Passcodes vs Passkeys

Passcodes are a necessary part of life, and to a degree, the bane of many an existence.

Once upon a time, in the pre-cyber world, the game was all about keys, locks, and the sheer physical strength of a door, drawer, box or other enclosure that kept anyone but the owner from getting at what was inside. Those days also, to a large degree, pre-dated data as an asset. That's not entirely true: social security numbers, birth records, a marriage license, a chemical formula - all of these were data, held value and could be misappropriated for gain. But that data was stored physically, and it had to be removed physically (or at least copied by hand) before it was worth anything to the person taking it.

Once data became digitized, it could be taken digitally, often without leaving any sign that anyone had broken in until the copy was used to drain a bank account or expose the personal information of hundreds, or hundreds of thousands, of users.

Passwords/passcodes became the locking mechanism of these digital "safes." At first just a recommendation, composition rules eventually became mandatory on many sites, on the theory that they would make it harder to simply keep trying, with computing power, until the password was found: "Your password must contain an uppercase letter, two lowercase letters, at least one special character and three numbers and must be at least 7 characters long." (The real defence is length and unpredictability; a long random passphrase beats a short one that merely satisfies the checklist.) I had a programmer friend who had worked out, in my estimation, a very good system for the hurdle of remembering all those passwords without writing them down - the risk of having 50 of them to remember. He had a formula which was his own secret code: something like the fourth letter of his third child's name, plus his mother's birth year, plus three letters from the name of the site being accessed (or something similar), so that the result followed a pattern but always contained elements unique to the specific site. With a little more thought it could be made even more one-of-a-kind: if, say, the site name (YouTube, for example) started with a letter in the second half of the alphabet, he would use the third letter of his second child's name instead. Each password thus became more particular to its situation, yet no harder to remember once the formula was devised. The one challenge was that you had to be rigorous in applying the formula, else it was pointless. There is a second, quieter risk: every password made this way shares a structure, so if one site stores passwords carelessly and leaks yours in plain text, anyone who studies it can guess much of the formula and with it your other passwords.

While I still like the system, as is always the case with things technological, the proliferation of technology itself may hold another solution.

Who reading this article doesn't have a device they unlock with a PIN, a fingerprint or their face? Even the most Luddite among us, or the most unwilling to "adopt," likely has at least a smart phone, and probably a tablet and/or PC. That one unlockable device is the ingredient for a "passkey"; the extra devices only matter for having the passkey available in more than one place.

Actually, the germ of the idea has been around and in use for quite a while. We have had "recovery" accounts for other accounts for a long time. This was typically an email account to which a site would send a "lost password" or "recover password" message. Assuming only you had access to that account, if you couldn't remember your password, you could reset it using that message. In other words, proving that you control a particular thing (the mailbox) stood in for the password.

Passkeys take the idea of "something you control" and make it the login itself. When you set one up, your device (typically a smart phone, or a PC with a built-in authenticator) creates a pair of keys: a private key that never leaves the device, and a public key that it hands to the site. The site stores only the public key, so there is no password for it to leak in a breach and nothing for you to remember.

When you log in, you don't type a password. The site sends your device a fresh random challenge, and the device asks you to unlock it, typically with a PIN or (probably safest) a form of biometric such as a thumb print or facial recognition.

Once that is done, the device signs the challenge with the private key and sends the signature back, and the site checks it against the public key it stored. The signature is also tied to the site's own domain, so a look-alike phishing site that asks your device to sign gets nothing it can use. Anyone attempting to break into your account would need a) the account; b) your physical authenticator; and c) the means to unlock it. (Cue the stolen "eyeballs" or "thumbs" memes here.)
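The registration and login exchange described above, as an added example that is not part of the original post. It models the two sides in Go with an Ed25519 key pair: the "phone" keeps the private key and signs only after the user unlocks it, the "site" keeps only the public key, a random challenge and a signature counter, and the site's domain (the relying party ID) is folded into what gets signed. The domain names, user name and message layout are illustrative assumptions, simplified from what a real WebAuthn implementation sends.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's phone: one private key per site (relying
// party ID), and it signs only after the user has unlocked it.
type Authenticator struct {
	keys     map[string]ed25519.PrivateKey
	counter  uint32
	Unlocked bool // set once the user entered the PIN or passed the biometric check
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	if !a.Unlocked {
		return nil, errors.New("authenticator locked: user verification required")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assertion is what the phone returns to the site for one login attempt.
type Assertion struct {
	RPIDHash  [32]byte
	Counter   uint32
	Signature []byte
}

// signedBytes is the byte string both sides agree on: hash(rpID) || counter || challenge.
func signedBytes(rpIDHash [32]byte, counter uint32, challenge []byte) []byte {
	buf := make([]byte, 0, 32+4+len(challenge))
	buf = append(buf, rpIDHash[:]...)
	buf = binary.BigEndian.AppendUint32(buf, counter)
	return append(buf, challenge...)
}

// Assert answers a login challenge. The browser supplies rpID from the page's
// real origin, so a look-alike domain has no key here and gets nothing to relay.
func (a *Authenticator) Assert(rpID string, challenge []byte) (*Assertion, error) {
	if !a.Unlocked {
		return nil, errors.New("authenticator locked: user verification required")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	a.counter++
	h := sha256.Sum256([]byte(rpID))
	sig := ed25519.Sign(priv, signedBytes(h, a.counter, challenge))
	return &Assertion{RPIDHash: h, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty models the web site: it stores public keys and last-seen
// counters, so a database breach yields nothing that can be replayed as a login.
type RelyingParty struct {
	ID       string
	pubKeys  map[string]ed25519.PublicKey
	counters map[string]uint32
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, counters: map[string]uint32{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub ed25519.PublicKey) {
	rp.pubKeys[user] = pub
}

// NewChallenge issues fresh random bytes; the site remembers them for one login only.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature with the stored public key, using the site's own
// ID and the challenge it issued, and rejects a counter that did not advance.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("assertion was made for a different site")
	}
	if as.Counter <= rp.counters[user] {
		return errors.New("signature counter did not advance (replay or cloned authenticator)")
	}
	if !ed25519.Verify(pub, signedBytes(as.RPIDHash, as.Counter, challenge), as.Signature) {
		return errors.New("bad signature")
	}
	rp.counters[user] = as.Counter
	return nil
}

func main() {
	phone := NewAuthenticator()
	site := NewRelyingParty("example.com") // assumed site name

	phone.Unlocked = true // the user unlocks with PIN or biometric
	pub, _ := phone.Register(site.ID)
	site.StoreCredential("alice", pub) // assumed user name

	chal, _ := site.NewChallenge()
	as, _ := phone.Assert(site.ID, chal)
	fmt.Println("genuine login:", site.Verify("alice", chal, as))

	// A look-alike domain asks the phone to sign: there is no key for it.
	_, err := phone.Assert("examp1e.com", chal)
	fmt.Println("phishing site:", err)
}
```

Two details carry the security argument: the site never holds anything that lets an attacker log in (only a public key), and the signature covers the challenge, the counter and the real domain, so a captured assertion cannot be replayed and one signed for the wrong domain is rejected.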

Where a passkey isn't on offer, it certainly makes sense to turn on whatever two-step authentication an account does provide, even if it only asks for a code every so often when you log in. Not all second steps are equal, though: "secret questions" are the weakest, since the answers (mother's maiden name, first school) are often public or guessable, and codes sent by text message can be intercepted by someone who talks the phone company into moving your number. An authenticator app or a hardware key is a better choice when the site supports one. Certainly request, if available, that an unrecognized device or IP address be challenged with a second step for your protection.
