
Passkeys

As we all know by now, there are serious problems with the model of authentication on the Internet today, which is based on user names and passwords. It seems that on a nearly daily basis we hear of another site being hacked, and user credentials being stolen. To help guard against password thefts we are advised to create long and random passwords that resist brute-force cracking, something like Fyw21l7VftWYDY8ktsTR. This is a very good password, which I had KeePassX generate for me. But such a password, while resistant to cracking, cannot possibly be remembered, particularly when you consider that best practices dictate you have a similar but completely different password for every site you visit. I appear to have something on the order of 400 passwords for different sites, so memorizing is completely out of the question. That means we have to implement a password manager. For a long time LastPass was the leading provider of this, but now we have reports of hackers targeting LastPass and getting access to the encrypted databases of people’s passwords and cracking those (obviously because for one reason or another the encryption was not good enough). The main targets appear to be password vaults of people with large cryptocurrency accounts that can be stolen, but in principle any attack on password managers is bad.

To provide some added measure of protection the next step is to employ some kind of two-factor authentication, but that is an added hurdle to the consumer who just wants to log on and do some business. And two-factor methods differ in how they are implemented and how secure they are. Many of them involve sending a text message to a phone, and the message contains a code number to authenticate you, but we know that text messages are not secure, and often phones are not secure, so this is not the ideal answer either. In the final analysis, password-based authentication is a bad idea and we should drop it in favor of a more secure alternative. And that is where Passkeys come in. They are proposed as a better way to authenticate people over the Internet. But how good are they?

FIDO and WebAuthn

The starting point for this comes from the FIDO Alliance, which is an industry group of the usual suspects. The Executive Council contains representatives from Google, Microsoft, Apple, and Intel, among others, and the broader Board contains many executives from other major companies. You can see a complete list at https://fidoalliance.org/overview/leadership/. The other player here is the W3C’s WebAuthn, but it is in fact run by people from many of the same companies, so it is probably not valid to call it a separate player, at least not entirely. You can see the current W3C recommendation, and the editors and contributors, at https://www.w3.org/TR/webauthn-2/. So what did they come up with?

It isn’t anything revolutionary, in my view. The basic technology is just our old friends Public and Private key pairs, which we have looked at before, and which are the only reasonable technology to use for secure communication on the Internet. Done properly this should be quite sufficient, but the devil, as always, is in the details.

A Brief Recap

Public Key/Private Key is a technology that uses some algorithm such as RSA or Elliptic Curve to generate two linked files which have the property that each file can decrypt a message encrypted by the other file. One of these files is usually designated as Public, and the other as Private, but that is actually fairly arbitrary. We first looked at this in the context of E-mail, but it underlies TLS connections to Web sites, and SSH logins to remote servers, among other uses. This is the fundamental technology for secure communication at this time. So the idea that this underlies the proposed Passkey solution is not a particularly surprising thing.

How It All Works

This is where it can get tricky. A passkey is not anything physical like a USB security dongle. Those do exist, and Yubikey is a good example of one. To use it, you would insert it into the USB port of your computer when you want to log in to a Web site. That works well, but it is cumbersome and has not caught on with a mass audience. And clearly the FIDO Alliance has given up on that solution, good as it is for security. Instead, a Passkey is a blob of random data generated on your device and then registered with the Web site. This is a unique blob for each site and each device, so it improves security because Passkeys cannot be “reused” the way passwords frequently are. But now you have a problem. Suppose you have a smart phone, a laptop, a tablet, and a desktop. You would need to create four separate passkeys since the link is not between you and the web site, but between the device and the web site. Or if you don’t like that, you have a separate problem of storing your passkey in the cloud.

The process is really designed around phones. The Username/Password model we have all been using for decades is about something you know, which is of course your Username/Password combination. You can memorize this, keep it in a physical notebook, store it in a password manager, or whatever. It has its drawbacks, of course, since that information can be obtained by hackers, such as through an exploit against a Web site that stored this information. But it also has advantages. On one of my trips, I needed to print out a ticket to a show that existed only as a PDF file in my email account. I went into a Library because these days most Libraries have computers for the use of the public. I could log into my email on this computer, bring up the PDF file, and for 10 cents I printed it out. Problem solved. With a passkey I am supposed to hit the login for the site and the site will then send me a message encrypted with the public side of the key pair. Then my private side of the key pair decrypts the message, and I am in. I never need to enter a Username or a Password. I may be asked to provide a second factor, often a fingerprint or a face recognition. All of this works great on a phone, but I would hit a wall trying to get a printout in the Library.

There are multi-device passkeys, but they have to be stored in a cloud service of some kind if you intend to use them on multiple devices. That much should be obvious. But what kind of cloud service? The first answer is Password Managers. 1Password, Bitwarden, and LastPass all support the storing of multi-device passkeys.

Apple and Google also do so in a way that is somewhat convenient, but also involves vendor lock-in, which of course both companies love to do. How much of a problem this is may be debatable since in my experience a large number of people tend to sort themselves into one or the other ecosystem. There may be a few people using iPhones and Chromebooks together, but I suspect that if you use an iPhone you will use a MacBook, and similarly for people in the Android/Chrome ecosystem. As someone who has an Android phone and a Chromebook, I know it is just much more convenient to stick within one camp. I can use all of the same apps, for instance.

There are definite advantages to passkeys. Being built around encryption they are inherently safer. We recently discussed the hack of LastPass that gave hackers access to people’s password vaults. Those vaults are encrypted, of course, but this is an arms race. What served as good encryption five years ago is now a lot weaker as the technology of decryption has advanced. But if you had passkeys in your LastPass account, decrypting the vault is only the very first hurdle. All of the passkeys would then have to be decrypted. And in the scenario they were designed for, they are definitely convenient. To illustrate, right now if I go to a Web site on my phone, I have to put in a Username and a Password. I may remember the Username, but being security conscious I have created long, strong, and random passwords, so I have to use my Password Manager. But it somehow seems that whenever this comes up for me, my password manager (LastPass) is not already open. So I have to use my password to unlock my password vault. But I have set up two-factor authentication for added security, and that is also on my phone, so I have to switch to another app to get my 2FA code, copy it, and then return to LastPass to paste it in. Then if everything went well I can log in to the Web site. With passkeys, if I am logged into my phone, whether by my fingerprint, face recognition, or a PIN code, the passkey automatically logs me in. It really could not be simpler.

Another benefit of passkeys is that there are no shared secrets. Many web sites do not handle passwords the right way. To illustrate, a fundamental property of good encryption is that the hashed binary blob created bears no traceable resemblance to the input. But how many times have you encountered a site that says that certain characters are not allowed in a password? That is a strong indication that they are not hashing the passwords, which means there are definite security problems with the site. And that is frequently the case when you hear stories about a site getting attacked and millions of passwords getting stolen. As to why that is, it might be legacy systems or they don’t understand security. But with passkeys, there is nothing shared. The web site has the public side of the key pair, and that was always intended to be publicly accessible. The hackers are welcome to it, because it is useless to them. Your private key is still with you.
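
A minimal sketch of a passkey-style login and the "no shared secrets" property, added here as an illustration and not taken from FIDO, the W3C or any site's code. WebAuthn itself has the device sign a random challenge from the site, which the site checks against the stored public key; this sketch reduces that to raw ECDSA over origin plus challenge. The class names, the origin shop.example and the user alice are assumptions made for the example.

```javascript
// Added illustration: simplified passkey-style login (raw ECDSA, not real WebAuthn formats).
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const payload = (origin, challenge) => Buffer.concat([Buffer.from(origin), challenge]);

// Device side: one key pair per site; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this goes to the site
  }
  signChallenge(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey for this origin, e.g. a look-alike domain
    return sign('sha256', payload(origin, challenge), key);
  }
}
// Site side: stores only public keys and one pending challenge per user.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  login(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.users.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!challenge || !pem || !signature) return false;
    return verify('sha256', payload(this.origin, challenge), pem, signature);
  }
}

function demo() {
  const site = new RelyingParty('https://shop.example'); // constructed sample origin
  const phone = new Authenticator();
  site.enroll('alice', phone.register(site.origin));
  const sig = phone.signChallenge(site.origin, site.newChallenge('alice'));
  const ok = site.login('alice', sig);
  site.newChallenge('alice');
  const replay = site.login('alice', sig); // old signature, fresh challenge
  const thief = new Authenticator(); thief.register(site.origin); // own key, not the phone's
  const forged = site.login('alice', thief.signChallenge(site.origin, site.newChallenge('alice')));
  const phishBlocked = phone.signChallenge('https://shop.example.evil.test', randomBytes(32)) === null;
  return { ok, replay, forged, phishBlocked };
}
console.log(demo());
```

Everything the site stores (the PEM public key and the pending challenge) can be read by an intruder without making `forged` succeed, which is the contrast with a stolen password database.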

Passkeys are getting pushed strongly by FIDO and major internet companies, so we are definitely headed in a direction like this, but there are still a lot of obstacles. When you bring in corporate accounts it gets even hairier. For instance, does your passkey to a corporate account live in your password manager or other online account, or in a corporate supplied wallet? And what if your private passkey gets added to the corporate wallet? There are still a lot of issues to work through. And are support lines ready for the calls from people who lost their passkeys? Dropping your phone in the toilet could mean more than you are out a pile of cash, it could mean you are locked out of every account you have. For this reason, even the places that support passkeys generally support Username and Password as a backup. Right now, for an individual user, what I plan to do, and recommend, is to use a password manager, configure it to be secure, have long strong passwords, and employ 2FA. That is still pretty good security.
