Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Passkeys Will Kill Passwords – and Soon!

October 27, 2022

Ars Technica published a post on October 25th that contains welcome news after ONLY 50 years. Passkeys have finally arrived.

For years, Big Tech said that the death of the password is imminent. Empty promises! The password alternatives—such as pushes, OAUTH single-sign ons, and trusted platform modules—introduced as many usability and security problems as they solved.

Thank heavens we are now on the cusp of a password alternative that’s going to work.

The new alternative is passkeys. Passkeys refer to various methods of storing authenticating information in hardware, a concept that has existed for more than a decade. What’s different now is that Microsoft, Apple, Google, and a consortium of other companies have united around a single passkey standard guided by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

PayPal has said that US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn’t yet available. In the coming months, all of that is expected to be sorted out.

Want the short description of passkeys?

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There’s no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.

Even if an attacker was able to extract the cryptographic secret, they would have to supply the fingerprint, facial scan, or—in the absence of biometric capabilities—the PIN that’s associated with the token. Even better, hardware tokens use FIDO’s Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in.

Until now, FIDO-based security keys have been used mainly to provide MFA (multi-factor authentication), which requires someone to present a separate factor of authentication in addition to the correct password. The additional factors offered by FIDO typically come in the form of something the user has—a smartphone or computer containing the hardware token—and something the user is—a fingerprint, facial scan, or other biometric that never leaves the device.

Attacks against FIDO-compliant MFA have been scant. An advanced credential phishing campaign that recently breached Twilio and other top-tier security companies, for instance, failed against Cloudflare for one reason: Unlike the other targets, Cloudflare used FIDO-compliant hardware tokens that were immune to the phishing technique the attackers used. The victims who were breached all relied on weaker forms of MFA.

But whereas hardware tokens can provide one or more factors of authentication in addition to a password, passkeys rely on no password at all. Instead, passkeys roll multiple authentication factors—typically the phone or laptop and the facial scan or fingerprint of the user—into a single package. Passkeys are managed by the device OS. At the user’s option, they can also be synced through end-to-end encryption with a user’s other devices using a cloud service provided by Apple, Microsoft, Google, or another provider.

Passkeys are “discoverable,” meaning that an enrolled device can automatically push one through an encrypted tunnel to another enrolled device that’s trying to sign in to one of the user’s site accounts or apps. When signing in, the user authenticates themselves using the same biometric or on-device password or PIN for unlocking their device. This mechanism completely replaces the traditional username and password and provides a much easier user experience.

“Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography),” said Andrew Shikiar, FIDO’s executive director and chief marketing officer. “By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and—very significantly—allows the service provider to start retiring passwords as a means of account recovery and re-enrollment.”

Ars Review Editor Ron Amadeo summed things up well recently when he wrote: “Passkeys just trade WebAuthn cryptographic keys with the website directly. There’s no need for a human to tell a password manager to generate, store, and recall a secret—that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced.”

Trying out passkeys, for now, isn’t easy because there is a scarcity of sites or apps offering it.

Platforms that support passkey sign-in from a nearby device include:

  • Edge and Chrome on Windows
  • Edge, Safari, and Chrome on macOS

With the iOS 16 and macOS Ventura releases from Apple and Google’s rollout of new Android support, virtually all mobile devices now automatically synchronize passkeys to all of a user’s devices. Microsoft has said it plans to provide sync support in 2023.

As Microsoft, Apple, Google, and others roll out additional or new support, we can expect the process to be streamlined.

Is this technology ready to be used extensively today? Nope. But soon, so be watching for the next generation of cybersecurity.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology