For years, we’ve known how to eliminate passwords, but it was too hard for users. There may now be an accessible way for the average user. Or maybe not.
On any list of priorities made by security practitioners, you’ll find something along the lines of, “Passwords are a disaster, and we need to get rid of them.”
They’re right. As a security technique, passwords have become a bad joke. They’re frequently stolen through hacking and social engineering, and as if it couldn’t get any worse, we recently learned that AI Steals Passwords by Listening to Keystrokes With Scary Accuracy.
There are best practices that minimize the problems with passwords, but they are too difficult even for expert users to follow without the use of third-party products. The problem is that the Internet grew up at a time when few had actually thought through the problems that would arise from reliance on passwords, so they’re entrenched in our usage patterns.
As is often the case with broad security improvements in Internet usage, Google has been at the forefront of finding a better way. For many years we’ve had standards to address the problem. The most important is FIDO, a standard that lets users prove to a site, using strong cryptography, that they are who they claim to be. FIDO was always implemented as physical security keys with crypto chips in them. Admins configure a specific key for a specific account and give it to the user, who then has to insert it into a USB port or connect it wirelessly to the computer. In fact, Google began giving FIDO keys to all their employees and eliminating passwords many years ago.
These keys are state of the art, but you’re probably already thinking they’d be a burden. You may not need to use the key every time you access your account, but you need to have it available. The keys are small and easy to lose. And, unlike passwords, they’re not free.
Enter Passkeys
So how do you make FIDO free and easy? You make a soft version of them. A passkey is a private key stored and maintained by trusted software. This is usually a web browser, but it could be a password manager like 1Password or Apple’s iCloud Keychain.
When you attempt to connect to a service for which you have a stored passkey, the browser or password manager uses the key in the passkey to encrypt a token. The service uses your public key to decrypt it. Based on the assumption that only you have control of your private key (always a necessary assumption in PKI), the service concludes that you are who you claim to be and lets you in. No passwords are involved. It’s worth pointing out that passkeys are FIDO keys; instead of being stored on a physical device that also performs the cryptography, they’re stored on your computer or phone, which performs the cryptography like any other software.
How Many Factors?
If you’re familiar with the concept of two-factor or multi-factor authentication (2FA), you may be wondering if the passkey is just one factor and whether you need another. The answers are yes and yes.
The creators of passkeys recognized that almost every device people use today requires at least a PIN for access, and they encourage a biometric like a fingerprint or facial recognition. You don’t need a biometric, but you do need to have screen lock enabled so you are forced to enter your PIN or biometric in order for the passkey to become accessible. Google allows you to use the passkey on your phone to connect to your account on a computer, in which case your phone will prompt you to authenticate. With a password manager, you may also be challenged to authenticate as you typically would.
So there is a second factor. Is it not as strong as having a physical FIDO key in your possession? It can be, and this approach does prevent all the common cases of account theft. There’s no way for breaches, like the big password and other secrets leaks we read about all the time, to happen with passkeys because the service doesn’t store them.
Passkeys and Ransomware
Passkeys prevent many, but not all, ransomware scenarios. Social engineering is a major vector through which ransomware attackers gain access to your computer. To the extent that they try to trick you into giving them your password, passkeys prevent the attack. If the attacker tricks you into running malware on your computer, then passkeys won’t help. In fairness, the theory of passkeys is that you control the device from which you are logging on, and you prove it with the PIN or biometric. If an attacker is running privileged malware on your device, you don’t really control it anymore.
Bonus Protection with Passkeys
Google recently announced the first implementation of quantum-resistant cryptography of the type used in FIDO2 authentication. Implied in this story is a major benefit of passkeys: Since they are software, the provider can upgrade them through normal channels. If you need a new key for whatever reason, including the instance where new crypto software requires it, generating the key is relatively easy.
Passkeys are a natural improvement for SASE and single sign-on providers to implement, since they would then protect every system you access through them. I checked several vendors and didn’t find any support for passkeys yet, but it’s still early days for passkey adoption. Google is evangelizing the technique to developers, trying to make it as easy as possible to add to your software.
Speaking of Google once again, if a site you connect to allows you to authenticate using your Google account, you get passkey protection for that site automatically, without the site having to implement passkeys itself. So now there’s a new incentive to use the “log in with Google” option, where available.
As stated above, it’s still early days with passkeys, and other than Google, I found no services I use that support them. Microsoft appears to support them on higher-end Microsoft 365 plans, but not yet for the unwashed masses. Passkeys are also trickier to set up than a password, involving a few steps that may seem confusing to people. Once again, it’s still early in the adoption and normal use of passkeys. I expect (hope?) that this will improve, because without passkeys, we may be stuck with passwords and all their many flaws forever.