WhatsApp has officially confirmed the adoption of ‘passkeys’, access codes that come as substitutes for passwords.
Traditional passwords have their days numbered, and there could be no better news for our security. Experts have warned for years about how poorly they protect our data, especially when we reuse the same password across all our services.
The big problem with a password is that it must be stored on an external server so that it can be checked every time we log in. That opens the door to many attack vectors; for example, if a hacker gains access to the server, they could obtain a list of the passwords used by all users, as has already happened on countless occasions.
A password is also dangerous because it needs to be unique for each service; if we repeat it, we run the risk that a hacker who has stolen our password from one site could use it on another. But most people don't want to learn dozens of passwords.
Although solutions have been developed for all of these problems, such as two-step authentication or password storage apps, they are still ‘patches’ on a failed concept. That is why ‘passkeys’ were born, a new standard in which large technology companies such as Google, Apple and Microsoft.
A passkey is a unique and exclusive cryptographic access key that, instead of being stored on a server, is stored securely within our own device; it is that device that is responsible for authentication, for example with the fingerprint reader on our mobile phone. Therefore, to log in to a service that supports passkeys, the only thing we would have to do is put our finger on the fingerprint reader, exactly the same as unlocking our mobile. In fact, operating systems like Android or Windows ask exactly that: that we do the same thing we do when we unlock the device, whether that is using our fingerprint, face, or a PIN.
When authenticating, the private key is associated with a public key generated for each service or web page; that also prevents logging in to fake apps that try to steal our data, a very common problem with apps like WhatsApp.
WhatsApp is precisely the latest service that has made the leap to passkeys, although for now it is not mandatory, and normal authentication methods still work. The beta version of the app has been experimenting with ‘passkeys’ since last August, and now Meta is happy with the results and is going to start expanding it to all users of the stable version of WhatsApp.
WhatsApp passkeys replace the classic method of receiving an SMS message to log in, and appear as a new option in the account section of the app. By activating them, WhatsApp will ask us for our fingerprint, face, PIN, or another method that we use to unlock the phone, which will create a new passkey that will be stored in the Google password manager on Android phones. From then on, if we buy a new mobile phone, we will only have to import our passkey and log in to WhatsApp with our number and fingerprint.