Passkeys vs. Passwords: Which Method Is More Secure?
“Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard,” the Google blog notes. “In addition, even the most savvy users are often misled into giving them up during phishing attempts.”
With passkeys, once a user authenticates the device, he or she can switch between devices and browsers without a problem. The authentication uses a fingerprint sensor, face recognition or the device’s unlock pin, as explained in this Google Developer article.
The National Cybersecurity Alliance describes passkeys like this: When a user enables passkeys on a device, it creates a private and a public key. When someone tries to log in to, say, a Google account using the public key, the site will issue a challenge to prevent a hacker from accessing the account by sending a confirmation to another linked device — the private key — which typically lives on the user’s phone. The confirmation prompt will ask the user to unlock the device, using face recognition, a PIN or fingerprint scan (whichever method is currently used to unlock the phone). Once the private key is confirmed and authenticated, the public key works, and the user can access his or her Google account.
“In the cyber world, we talk about the ‘kill chain,’” says Sunil Mallik, vice president of product and platform security at Discover Financial Services and a National Cybersecurity Alliance board member.
Lockheed Martin developed the concept of a cyber kill chain, defining this linkage as the process by which a hacker finds a victim, targets them, then exploits their data for financial or other incentives.
“With passkeys, the hackers need to have access to the user’s portal or device. It breaks the kill chain and makes it harder for hackers to compromise systems,” says Mallik.
The Pros and Cons of Using Passwordless Authentication for K–12
In the K-12 education space, the usefulness of passkeys becomes muddy. In fact, Google does not currently allow schools or educational institutions to use passkeys.
“In the education space, managing security is a challenge,” says Mallik. “Designing security is not one-size-fits-all.”
The education space has various users, each group with its own set of behaviors: students, teachers and leadership. The majority of K-12 students might not have a phone to connect to their school laptop, and the only information they’d be accessing in Google Workspace for Education would be homework and other assignments — nothing confidential or high-risk.
Teachers and leadership, on the other hand, might be a good group to use passkeys, Malik says, as they have access to personally identifiable information, such as students’ grades and other personal information.