Are passwords a thing of the past? N.B. cyber expert on emerging debate over passkeys

Beauceron Security’s David Shipley says there are pros and cons to both

Image | A screen to enter a password to a website

Caption: A New Brunswick cybersecurity expert said he can't pick whether he's team passkey or team password because they both have pros and cons. (Sean Kilpatrick/Canadian Press)

It may be a foreign concept to some but for others, it's a natural technological progression: Passkeys.
Cybersecurity expert David Shipley, of Beauceron Security in Fredericton, said a passkey is a computer-generated password. Your device remembers the passkey and allows you access to websites you visit frequently — without having to remember all of your unique passwords.
There are pros to the new tech, said Shipley, starting with the fact that a passkey is more secure than using the same password across multiple sites.
"Digital lock-picks will breach a website and they'll breach another one, and they'll start to get a sense for the patterns you may use and then they'll digitally lock-pick," said Shipley.

Image | David Shipley

Caption: David Shipley, with Beauceron Security in Fredericton, said a passkey is 'only as secure as the algorithms used to generate it.' (Submitted by David Shipley)

"But if you're using a truly random, very long, machine-generated pass key, [it] doesn't have that same pattern repeatability."
On the other hand, there are cons. Shipley said a passkey is "only as secure as the algorithms used to generate it." So if there's a pattern or flaw in the generation of the passkeys and someone were to discover how the company's algorithm works, that attacker could then unlock all the passkeys.
Another downside, said Shipley, is that passkeys can usually only be used with the most modern devices, so if one piece of someone's technology is older, the passkey won't be of any use on that device.
Having a passkey that is tied to a device can also be a bit of headache, said Shipley.

Image | Apple passkey (DON'T USE AGAIN)

Caption: Shipley said the latest Apple iOS is really pushing passkeys forward, which is great for people who exclusively use Apple devices. (Apple)

"You're out canoeing the Restigouche, your smartphone goes into the river … then you've got to re-establish all of your credentials — what a pain."
Shipley said the latest Apple iOS is really pushing passkeys forward, which is great for people that exclusively use Apple devices.
But if you have an Apple iPhone, a Windows computer and an Android tablet — the ease of use decreases.
Shipley said a lot of sites just also are not ready for the technology of a passkey, such as banking websites, which sometimes still only support passwords of certain lengths.
"It's probably going to be a decade-plus journey to see these become commonly offered on the places we need them the most," he said.
"Yeah, it's cool that the latest bleeding-edge tech magazine can use passkeys — that's not what I'm worried about getting compromised. I'm worried about my tax account, my government ID accounts, my bank accounts, those types of things. And these will probably be the last ones to adopt this technology."

Image | No passkey

Caption: Not all websites or devices allow the use of passkeys yet. (CBC)

Shipley said he can't pick whether he's team passkey or password because they both have different upsides, and sometimes, the need is a generational difference.
For example, seniors might already have a system where they keep all of their different passwords written in a password book, so changing to a complex technology, that could cause mass frustration if it goes wrong, doesn't make sense.
But for a Gen Z or millennial with multiple mobile devices, it might be just what's needed.
"It's probably my biggest frustration with the tech industry is they come out and they drop the solutions, like this is perfect for everybody, right? No, it's not," said Shipley.
"The problem comes down to a fundamental belief whether technology is better than humans. So the belief right now is you can't trust the human, we can trust the machine, except if the machine makes a mistake.
"In 2024, when we're all obsessed about [artificial intelligence], I continue to be impressed with the amazing potential of human beings, and I'll bet on the human over the machine still every day."