Passkeys & the passwordless future

This is a personal blog, any views expressed are my own.

Today, a lot of responsibility is placed on consumers to ensure their online accounts are secure. The reliance on username and password based authentication systems necessitates a lot of work for us all; to use complex secure passwords, update them regularly and somehow remember them all. As well as being a lot of work, password based accounts are vulnerable to a number of attack vectors. Multi-factor authentication (MFA) helps protect against some of these attacks, in exchange for yet more work on the part of the consumer.

Passkeys are a potential password replacement technology that has gained traction with the major technology platforms (Microsoft, Apple & Google). They use secure ‘public key cryptography’ for account login, and protect against more attack vectors than even an MFA based system. They do all this whilst requiring much less work on the part of the consumer. Passkeys have the potential to eliminate credential phishing attacks as we know them today, and to massively reduce the risk of login credential leaks when a company has a data breach.?

Although it is early days for passkeys, the quick adoption of this technology could radically reduce consumer harm from unauthorised access to accounts.

The problem with passwords

Keeping on top of your password estate

We are all constantly bombarded with advice, constraints and frankly annoying reminders about password best practice. The UK Government currently invests significantly in a Cyber Aware campaign aimed at consumers to educate and encourage them to improve their passwords for important accounts. Over the years, you may have been told that passwords need to be:

• Unique per account
• Changed regularly
• “Strong” or “Complex” - including special characters or a mix of lower and upper case
• Memorable
• Not easily guessable
• Random
• Generated and stored in a password manager
• Never given out to anyone
• Changed immediately if your device is stolen
• Never typed into a website you aren’t 100% sure is legitimate

This is a lot for consumers to keep up with, and experts disagree about how the average consumer should approach managing passwords, and what is realistic to expect of them. The advice we have all heard is based on the main attack vectors that could lead to an account being compromised:

• Password guessing (commonly used passwords are easiest to guess e.g. password1!)
• Brute Force attacks (systematic attempts using software to try every possible combination of letters, numbers, and symbols until you discover the one correct combination)
• Credential reuse (the attacker knows your username and password to another account)
• Phishing (you are tricked into providing your password to a fraudulent website)
• Device theft?
• Server leaks / Data Breaches (where your password is obtained through a cybersecurity breach at the service provider)

Businesses try to mitigate these risks too, to varying degrees, by implementing password policies that may:

• Require your password to be a certain length & degree of complexity
• Reject common phrases that may be easily guessable from being selected as a password
• Requiring you to change your password after a set period of time
• Requiring you to use Multi-factor authentication
• Hash and Salt passwords for storage on their servers - so that passwords are harder to derive for attackers in the event of a breach?

Password managers like those built into popular browsers (Chrome, Safari, Edge) & third party offerings (OnePassword, Dashlane, LastPass) also sprung up to try and help consumers create stronger unique passwords without having to remember them every time.

Multi-factor authentication (MFA)

To improve the security of password based authentication, many websites, workplaces & accounts allow (or require) you to set up MFA. MFA means that when you sign into an account, you need more than just the username and password - you need a second "factor" to prove who you are. The three most common types of factors are:

1. Something you know - Like a password, or a memorised PIN.?
2. Something you have - Like a smartphone, phone number, or a secure USB key.?
3. Something you are - Like a fingerprint, or facial recognition.?

MFA reduces the risk of accounts being compromised, because even if the attacker somehow knows the correct password they cannot access the account without access to the other factor/s too.

MFA in action

Scenario: A user's password is weak & easily guessable

• Attacker inputs the known username and correctly guesses the password
• Website accepts these & prompts for an SMS code sent to the account owner’s phone
• Attacker cannot gain access to the account as they are not in possession of the phone

MFA is a good security measure that protects consumers from many of the attack vectors that username and password only systems are vulnerable to & prevents a great deal of unauthorised access today. Consumers should use MFA where available for this reason - it’s the best solution currently widely available.?That's why Twitter's recent decision to lock SMS based 2FA behind a paid subscription was heavily criticised by those in the know.

However, MFA has not fully solved the problem of unauthorised access to user accounts for a number of reasons.?

These barriers lead us to a situation in 2023 where:

• MFA is only mandated in a few places - e.g. Banking
• A sizeable proportion of consumers do not use MFA, even on their most important accounts (e.g. email accounts)
• Businesses that do offer MFA, largely do not require it or prompt it to be set up by default
• Username and password based accounts, with all the associated vulnerabilities, continue to dominate user accounts online

Goodbye passwords, hello passkeys?

Passkeys aim to address all the issues set out above by replacing passwords entirely, rather than bolting on extra security coverage to the existing system. They are designed to:

• Be more secure than passwords / MFA
• Be easy to use, fast and low friction
• Be interoperable between platforms, browsers, apps and devices
• Work alongside password based authentication during the transition

What on earth is a passkey?

Passkeys are a new way to login to user accounts, designed by the FIDO alliance, an industry association that includes Microsoft, Apple, Google, Meta, Intel, Qualcomm, PayPal, Mastercard, Visa, Amex and others. Passkeys let you sign in to online accounts without ever setting a password.

Passkeys are cryptographic key pairs that utilise state of the art public key cryptography. One key is private and tied to a user's devices. They are only usable after the user has authenticated themselves through on device biometrics or their device PIN. The other key is ‘public’, and held on the server. These cryptographic keys are always strong, they cannot be guessed, weak or reused & they do not require the user to remember them.

This explainer from OnePassword puts it best

(Passkeys are) digital credentials that are stored on your devices, and you access them using biometrics. This makes them convenient and practical while still being highly secure. Using a passkey to sign in feels just like unlocking your phone with your fingerprint or face.

While passkeys are very easy to use, it can take a little adjustment to feel comfortable with them. Unlike with passwords, there’s nothing to “see” when you use a passkey. One way to understand passkeys is to think of a physical security key that you plug into your computer or phone. Passkeys are based on the same underlying technology, but they’re entirely software-based.

You can set up and use a passkey via this demo website if your operating system/browser is supported, current and up to date.

To understand public key cryptography at a basic level watch this video from around 25 minutes in.

What are the benefits of passkeys over passwords?

Goodbye password policies

The burden that currently sits mostly with users, to create and remember strong, complex, and unique passwords, to update them regularly and all the complexity of managing your ‘password estate’ is taken away in a passkey only future. Passkeys are always strong & secure, don’t need to be changed, and are not designed to be ‘remembered’ by a consumer. That burden is passed off to the business you are creating an account with online & the device/OS/browser manufacturer you entrust to store and secure your passkeys. All the user has to do is ensure they trust the security practices of their chosen device/OS/browser manufacturer & protect the device with strong biometric security and a secure & secret PIN.

No need for added MFA friction?

Passkeys eliminate the need for consumers to set up MFA. MFA adds friction to the user journey - which has put businesses off from adopting it & consumers off from enabling it where available.

Adding factors to a password based account is designed to protect user accounts from a wider array of attack vectors than a password only approach.

Passkeys alone protect against each of these attack vectors - so adding MFA would not significantly increase their security. See the chart below.

Eliminates credential phishing scams as we know them today

Phishing scams/attacks generally operate by:

1. Attackers setting up a fake but convincing website imitating a service with a login field
2. Attackers send a convincing text message or email to a consumer urging them to sign in to rectify something, and providing them a link to the fake site
3. The user then types in their password into the fake site, unwittingly giving the attacker their credentials
4. The attacker can now use those credentials to login to the genuine website/account

Passkeys are intrinsically linked to the website they were set up for. That means you can’t be tricked into using a passkey on the wrong website - it just won’t work. It’s not possible to type or copy a passkey into a convincing fake website, or give away the key to someone looking over your shoulder.

Much lower risk from server leaks/data breaches

‘Public key cryptography’, is designed in such a way that the server does not store enough data to unlock access to an account on its own. The server holds the ‘public key’, and the user’s device holds the ‘private key’.?

1. At login - the server sends the device a cryptographic puzzle to solve - only the real ‘private key’ issued to the device will be able to return the correct solution.
2. The device sends back the solution and the ‘public key’ held on the server determines whether that solution is correct.?
3. If the solution is correct, the user is authenticated, and can log in.

Important: the private key never leaves the user's device, only the solution it generates. Therefore the private key cannot be intercepted, and the server never learns what the private key is.

In the event of a server leak or data breach where a company uses passkeys rather than passwords - attackers cannot steal full login credentials. The server does not store the private keys needed & without these, stealing the public key that is stored server side is of minimal value to them.

This is much lower risk than the current model, where passwords are stored directly on company servers, even if these are otherwise hashed and salted. There are no user credentials on the server to leak with passkeys.

How close are passkeys to wide adoption?

Passkeys are a new technology, and the open industry standards are a recent development. The core members of the FIDO alliance (Apple, Google and Microsoft) began the necessary groundwork to support passkeys on their platforms in 2022. They are supported on all the current software platforms and web browsers from these companies (e.g. iOS, macOS, Android, Chrome, Edge).

Passkeys are not yet widely available for consumer use, because websites and apps must adopt them. Given the major platform vendors are working together on this, we can expect them to push developers towards Passkeys in the near future.

FIDO alliance members claim that adopting passkeys is relatively simple for apps and websites, and that passkeys can be added as a peer to existing password based systems during the transition.

Too good to be true?

The picture painted by Apple, Google and Microsoft is a rosy one, but a transition to passkeys poses a lot of questions . Here are a few of mine:

• How interoperable will passkeys really be between computing platforms? What are the implications for consumers surrounding ecosystem lock-in? How portable are these credentials for someone who wishes to switch from using iOS, to using Android for example?
• What does account recovery look like with passkeys? What routes are available in the event of device theft or loss?
• How accessible are passkey implementations to consumers with additional needs?
• Is the reliance of passkeys on on-device security the right approach?
• How will consumers be supported to understand the transition & what they need to do?
• With the UK Government seeking to place a ‘Cyber Duty to Protect’ on businesses in the UK, how do plans for a passkey transition from major platform vendors impact on this?

Useful resources:

The first 5 minutes of this video provide a real life look at how passkeys operate on the web, in apps and across different platforms: