Introducing Passkeys


We at Concordia Technology Solutions value giving churches high-quality software as well as implementing the highest grade of security for your congregation's data.

For that reason, though we've been blessed never to suffer a data breach, we've rolled out a new form of authentication for Church360° Members sites called Passkeys, to better guard against malicious actors who would seek to steal your congregation's data.

Passkeys are a new form of two-factor authentication that completely removes the use of, and the need for, a password. So no more remembering passwords for your Church360° Members site. You'll simply go to your site, request access, and grant that access directly from your own device, which can be a phone, tablet, or password manager.

Passkeys are a very new paradigm. It's what techies call "bleeding edge," which is even more forward-thinking than "cutting edge." The concept is fairly new and has been gradually adopted by well-known software tools and sites such as Microsoft, Google, and Apple in 2023, and you'll slowly see other sites start to offer this option as well.

So what are Passkeys?

Passkeys are a pair of keys: one public (used to verify your request to access a site) and one private (secret and unique to your device). These keys are tied to the domain where they are created, in this case the church360.app domain.

Each passkey requires a secure context (a site address beginning with https) and is tied to a single domain, so it cannot be reused across sites the way a password can.

When you log in using a passkey, the server for the domain sends a random, one-time prompt called a challenge, over the site's encrypted https connection, to a device that you own. You use that device to answer the challenge automatically and allow access. The private key stored on your device never leaves it, which adds an extra level of security.

The one exception to this is if you sync your passkeys through iCloud, Google, or another password manager, which lets multiple devices hold the private key. Even then, the private key stays under your control rather than being shared with the website or exposed on the internet.

That's a lot of information that might still sound like tech jargon, so let's compare it to passwords, which most people are fairly familiar with.

When using passwords, you go to the site and enter your password on the login screen. This attempt is sent to the server, which checks that your password is correct. If it is, you're allowed in; if it's not, the attempt is rejected.

When using passkeys, you go to the site and press the button to use a passkey. This triggers the server to send a challenge automatically to the browser, with no password to type. The browser passes this challenge securely to your authentication device, which verifies your identity and then uses the private key it stores to answer the challenge. The answer is sent back to the server, which uses the public key to verify that the challenge was answered correctly. If it was, you're allowed in; if not, you're rejected.
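To make the flow above concrete, here is a small stand-alone Go model of it (an added example written for this post, not Church360° code): the authenticator holds the private key, the server keeps only the public key, the challenge is a random single-use value, and the answer is bound to the https://church360.app origin so it is useless anywhere else. The names Register, IssueChallenge, Answer and Verify are illustrative; real passkeys go through the browser's WebAuthn API, which this model leaves out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator is the user's device (phone, tablet or password manager); the private key never leaves it.
type Authenticator struct{ rpID string; priv *ecdsa.PrivateKey }
// Server is the site; it keeps only the public key and the challenge it last issued.
type Server struct{ rpID string; pub *ecdsa.PublicKey; challenge []byte }

// Register creates a key pair bound to the domain rp and hands only the public half to the server.
func Register(rp string) (*Authenticator, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rp, priv}, &Server{rpID: rp, pub: &priv.PublicKey}, nil
}

// IssueChallenge returns a fresh 32-byte random value; it is valid for one answer only.
func (s *Server) IssueChallenge() ([]byte, error) {
	s.challenge = make([]byte, 32)
	_, err := rand.Read(s.challenge)
	return s.challenge, err
}

// signedData binds the challenge to the origin, so an answer for one site is useless on another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Answer signs the challenge with the private key, but only for the domain the passkey was created for.
func (a *Authenticator) Answer(origin string, challenge []byte) ([]byte, error) {
	if origin != "https://"+a.rpID {
		return nil, errors.New("no passkey for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify checks the answer with the stored public key and then consumes the challenge.
func (s *Server) Verify(origin string, challenge, sig []byte) bool {
	ok := s.challenge != nil && string(challenge) == string(s.challenge) &&
		origin == "https://"+s.rpID && ecdsa.VerifyASN1(s.pub, signedData(origin, challenge), sig)
	s.challenge = nil // one-shot: replaying the same answer fails
	return ok
}
```

Walking through a login with this model shows why a captured answer is worthless: the challenge is consumed after one use, and the device refuses to answer for any origin other than the one the passkey was created for.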

What you see on your side is similar to other 2FA methods: you try to access the site, approve the request from your device, and you're in.

This is a new paradigm and will take some users time to get used to, so we at CTS are happy to help with any questions you may have about accessing your site this way.
