There is a good chance that you and nearly everyone else will be using passkeys in the near future.

Passkeys are the FIDO Alliance’s ( Passkeys (Passkey Authentication) ) latest attempt to move the world from passwords to something more secure. The “Big 3” (i.e., Apple, Google and Microsoft) have strongly committed ( Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins - FIDO Alliance ) to supporting passkeys natively in their operating systems and applications. After years of every passwordless solution failing to gain critical momentum, this passwordless initiative is likely to pay off. In the process, it promises to make FIDO authentication one of THE major players in the world of passwordless authentication, something FIDO has been pushing for since 2013.

To learn more about FIDO authentication in general and the inherent protections it provides, see: https://community.spiceworks.com/topic/2467317-what-is-fido-and-why-is-it-good-authentication.

Passkeys are FIDO-enabled authentication credentials, which use public key cryptography (i.e., asymmetric private/public key pairs) tied to particular users and their devices and websites/services/applications (aka “Relying Parties”). When the user tries to log into a participating, already registered Relying Party (RP), the user will be prompted to perform an action (known as a “gesture”) to approve the login. The approval action can be requested on any passkey-enabled device the user has, such as their cell phone or laptop. The gesture can be a number of different actions, including clicking on the login acknowledgement message, a touch to a USB key or a biometric fingerprint swipe. What gesture is required depends on the FIDO solution involved.

Passkey Sync

One of the most crucial aspects of this new passkey technology is that the user’s involved passkeys will be synchronized between a user’s various devices. This is very important for usability and user adoption. One of the key problems with most passwordless alternatives is that the more protected login credentials cannot be easily shared among a user’s different devices, like a password can. One of the few benefits of passwords is that a user can use them anywhere they can access the RP that accepts them. Users can use passwords to log into their websites even if they are using a new device, using a friend’s computer or even a computer at a hotel or conference. There are some concerns about reusing passwords across just any device from a computer security perspective, but users love the ability to use their password wherever they want.

Most passwordless options only work where they are installed and registered. If you registered and use them on your laptop and then want to use them on your cell phone, you have to start a brand-new instance of the same passwordless option. Users do not like re-work.

Passkeys solve this problem by allowing all passkeys to be synchronized across all the devices the user uses, although, at least for now, the synchronization is handled by each Big 3 vendor’s operating system or application and will likely be tied to just one platform at a time. For example, Apple will synchronize passkeys used on Apple products only. If the user also uses a Google Chromebook, it will likely require another set of passkey credentials. With the exception of Apple, passkeys can also be prevented from syncing if that is what the user wants. Synchronization is tied to the user’s main platform credential (i.e., iCloud, Microsoft Account, Gmail account, etc.). A user’s passkeys will be automatically synced to any device connected to the same platform using the same platform credential.

It would be great if we had cross-platform support already, but even without it, how nice will it be to get a new phone or laptop and have all the passkeys automatically follow the user once they log in with the same OS credentials, much like how your browser settings follow you when you log into a new computer.

Registration

Each time the user attempts to log into a passkey-RP, the user will be prompted to “register”. The user fills out the requested information and is then prompted to provide their “gesture”, whatever that is, to initiate the registration process. The registration process generates a new key pair for the user tied to that particular RP. Key pairs are unique to the combination of user and RP. Each RP and passkey client uses an open protocol called WebAuthn, together with the FIDO APIs, to handle the authentication actions.

Support

Apple Safari, Google Chrome and Microsoft Edge browsers already have support. The most popular operating systems, browsers and mobile devices will have passkey support. Apple has support in macOS Ventura, iPadOS 16, and Safari 16.1 on Monterey and Big Sur. Google announced passkey support for Android by October 2022 and Chrome OS by 2023. Microsoft is expected to have support in Windows in 2023. Various Linux distributions, browsers and applications are also adding support.

Authentication Process

When a user attempts to log into a passkey-RP, the RP sends a “challenge” to the user/user’s passkey-enabled device. The user performs the required gesture, and then the passkey technology “unlocks” the passkey private key related to the specific RP, which is then used to sign a “response” back to the RP. The RP uses the related public key to verify the response, and if it verifies, the RP successfully authenticates the user’s login.

Passkeys are intended to replace passwords. Many RPs will just request the user’s passkey for the user to successfully log in. If an RP uses multifactor authentication (MFA), the user can be prompted for a passkey and something else (e.g., PIN, USB device, biometrics, etc.).

Caveats

As great as FIDO passkeys are, passwords are not going away completely anytime soon. They are likely to be with us for a decade or more ( Passwords Will Still Be With Us for Decades ). Also, storing more of your authentication credentials in one place, as passkeys do, means that a single compromise of your devices could give an attacker access to more of your logins at once. However, that risk is always there, even with passwords and password managers, and it is expected that the major vendors will use ever-improving intelligent detection to make sure it is you using your passkeys. Any risk of using passkeys is smaller than the risk they offset.

Summary

FIDO passkeys are a big push in the fight to eradicate passwords. The support of the Big 3 vendors means that widespread adoption is likely. You probably do not have a passkey today, but by this time next year, you likely will. It may not be the death of the password, but it will move us forward quite a bit.

11 Spice ups

Roger, are you actually anti-password (i.e. for your own personal security)?

I understand end users may need password alternatives. But something I create in my imagination and never tell anyone is the only truly secret thing I (or anyone) can possess. Everything else can be stolen or copied or hacked. A truly secret password can only be brute-forced.

I have no problem with adding more to password authentication (MFA) but getting rid of passwords altogether seems very foolish.

1 Spice up

What relation do you make between password authentication and multi-factor authentication (MFA)? Password authentication is not MFA. And MFA may use password authentication as one possible factor. Such a factor may be optional or mandatory. Hence there exists MFA without using password authentication. Roger properly distinguished between the two.

  • Why?

I agree that progress to eliminate passwords will need a long time to succeed. In MFA, passwords may be the weakest factor as long as people don’t transition from passwords to passphrases. Passwords are simply too short. Many human languages are very limited in producing single words of a size comparable to whole phrases. Indeed, a long composite word of a single composition in my language is often translated into a term of several words in English, and a long composite word of repeated compositions is best translated into a sentence in English. Requiring users to use a password length of at least 20 characters may make the transition from passwords to passphrases easier. But without educating users and management support, such a change of minimum length will probably not succeed either. And not every application version or operating system version already supports such password lengths or passphrase lengths.

2 Spice ups

What do you think about biometrics? My thinking is that it requires a lot of hardware and also can be fooled. The future of this debate will be very interesting.

No, I’m not anti-password. I think passwords work in many places and are even the best solution for many solutions. But even regardless of my personal thoughts I think they will be with us for a decade or decades: Passwords Will Still Be With Us for Decades

The fundamental problem with biometrics is what to do if your biometric attributes get compromised?

I’m aware password authentication is not MFA. My point was that MFA authentication without passwords cannot be 100% secret. Unless you pick an imagined value out of thin air and keep it to yourself (a password) someone else or something else must also know each of the values used in your MFA authentication.

I agree 2FA without passwords can be appropriate in many cases but I don’t think we should try to kill off passwords entirely. There’s value in having something be truly secret.

1 Spice up