The war on passwords has entered a new and more hopeful era: their final battle for existence. The challenger is the passkey. Let’s talk about why this has happened now, exactly what passkeys are, and how the industry may emerge victorious. It’s a worthy goal: the Verizon DBIR 2022 report found that 80% of data breaches still begin with a phishing or man-in-the-middle attack, using hijacked account credentials to take over an account. Spoiler alert: passkeys can help big-time in this fight.
All of us have a love/hate relationship with log-in passwords. There are too many of them, or too few, depending on a person’s point of view. Users are experiencing password fatigue, and that means they make bad password choices in the interest of expediency. The passwords are too simple, or too complex, and about one-third of consumers still don’t know how to strengthen their log-in security. We need to change them frequently, or we don’t change them because we fear forgetting them. We have equipment – such as various IoT devices – where we can’t change the default passwords, even if we wanted to do so. Managing enterprise passwords costs money, and replacing them with something more secure can cost even more money. Even the majority of IT and security professionals – who should know better – admit they engage in risky security behavior, according to a new survey by the Identity Defined Security Alliance. It also doesn’t help that enterprises are seeing more breaches because they are better connected online.
But now we have passkeys, a term that the industry has recently adopted. It’s a really simple idea, but it hides a lot of complexity. In the past, making log-ins more secure required extra effort: typing in a one-time code, adding more steps to the log-in process, setting up a password manager or some other software tool. Now we can use a pair of cryptographic keys – long strings of digits – in a way that the user doesn’t have to remember or type anything additional. One of the keys is private and known only to the user: it is stored in a protected place on a phone or computer, and can be recovered if the device is lost or stolen. The other key is public and is what the service uses to unlock the account. This public/private key pair has been a fundamental security building block for decades, and there’s still no stronger, faster or more scalable security technology.
There isn’t any easy way to compromise a log-in, because obtaining a private key takes a lot more effort than copying down a simple password. Passkeys are unlike passwords, which are constantly passed back and forth between users and services and are easily phished. With passkeys, no user secret is ever sent across the network, so there’s nothing personal to phish in order to take over an account. The industry labels passkeys “phishing-resistant.”
In the past, we tried to augment passwords with various multi-factor authentication (MFA) methods. These include SMS texts that deliver one-time codes, smartphone authenticator apps (such as Google’s or Authy) that generate the code, or specialized hardware keys such as YubiKey, SoloKeys, or Google’s Titan.
SMS MFA fell out of favor almost a decade ago. Phone-based apps were helpful because most people already carry a phone around, but if the phone is lost or stolen, the user needs a backup to complete their log-ins. Hardware-key users need at least two keys, stored in two separate places, in case they lose one. Plus, the hardware keys connect to devices through a variety of interfaces, such as USB-A, USB-C, Bluetooth or NFC, so managing a key collection and matching it to the appropriate endpoint device and connector becomes messy.
So here’s the challenge: we need to make MFA – or more secure log-ins – happen in a single step, without any passwords, one-time codes, or annoying captchas. Challenge accepted, and that’s why passkeys are a better idea. They don’t require users to remember anything, whether a one-time code to type in or where they last put their hardware key. They accomplish MFA in a single step, making it a lot more user-friendly. And because there’s no personal “what you know” secret stored anywhere or shared with anyone else, it’s much more secure than these other MFA methods. There’s no additional hardware to carry around either. Passkeys also make it possible to provision keys automatically and to preserve privacy.
The protocols behind passkeys use the WebAuthn standard. When a user registers a passkey, the device creates the key pair. Passkeys are managed by tools that are part of the operating system (such as Apple’s iCloud Keychain, or Windows Hello and Microsoft’s Authenticator) or can be created by the browser’s built-in password manager. WebAuthn is just one of a collection of standards assembled by the Fast IDentity Online (FIDO) Alliance and adopted by hundreds of vendors and large corporate and government entities.
Google, Apple, and Microsoft all support and contribute to WebAuthn and the other FIDO standards, and have built support into their latest OS and browser versions. FIDO’s standards also do away with custom programming and proprietary methods, and divorce MFA methods from the applications that depend on them. Before passkeys, businesses needed to explicitly support device migration and cross-device use. Regulated businesses typically care about cross-device key use, but the majority of businesses simply relying on passwords today don’t care as much about cross-device keys.
However, there are several issues. First, passkey implementations don’t come with attestation: nothing in the current spec tells the relying party about the passkey’s security characteristics. “Passkeys on Android will not initially have any attestation. If we add any attestation in the future it will be in a new format that's common across different Google products,” writes Google engineer Adam Langley in this forum. This has since been changing, with an announcement that Android 13 will support better attestation protocols.
Second, Apple’s passkeys cannot be migrated to Google or Microsoft platforms – yet. However, within an OEM device family (iOS, for example), a smartphone can be used as a security key across platforms, such as PCs, tablets, and other iOS devices supporting FIDO passkeys. Going forward, there’s a clear market need and desire to sync passkeys across OEMs to avoid the “lock-in” problem that OEM-specific passkeys have helped to create.
Third, Apple’s current passkey implementation doesn’t let relying parties easily detect when a new device is being used for the first time. This is a big concern for financial institutions, which won’t know when a new device is accessing their digital services for the first time; for first-time device access, banks typically want to trigger an additional layer of identity verification before granting access. Google and Microsoft have stated that they want to implement this first-time detection feature, but Apple has not. This is even more relevant because Apple’s implementation supports sharing a passkey with another person – similar to how people could share their password with someone else.
Nok Nok can handle some of these issues. The company’s S3 Authentication Suite is based on the modern WebAuthn standard, using passkeys and key pairs, and offers the security plumbing to make these authentications happen quickly and cost-effectively. It works across any channel, with any device, any authenticator and any application to provide scalable, strong security.
The end days of the password have been frequently announced before. This time, passkeys might actually make it happen.
David Strom, president, David Strom, Inc.