The purpose of the passkey is to give you an alternate authentication method that does not require a password. It does not make password access go away. You can still use a password.
I would argue that different levels of security are needed depending on whether my Google mail is full of nuclear launch codes or letters from my great-aunt Tillie. Ideally, the user should be able to configure the level of security based on their needs.
Yes, we moved to “2-Step Verification” this past August. It is definitely more secure. You just have to be sure that you have your phone with you, but who doesn’t these days?
Two-factor authentication is more secure, but the goal of the passkey is not primarily added security; it is obviating the need for a password. That in turn does offer security in that there is no password to crack, and no password to have to remember.
The problem is that the base level security needed for the normal person’s email account is much greater than many people appreciate. For most people, and most on-line companies they deal with, there is a password reset capability that assumes secure access to email. If I have read access to your email account, I can reset your passwords, and thus gain control of almost every account you have with on-line companies. This may well include your bank. Some companies implement two-factor authentication for things like password resets, but this is where we came in. They assume you have your phone with you.
Nuclear launch codes don’t get stored in any internet connected system. But for a normal person, loss of control of their email to a bad actor can lead to consequences that are not that far short of loss of the launch codes.
This is a bad situation. Basically, for most people, control of your phone and your email is what identifies you and stands between you and identity theft with potentially catastrophic consequences. Driver’s licence is the other one, and that is also a problem.
Normally I have some vague understanding of how authentication schemes work. But since the announcement of the passkey initiative by Google, Apple and Microsoft, I’ve been trying to decode what it all means and how it would work in practice.
This article from late last year tries to clear things up, but frankly I find that the comments on the article are where the explanations start to move away from PR soundbites and make some sense.
On the “I lost my phone” problem, they argue that this problem is already present and already requires a second channel and/or some human intervention, and the passkey initiative doesn’t really change much on that front.
MY CONCLUSION:
This is a muddled & ill-thought-out plan.
The experts say it’s actually a good initiative with a sound security architecture behind it, and that eventually we’ll use it without thinking about it.
The problem is that the companies and the experts haven’t managed to make it understandable to us mortals. Apple rolled it out in 2022, so many people use it without their knowledge, and many others adopted it uncritically as part of their unyielding faith in Infallible Apple Security, which I guess is one approach.
There are no text messages required with passkeys.
I just read that article, and it did help. Let me try and summarize. Please, anybody who understands this better, fight my ignorance.
The basic thing that happens is the operating system’s authentication (biometric, PIN, or password) is used to unlock an encrypted key on your device (phone, laptop, etc.). That encrypted key is used to do some math, and it sends the result off to the site you want to log in to. That remote site does some math on the code sent there, and then allows a login (or not).
Because of the magic of networking, the device that is trying to log in and the device that does the authentication do not have to be the same. Go to a website on your laptop and click the “passkey login option”. Then one of several things can happen.
- You get a prompt on your laptop to authenticate as if you’re unlocking it. Perhaps a fingerprint or face-id. That unlocks the passkey on your laptop which is sent off to the website.
- The laptop uses Bluetooth to know your phone is nearby, so you unlock your phone (PIN, fingerprint, face, etc.) and your phone sends the passkey off to the website.
- The laptop browser puts up a QR code that you scan with your phone, and then use your phone’s passkey for login.
Get a new laptop? Use your phone’s passkey to enroll your laptop as a passkey device. Or vice-versa.
Lose your phone? A thief would both have to be able to unlock your phone to use the passkey, and be physically near to where the login is occurring.
Lose all of your enrolled devices? Then you have to go through the equivalent of a password reset, as done today. Flaws in the password reset process (SIM hijacking, etc.) are also present for passkeys.
This probably does not improve security for people that use password managers and different passwords for every site, plus two-factor authentication. This probably does improve security for everybody else.
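The exchange summarized in the post above (unlock a local key, "do some math", let the site check the result), sketched as an added example that is not part of the original thread. It is a simplified model using Node's built-in `crypto` module, not the real WebAuthn message format; the function names, the `unlocked` flag and the hostnames are assumptions made for illustration.

```javascript
// Simplified model of a passkey sign-in; not the real WebAuthn message format.
const nodeCrypto = require("node:crypto");

// Device: the private key stays on the device; the site stores only the public key.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return { privateKey, publicKeyPem: publicKey.export({ type: "spki", format: "pem" }) };
}

// Device: signs only after the local unlock (PIN, fingerprint, face) has succeeded.
function signAssertion(privateKey, challenge, origin, unlocked) {
  if (!unlocked) throw new Error("device locked");
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey);
  return { clientData, signature: signature.toString("base64") };
}

// Site: a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString("hex");
}

// Site: verify the signature first, then that it covers this challenge and this origin.
function verifyAssertion(publicKeyPem, assertion, expectedChallenge, expectedOrigin) {
  const ok = nodeCrypto.verify("sha256", Buffer.from(assertion.clientData),
    publicKeyPem, Buffer.from(assertion.signature, "base64"));
  if (!ok) return "bad signature";
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return "stale or wrong challenge";
  if (origin !== expectedOrigin) return "wrong origin";
  return "ok";
}

// Constructed demo values; both hostnames are placeholders.
function demo() {
  const site = "https://mail.example.test";
  const device = createPasskey();
  const c1 = newChallenge();
  const good = signAssertion(device.privateKey, c1, site, true);
  const c2 = newChallenge();
  const lookalike = signAssertion(device.privateKey, c2, "https://mail.examp1e.test", true);
  return {
    login: verifyAssertion(device.publicKeyPem, good, c1, site),
    replay: verifyAssertion(device.publicKeyPem, good, c2, site),
    lookalike: verifyAssertion(device.publicKeyPem, lookalike, c2, site),
  };
}

console.log(demo());
```

The site never holds anything that can be used to log in elsewhere: a captured response is useless against the next challenge, and a response produced on a look-alike hostname does not verify for the real one.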
From what I read today, Apple and Google and Microsoft have agreed on technical protocols and on the “passkey” nomenclature, and some level of interoperability, but their keychains will remain separate.
If you’ve set up your iPhone as the key, you will (I think?) be able to log onto a website on your Windows PC using your iPhone’s face recognition, and you can migrate to a different Apple device later on, with your passkeys maintained through iCloud. But switching to an Android phone as your main device will require re-creating your passkeys on all relevant websites. And the same problem going the other way of course.
This is even worse lock-in than what we already have. I have an Android phone and an Apple tablet. If I adopt passkeys, it will be through a third-party, platform-neutral solution like 1Password.
Or Lastpass?
There is no easy answer.
Personally I place whatever trust I have in Apple for no other reason than they are the only ones with a dedicated silicon trusted enclave. This may change, but as I’m pretty much immersed in the Apple ecosystem, it suits me now. It isn’t perfect but I certainly trust them more than companies like Lastpass or 1Password (who unilaterally killed the product I paid in full for when they decided they needed more money.)
If humans were logical, responsible, careful, and security conscious such systems would be a really, really good idea.
Anybody notice the flaw in this thinking?
People screw up all the time in this regard. Forgetting a password is nothing compared to messing up a passkey. E.g., encrypting a drive and asking the user to save a passkey on something else for recovery. That passkey might end up on a USB stick that could easily get overwritten, lost or corrupted. And making multiple copies is unlikely to happen. Etc. The encrypted drive has Something Bad happen and the data is lost.
There is a serious danger that our favorite encryption schemes will someday be untenable. And things that are even more complicated than passkeys will have to be used. It will be a different world then.
I think the idea with passkeys, as being discussed here, is that they are being managed by professionals off in the cloud someplace. So there isn’t anything for you to forget with regards to the passkey. You might get locked out because you forget the PIN for your phone, or the password to log in to your computer, but hopefully those are things you won’t forget because you use them all the time.
The big flaw I see, is that the whole passkey system is only as secure as Apple’s or Google’s password recovery system.
I haven’t seen any mention of it, but I wonder if anyone is providing a hardcopy backup mechanism for the private key. One of the key features of passkeys is that the private key lives in some secure enclave and can’t be extracted from a device. However, it would still be nice to have an offline backup of the key (i.e., printed out on paper and stored in a safe, or at least stored on a USB key).
As long as it can only be done at creation time, I don’t think this would violate the security of the system at all.