reader comments
444 with 180 posters participating, including story author
For years, Big Tech has insisted that the death of the password is right around the corner. For years, those assurances have been little more than empty promises. The password alternatives—such as pushes, OAUTH single-sign ons, and trusted platform modules—introduced as many usability and security problems as they solved. But now, we’re finally on the cusp of a password alternative that’s actually going to work.
The new alternative is known as passkeys. Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What’s different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.
On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn’t yet available. In the coming months, all of that should be ironed out, though.
What, exactly, are passkeys?
Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There’s no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.
Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or—in the absence of biometric capabilities—the PIN that’s associated with the token. What’s more, hardware tokens use FIDO’s Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in.
Until now, FIDO-based security keys have been used mainly to provide MFA, short for multi-factor authentication, which requires someone to present a separate factor of authentication in addition to the correct password. The additional factors offered by FIDO typically come in the form of something the user has—a smartphone or computer containing the hardware token—and something the user is—a fingerprint, facial scan, or other biometric that never leaves the device.
So far, attacks against FIDO-compliant MFA have been in short supply. An advanced credential phishing campaign that recently breached Twilio and other top-tier security companies, for instance, failed against Cloudflare for one reason: Unlike the other targets, Cloudflare used FIDO-compliant hardware tokens that were immune to the phishing technique the attackers used. The victims who were breached all relied on weaker forms of MFA.
summed things up well last week when he wrote: “Passkeys just trade WebAuthn cryptographic keys with the website directly. There’s no need for a human to tell a password manager to generate, store, and recall a secret—that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced.”