Rodney

Passwords are Broken! All Hail Passkeys??



Passwords

Passwords have been around for decades. They are the de-facto authentication standard used across the web for identity verification. When interacting with an app or website that requires an account for added functionality or services, users are prompted to provide a username (typically an email address) and a password. The password is a shared 'secret' known by both the user and the online service they are accessing. During sign-in, as long as the user can provide a valid username and password combination, they are granted access.

Passwords, however, have been intrinsically vulnerable since their inception. They are:

  • Easily guessable, since many users choose weak passwords (e.g. 12345678).

  • Susceptible to keyloggers, social engineering, phishing attacks, and attacks such as brute-forcing and credential stuffing.

  • Frequently re-used across different accounts, so a data breach at a single online service can put all of a user's other accounts at risk.

The use of passwords also affects the businesses that provide the services. According to the FIDO (Fast Identity Online) Alliance, more than 80% of data breaches are the result of compromised passwords. Furthermore, FIDO reports that one-third of online purchases are abandoned because customers forget an account password and cannot complete checkout. Businesses also handle a large volume of customer support requests caused by forgotten passwords.


Over the years, different solutions have come up to address the problems posed by passwords. However, instead of addressing the underlying security problems, the solutions pile on additional processes at the expense of user experience. For instance:

  • While the use of two-factor authentication (2FA) increases security for online accounts, it adds an extra step for the users and financial costs for the online service provider (SMS costs).

  • Enforcing password complexity increases friction for the users, and the likelihood of customers forgetting their account passwords.

  • While password managers were meant to help users set unique and strong passwords for each of their online accounts without needing to remember the passwords themselves, they are still not widely adopted.

Due to all these underlying login security problems, a "passwordless" future needed to be envisioned and brought to life.


Enter passkeys!


Passkeys

Passkeys are a new passwordless authentication method that offers a safer and easier alternative to passwords. A passkey is a digital authentication credential tied to a user account and a specific website or application. This credential is stored securely on the device on which it was created.


With passkeys, users can sign in to apps and websites with their device's biometric sensor (such as a fingerprint or facial recognition), screen-lock PIN, or screen-lock pattern, freeing them from having to remember and manage passwords. Because the passkey's private key never leaves the device and only works for the site it was registered with, passkeys resist phishing: there is nothing a user can type into, or hand over to, a fake site the way they can with a password or a one-time code.


How Passkeys Work

Unlike passwords, which rely on a "shared secret" between the user and the online service, passkeys use public key cryptography to generate a unique key pair (a public key and a private key) for every online service one uses, and that key pair is bound to the service's domain. So, if you create one for your online banking account and a spoofed website prompts you to sign in, the passkey won't work, because the domain is the wrong one.


In the explanation above, the private key is the passkey, and it is stored securely on the user's device. The public key is sent to and stored in the server of the online provider.


During account sign-in, once the user taps on the username/email input field, an auto-fill dialog pops up asking them to sign in using a previously created passkey. Once the user selects the passkey, their device prompts them to authenticate using the screen unlock method set up on the device (fingerprint, facial recognition, PIN, or pattern). If successful, they are authenticated to the online service.


NB: The private key is NEVER sent to the online service provider. During authentication, the provider sends a random challenge to the device to be signed by the passkey. Once signed (after the screen unlock step), the signature is verified with the public key stored on the provider's server. The only data shared with the provider for this to work is the public key (at registration) and, at each sign-in, the signature over the challenge together with the data it covers, such as the site's origin.


Benefits of Passkeys

Passkeys offer benefits for both users and the online service providers. For instance:

  • Passkeys protect users from phishing attacks. Passkeys work only on their registered websites and apps; a user cannot be tricked into authenticating on a deceptive site because the browser or OS handles verification.

  • Passkeys remove the need to send SMS codes, because a passkey already combines possession of the device with a biometric or PIN check. That makes them both safer and cheaper than SMS-based two-factor authentication.

  • Developers only save a public key to the server instead of a password, meaning there's far less value for a bad actor to hack into servers, and far less cleanup to do in the event of a breach.

  • Passkeys improve the user experience, since users no longer have to keep track of passwords. Signing in is a simple verification of a fingerprint, face, or device PIN, the same action consumers already take many times a day to unlock their devices.

Are Passkeys More Secure than Passwords?

Because every passkey is unique, stored on the device, and bound to a domain (phishing resistant), passkeys are considerably more secure than passwords. Credentials can no longer be reused across multiple sites and platforms. And because passkeys are generated automatically, users won't need to rely on passwords that are either easy to remember (and unfortunately easy for others to guess) or so complicated that they're easily forgotten. Furthermore, since a passkey already requires both the device and the user's biometric or PIN, it removes the need for a separate 2FA step.


Using Passkeys on Other Devices to Sign In to Accounts

Passkeys can be used in two different ways: on the same device or from a different device.


We mentioned that passkeys are stored securely on the devices on which they were created. For example, if you need to sign in to a website on an Android device and you have a passkey stored on that same device, then using it only involves unlocking the phone.


However, what if you need to sign in to that website on the Chrome browser on your computer?


Simple.


You simply scan a QR code on the website to connect the phone and computer to use the passkey. The computer then verifies that your phone is in proximity using a small anonymous Bluetooth message and sets up an end-to-end encrypted connection to the phone through the internet. The phone uses this connection to deliver your one-time passkey signature, which requires your approval and the biometric or screen lock step on the phone. Neither the passkey itself nor the screen lock information is sent to the new device. The Bluetooth proximity check ensures remote attackers can’t trick you into releasing a passkey signature, for example by sending you a screenshot of a QR code from their own device.


How can I Setup Passkeys on my Other Devices

Suppose you have multiple devices (don't we all) and you want to be able to access your passkeys on all of them.


In this scenario, you can use your devices' credential manager to back up and synchronize your passkeys across all devices signed into the same account. On Android and Chrome, passkeys can be stored in Google Password Manager, while on Apple devices, passkeys are stored and synced through iCloud Keychain.


Synced passkeys are end-to-end encrypted, so the sync provider cannot read them. Only the user, on their own unlocked devices, can access and use them.


NB: It is recommended that passkeys only be set up on personal devices. To use passkeys on a public or shared device, use the hybrid approach described above: scan the QR code shown on the website with the personal device that holds the passkey, and approve the sign-in there.


Limitations of Passkeys

  • Passkeys are not yet available on most online sites and applications.

  • Vendor lock-in: Currently, synced passkeys are tied to a particular ecosystem, e.g. Google, Apple, or Microsoft. A passkey synced to iCloud Keychain from a MacBook, for example, will not appear on an Android phone. Cross-platform portability is, however, coming, and Apple already allows third-party credential providers to store and sync passkeys.

Some major companies that have adopted passkeys technology can be found on the FIDO alliance website.

Should I use Passkeys?

If passkeys do take over, it will be a slow transition. Services will likely still offer password options because it’s what consumers are used to, and passkeys still don’t have wide enough support.


If you have done your research, and are comfortable with the limitations, you can consider using passkeys. At least for your most sensitive accounts like online banking, make the switch to passkeys as soon as it's offered for an added layer of protection on those accounts.


In the meantime, it’s a good reminder to stay on top of your online security settings. If passkeys aren’t available, make sure 2FA is set up and you are using a password manager to generate and store strong unique passwords for all your online accounts.


Further Reading




