29 May 2025
Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.
Passwords are ubiquitous, but their best days could be behind us. Their replacements, passkeys, have already been deployed—cautiously—by some of the biggest companies on the planet. Apple, Google, Microsoft, and many others are all in. If you haven’t noticed the changes happening in the last couple of years, that’s probably because most companies are first adopting them as the default authentication method for new accounts only.
On the surface, passwords are great. To create an account on a website somewhere, you choose your username and a secret that only you know. Technically, this can be secure. In practice, pretty much everyone picks something simple that’s easy to remember and reuses it in a variety of places. This leads to a variety of problems:
Various Band-Aids have been attempted, with limited success. For technical users, password managers and two-factor authentication provide a working solution, but this combination doesn’t scale. It’s also pretty awful to use on a daily basis.
Passkeys solve many of these problems by utilizing public key cryptography, replacing secrets (obscure “words”) with cryptography (“keys”). We remove the human element and generate a private-public key pair with the help of very large random numbers. This leads to important results:
At present, passkeys are often promoted as more convenient and easier to use, allowing users to authenticate without triggering two-factor authentication. This saves them from having to respond to a text or email or to use their authenticator application. The UK government, for example, just announced that it will deploy passkeys as an alternative to the current text-based two-factor authentication approach. It’s right to do so. According to Microsoft, users have a 98 percent passkey success rate, versus only 32 percent for passwords. Passkeys, which are usually a fingerprint away, are much faster too.
However, in this model, passwords remain in the background, with all their weaknesses. To reap the security benefits, we need to make a leap and embrace a password-less future. Microsoft is doing just that, with new accounts skipping passwords altogether and existing accounts given an option to delete their existing passwords.
Unfortunately, this is where it gets tricky. As bad as they are, passwords can be remembered or written down, printed, and shared if really necessary. Passkeys can’t do any of these things. Losing access to your devices might mean not being able to recover your key accounts. Passkey cloud synchronization can help, but it’s under the control of big, often unaccountable organizations. Tread carefully.