students might not have a phone to connect to their school laptop, and the only information they’d be accessing in Google Workspace for Education would be homework and other assignments — nothing confidential or high-risk.

Teachers and leadership, on the other hand, might be a good group to use passkeys, Malik says, as they have access to personally identifiable information, such as students’ grades and other personal information.

You always have to balance the risk with the technology and controls you’re putting in and what you’re trying to protect.”

Sunil Mallik Vice President of Product and Platform Security, Discover Financial Services

“Schools might selectively implement passkeys for high-risk users or high-value assets,” says Mallik, referring to teachers, counselors, principals and superintendents.

It’s also important to consider the availability of IT resources to support the addition of passkey protection to Google Workspace. Does the district have enough staff to support implementation and respond to users’ questions?

Also worth noting: Passkeys, much like any type of security, do not provide a frictionless experience, says Mallik. “Every time you can improve the security, there is some element of friction that’s introduced because we want to make it difficult for the threat actors.”

LEARN MORE: What could federal attention to K–12 cybersecurity mean for your school?

What to Know About the Future of Passkeys and Cybersecurity

In education, where passkeys might be irrelevant for some users, security may be better served by a longer password.

“You can have a really long password or passphrase, and you’re making it harder for anyone to guess your password or compromise your password. You have to find the right balance and the specific use case,” says Mallik.

Counselors, however, may be a better case for passkeys, given their access to highly confidential student and parent data.

Mallik suggests always considering the worst-case scenario when trying to determine whether passkeys are appropriate for various user groups. If a hacker accessed a particular group’s account, what is the worst that could happen?

“You always have to balance the risk with the technology and controls you’re putting in and what you’re trying to protect,” he says.

Illustration by Olly Kava