What are passkeys?

The other day I was invited to give a presentation about passkeys – a method of passwordless authentication with high security properties – at an internal event for a Swiss company. So I thought why not turn this into a blog post and share it with a wider audience.

Overview: What are passkeys? What are they good for?

  • The harm of passwords
  • What is FIDO?
  • What are passkeys?
  • Why should an organisation adopt passkeys?
  • There’s no silver bullet, so set realistic expectations
  • Q&A

The harm of passwords

To understand the value of a new technology, it’s important to be clear about the problem it solves. In this case, the objective is to replace passwords. Passwords have been part of using computers, websites, and other digital assets forever. They were around when computers were as big as a small car and only used in large companies and universities. And they are still around in our connected world, where (almost) everything can be accessed from everywhere. Yet they no longer meet today’s requirements: keeping bad people out of private data and helping good people access their information.

Passwords are hard to remember

  • 78% of people had to reset one or more passwords in the past 90 days
  • One-third of consumers have reported giving up on accessing an online service one to two times as a result of a forgotten password.
  • Forgotten passwords contribute to churn on consumer platforms and loss of productivity with workforce accounts

Passwords are easy to steal (phished)

  • Phishing is one of the oldest tricks in the book, but it still works
  • Just in Q3 alone, about 150 million phishing attacks were registered
  • Automated phishing attacks are cheap and easy to set up with open-source tools like EvilGinx2

Passwords are often easy to guess

  • People tend to use simple passwords (and still forget them)
  • The most common passwords are password1234, password12345, and similar ones.
  • Almost half of people use their phone number, birthday, or similar information as their password.

Passwords are reused across platforms

  • 60% of people use the same password across multiple services
  • Information from 12,961,127,682 breached accounts is recorded on HaveIBeenPwned.com
  • Attackers probe breached passwords across platforms

Conclusion: Passwords are bad at keeping bad people out and helping good people access their stuff

Here comes FIDO

FIDO stands for Fast Identity Online and is a set of standards defined by the FIDO Alliance to reduce our reliance on passwords for online authentication.

  • FIDO: A set of standards including UAF, U2F, FIDO2, CTAP, etc. that define how phishing-resistant authentication can be implemented in browsers and native applications.
  • FIDO Alliance: Industry-led standardization body with member companies like Google, Microsoft, Apple, Yubico, Visa, 1Password, etc. that contribute to the development of FIDO standards
  • Passkeys: Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.

What are FIDO Credentials?

Cryptographically signed credentials that allow access to online resources. A credential consists of a public/private key pair: the public key is registered with the website while the private key stays on the user’s device, and the credential is linked to a specific service (domain).

Single- vs Multi-Device Credentials

  • Single-Device credentials: In this case the FIDO credentials are bound to the device/browser and can’t be used on any other device.
  • Multi-Device credentials: Multi-Device FIDO credentials can be synced across multiple devices. This synchronization is performed by a sync fabric like iCloud Keychain.

Passkeys replace passwords

  • They don’t make 2FA obsolete
  • They don’t make Hardware Security Keys obsolete
  • They don’t replace all other security measures
  • They don’t replace your Enterprise IT systems like MDM

The internet is still a scary place.

Passkey – Demo using passkeys.io

Account creation: Create an account with a passkey (Safari on Mac)
In this video you see me create a new account with just an identifier and a passkey. No password or anything else that I’ll have to remember when trying to access this account from this or another device in the future.

Passkey created: A passkey is created and synced on the iCloud Keychain (iPhone). This passkey is now available across all devices that are signed into the same iCloud account (and support passkeys).

Login on another device: Using this passkey on another device now allows me to access the same account from my iPhone without having to provide any password.

What’s so great about that?

  1. Creating passwordless accounts that aren’t exposed to the potential risks that come with passwords
  2. Logging in with phishing-resistant credentials provides a higher level of assurance than logging in with knowledge factors or other phishable/guessable factors.
  3. Synced credentials across multiple devices reduce the risk of users losing access to their accounts and simplify using the same account on all of their devices.

Reasons to adopt passkeys

Improve Security: Superior protection compared to passwords

Reduce Liability: Storing passwords in a reliable and privacy-preserving way is a risk developers otherwise have to carry.

Reduce churn and lockout rates: Not making authentication depend on a knowledge factor people have to remember reduces the risk of them losing access.

Reduce cost: The cost of SMS-based 2FA has increased in recent years, and resetting passwords is a major driver of cost for support organisations.

There’s no silver bullet – set realistic expectations

  • Passkeys don’t work everywhere
    • Support across platforms still limited – Microsoft is lagging as of now
    • Old versions of Operating Systems / Browsers are excluded
    • Hybrid (aka cross-platform) support is not yet available everywhere
    • More detailed and up to date overview on passkeys.dev
  • Reliance on underlying platform account
    • Bad actors might target the platform account.
    • Relying Party doesn’t know the security baseline of the platform account
    • Access to passkeys depends on being able to access the platform account.
    • Platforms sometimes block accounts for a broad range of reasons (justified or not)
    • Many people abandon their platform account when getting a new phone.
  • Passkeys in regulated environments
    • Concerns that syncable credentials are not in accordance with various regulations in Finance, Healthcare, and other regulated industries
    • Device independence puts passkeys at low assurance levels in the NIST framework
  • Passkeys in Enterprise environments
    • Underlying platform account is likely outside of the company’s control, which leads to company credentials being synced to personal devices

Conclusion

There’s no silver bullet …

… Account compromise will still happen as attackers will change tactics (at higher costs / lower rate of success)

… Some people will still lose access to their accounts

Passkeys are superior to passwords

… The most common attack vectors against accounts are password-related

… People are more likely to keep access to their accounts.