Tech companies adopt passkey features for convenience, safety

[Graphics by Kim Eo-jin]

Passkeys, an alternative to passwords that allow users to log in via biometric authentication such as fingerprints, facial recognition, or PINs, are gaining attention globally.

They have been adopted by major services like Google LLC, Microsoft Corp., Samsung Electronics Co., and Apple Inc., and are now used on platforms such as X, formerly Twitter. The trend points to an increasing number of services that make logging in convenient without needing to remember complex passwords.

According to sources from the information technology (IT) industry on Tuesday, X started supporting passkeys for iOS users in April 2024 and has expanded this to Android users since last week. The passkey method is a new digital identity verification standard established by the FIDO Alliance, an international standards organization in online authentication. The core of this method is using a passkey stored on the user’s device for login via biometric verification instead of using a password.

To create a passkey, users need to access the account management menu of a service that supports passkeys, such as Google. In the security menu under account management, selecting the passkey option activates the passkey after a one-time password verification. Users can then log in using biometric authentication or a PIN instead of a password. Galaxy smartphone users can store and manage the passkey in the Samsung Pass application, while iPhone users store theirs in iCloud Keychain.

In South Korea, KT Corp. is working on implementing passkey-based biometric authentication in its My KT app and has applied a similar biometric login method in its PASS app. LG Uplus Corp. is also considering adopting passkeys, while SK telecom Co. previously implemented the passkey authentication system in its PASS app in March 2023. Samsung Electronics began applying passkeys to its digital authentication service, Samsung Pass, starting in 2023.

Passkeys work by generating a pair of cryptographic keys instead of a traditional password. The public key is stored on the service’s server while the private key remains on the user’s device, and the server’s key is compared with the key on the user’s device to verify identity during login. The advantage of using passkeys is that users can log in using facial recognition, fingerprint recognition, or a PIN, making it possible to access accounts even if they forget their passwords.

According to a survey by the FIDO Alliance, which established the passkey standard, users around the world abandoned service logins nearly four times a month due to forgotten passwords. Passkeys offer improved security. Accounts can be easily stolen If a company’s server is hacked, and account IDs and passwords are leaked, when using passwords. But for passkeys, only the public key is exposed while the private key, which is necessary to decode it, remains on the user’s device even if the server is hacked, making it relatively safer.

Passkey adoption has been rapidly increasing among major companies since 2022. Dashlane, which provides password management solutions, said that the number of passkey-based authentications worldwide increased by about 400 percent from the beginning of 2024 to July.

While passkeys are not completely immune to security threats, adhering to basic security practices is crucial, according to experts.

“Users should download apps from official app stores and keep their device’s operating system and apps updated to the latest versions,” Park Tae-hwan, who heads AhnLab’s Cyber Security Center, said.