Yuichiro Chino/Moment via Getty Images

ZDNET’s key takeaways: passkeys are a new class of digital credential designed to replace the password, which is far less secure. Instead of a memorized string, a passkey authenticates through one of three kinds of authenticator: platform, virtual, or roaming. Virtual authenticators are implemented entirely in software and are usually built into the password managers people already use.

Whether we welcome it or not, most of our online identities are moving toward passkey-based authentication. In security terms a password is a “shared secret”: at account creation and at every subsequent login we hand the secret to the service we are logging into (the “relying party”, in WebAuthn terminology), and the relying party has to store something that lets it check that secret. That dependence on shared secrets has long been one of the weakest foundations of internet security: once the secret is exposed, whether through a phishing page, a breached database, or reuse on another site, its protective value collapses entirely.

Human behavior makes the problem worse. Despite decades of warnings and best-practice campaigns, users still choose short, recycled, and easily guessed passwords. Attackers exploit that through social engineering such as phishing and smishing (phishing over SMS), tricking users into typing their credentials into a page the attacker controls. The result is a long history of breaches, data exfiltration, and financial loss traceable to poor password practice. Even with extensive security education, studies suggest that under the right conditions an overwhelming majority of people, nearly 98%, can be deceived into disclosing their passwords.

Recognizing that waiting for end users to perfect their digital hygiene was unrealistic, the technology industry looked for a systemic fix. The result is the passkey, which removes the shared secret altogether and demands no special discipline or memory from the user. Even so, rolling passkeys out across disparate platforms remains complex and will require continued public education and gradual adaptation.

Three principles sit at the heart of the passkey design. First, a passkey cannot be guessed: the secret is a randomly generated private key (with the common ES256 algorithm, a 256-bit value on the P-256 curve), so brute force is futile. Second, each passkey is cryptographically unique and bound to a single relying party ID, normally the site’s domain, so the reuse problem that plagues passwords cannot arise and the browser will not offer the credential to a look-alike domain. Third, users cannot be tricked into handing a passkey to an attacker, because they never see or transmit the secret. Authentication is instead a proof of possession: the relying party sends a fresh random challenge, the authenticator signs it with the private key, and the relying party checks the signature against the public key it stored at registration. The private key never leaves the authenticator, and the public key held by the relying party is of no use to an attacker who steals it.

The term “passkey” colloquially refers to what is technically known as a FIDO2-compliant credential. Defined by the FIDO Alliance—a collaborative consortium of major industry stakeholders—this standard fuses two complementary frameworks: the WebAuthn specification created by the World Wide Web Consortium (W3C) and the Client-to-Authenticator Protocol (CTAP) governed by FIDO itself. This coordinated architecture establishes the rules and communication sequences that allow authenticators, whether embedded in devices or manifested in software, to interact securely with browsers, operating systems, and online services.

This series groups authenticators into three forms: platform (built into a device and managed by the operating system), virtual (software-only, typically delivered by a password manager), and roaming (portable devices that connect over USB, NFC, or Bluetooth). One caveat on terminology: the WebAuthn specification’s own attachment modalities are only “platform” and “cross-platform” (roaming); “virtual” is the label this series uses for software-only authenticators that are not built into the operating system. Each form plays its own part in creating, storing, and using passkeys. Adoption by major players such as Apple, Google, Microsoft, PayPal, and Kayak has begun, but the broader ecosystem will take considerable time to converge.

As an increasing number of websites transition to support passwordless authentication, users must become informed about how various authenticator types influence security and convenience. Understanding these differences enables users to select solutions that align with their devices, operating systems, and personal preferences. This article, the third in ZDNET’s four-part exploration of authenticators, focuses specifically on the virtual authenticator’s role and its unique advantages and limitations when compared to platform and roaming alternatives.

A virtual authenticator is a purely software-based implementation of passkey management. When a user employs passkeys without relying on the authenticator built into the operating system, the virtual authenticator takes its place. It performs the cryptographic operations entirely in software: the private keys typically live in the application’s own encrypted storage rather than in the secure hardware (a secure enclave or TPM) that a platform authenticator can use. That is the trade-off a practitioner should keep in mind: software-held keys can be synced and exported, which is what makes cross-platform use possible, but anyone who obtains the vault together with its unlock credential obtains the keys with it. Conceptually the model is “bring your own authenticator”: instead of the one embedded by the device maker or operating system vendor, the user installs third-party software that manages the credentials and performs authentication on their behalf.

In today’s market, these solutions are more commonly recognized as password managers—applications like 1Password, Bitwarden, Dashlane, LastPass, and NordPass—which have expanded beyond simple password storage to become comprehensive repositories for security credentials. When functioning as virtual authenticators, they not only manage traditional passwords but also generate and maintain passkeys, providing a bridge for users navigating from the legacy password world to the new cryptographic landscape.

Google’s Chrome browser is a borderline case: Chrome’s built-in password manager can act as either a platform or a virtual authenticator depending on context. Outside of Android, Chrome is something the user explicitly installs, which technologically and philosophically puts it closer to the virtual authenticators than to the platform-bound ones.

Vendors in the virtual authenticator space differentiate on features, pricing, and integrations. Some, like Bitwarden, offer both free and premium tiers, with the paid plans adding features such as security audit reports and organizational administration; others focus on enterprise deployment controls and compliance-oriented features for organizations that need centralized management.

One of the major strengths of virtual authenticators lies in their flexibility and broad compatibility. Unlike platform authenticators that are closely tied to the ecosystem of their creators—such as Apple’s iCloud Keychain or Microsoft’s Windows Hello system—virtual authenticators are typically designed to operate across a multitude of platforms and browsers. This cross-platform architecture allows a single account to span macOS, Windows, Android, Linux, and iOS, thereby catering to users who navigate heterogeneous device environments.

Because platform authenticators come free with the operating system, third-party vendors have to compete on usability, synchronization, and interface design. Most virtual authenticators do so by offering a unified ecosystem: browser extensions for Chrome, Edge, Firefox, and Safari; native desktop and mobile apps; and a web vault, all kept in sync. Synchronization usually runs through a vendor-operated cloud service that keeps credentials consistent across devices. In a well-designed product the vault is encrypted on the client before anything is uploaded, so the sync service stores and relays only ciphertext it cannot read; a practitioner evaluating a product should confirm that this is the case rather than assume it.

Still, recognizing that organizations may harbor concerns about entrusting sensitive cryptographic material to third-party servers, several password managers provide the option for self-hosting synchronization hubs. Through that configuration, enterprises can maintain complete sovereignty over their data while continuing to leverage the streamlined user experience that virtual authenticators deliver. This capability mirrors, in essence, the synchronization services provided by Apple and Microsoft through their respective clouds but extends flexibility to customers wishing for stricter control over data residency.

In summary, virtual authenticators constitute a vital bridge between the outgoing paradigm of password-based authentication and the fully realized vision of a passwordless internet. They combine the convenience of cross-platform availability with the robust cryptographic principles at the core of FIDO2 standards. As the ecosystem continues to evolve, these software-based authenticators will likely remain indispensable for both individuals and enterprises seeking to modernize their security posture without being locked into a single hardware or operating system vendor. In the concluding installment of ZDNET’s series, attention will turn to the final category—the roaming authenticator—completing the picture of how next-generation authentication frameworks will safeguard our digital identities.

Source: https://www.zdnet.com/article/you-already-use-a-software-only-approach-to-passkey-authentication-why-that-matters/