Are Passkeys really the beginning of the end of passwords? I certainly hope not!

Published on 2023-11-09.

As of late, Passkeys are promoted as the killer of passwords and a lot of companies are now manically transitioning from passwords to Passkeys. I don't think that is a good idea.

For decades now, security experts have emphasized the importance of creating strong and unique passwords, yet to no avail. Internet users apparently still click on fake links in phishing emails without validating the URL, which leads them to disclose their passwords at a fraudulent look-alike website controlled by attackers. Using authentication applications and password managers doesn't seem to help either, because users are still tricked into entering their one-time password on a fake login page.

Research from 2020 found that 91% of all Internet-related attacks begin with a phishing email to an unsuspecting user. Google's Threat Analysis Group reported that they detected 18 million COVID-19-themed malware and phishing emails per day during the pandemic. That's without including all other email attack variants.

It's tempting to call users that fall for phishing attacks stupid. How can this still be a problem? Why don't they just check the URL of the link in the email message to verify its legitimacy before they click on the link? But it's not that simple. Awareness requires device- and application-specific information. Users don't have the same life experience as security people, and sometimes a user simply does not know how to verify a link on e.g. his iPhone.

This problem would not exist had someone not had the amazingly brilliant idea of stuffing HTML into email. The ASCII ribbon campaign was an Internet phenomenon started in 1998 advocating that email be sent only in plain text, because of the dangers of using HTML in email. Go figure, the Unix graybeards were right!

The FIDO Alliance developed FIDO2 as an open standard that is supposed to enable secure and user-friendly passwordless authentication. Members of the FIDO Alliance include 1Password, Amazon, Apple, Google, Meta, Microsoft, Yahoo, and Yubico.

In marketing hype, the terms Passkey or Passkeys are preferred over related terms such as FIDO or WebAuthn.

FIDO2 Passkeys are supposed to provide a robust authentication mechanism immune to phishing, man-in-the-middle, and replay attacks through public-key cryptography, a methodology that employs two keys: a public key and a private key. The private key is maintained on the user's device, e.g. a smartphone, while the public key is registered with an online service. At login, the service sends a fresh challenge, the device signs it together with the origin it is talking to, and the service verifies that signature with the registered public key.
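As an added example (not code from the original post or from the FIDO Alliance), here is a minimal model of that exchange: the browser-side client data, the authenticator's signature over it, and the relying-party check that rejects a wrong origin, a reused challenge or a key it never registered. Names (`newKey`, `newClientData`, `verify`) and the origins used are assumptions for illustration; real WebAuthn also carries flags and counters this model only sketches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the page, fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// newKey makes the credential key pair at registration; only the public half goes to the service.
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// rpIDHash is the SHA-256 of the relying-party ID that opens every authenticatorData.
func rpIDHash(rpID string) []byte { h := sha256.Sum256([]byte(rpID)); return h[:] }
// newAuthData is minimal authenticator data: rpIDHash || flags (user present) || signCount 1.
func newAuthData(rpID string) []byte { return append(rpIDHash(rpID), 0x01, 0, 0, 0, 1) }

// newClientData is the JSON the browser hands to the authenticator for one login attempt;
// a look-alike site can only ever get its own origin recorded here.
func newClientData(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	return b
}
// signedMessage is what both sides sign/verify: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cd := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return m[:]
}
// sign is the authenticator side; the private key never leaves the device.
func sign(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
	return sig
}

// verify is the relying-party side: a wrong challenge (replay), wrong origin (phishing
// site) or wrong rpID hash is rejected before the signature is even checked.
func verify(pub *ecdsa.PublicKey, rpID, origin string, challenge, authData, clientDataJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != origin || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) ||
		len(authData) < 37 || string(authData[:32]) != string(rpIDHash(rpID)) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig)
}
```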

FIDO2 impresarios trust that the Big Tech companies will protect access to the private keys via the built-in protection their operating systems and devices provide, such as e.g. smartphone biometric authentication. By the use of "Face ID", "Touch ID", or any other equivalent scanning technology on an Android or iOS device, the user will gain access to the private key, which is then used to sign in at a relying party.

If you don't trust a cloud service to sync your login credentials, the FIDO2 specs allow for something called single-device passkeys. These passkeys work on a single device and aren't synced through any service. Single-device passkeys are typically created using a FIDO2 security key, such as a YubiKey. However, this doesn't help as the FIDO Alliance doesn't guarantee interoperability between devices from different vendors. This is where an additional cross-device authentication Bluetooth protocol comes into play, because Big Tech believes that users will always have another device nearby with all the necessary Passkeys.

Of course all of this requires a reliable and modern computer or smartphone, which makes Passkeys inaccessible to the poor, the underprivileged, or anyone who does not own or operate a capable device.

Sadly, the tech industry has yet again been blinded by the hype and is now manically transitioning from passwords to Passkeys because, well, Big Tech has spoken: Google, Apple, and Microsoft want you to get rid of all your passwords.

The only reason why Big Tech has hyped up Passkeys this much is because Passkeys are intended to be used through operating system infrastructure, i.e. Microsoft Windows, Google Android, and Apple iOS/macOS. The OS then allows Passkey managers to create, back up, and make Passkeys available to the applications running on that operating system. This provides e.g. the opportunity for Passkeys on Android to be stored in the Google Password Manager, which then synchronizes Passkeys between the user's Android devices that are signed into the same Google account. Passkeys are then encrypted on-device before being synced, and require decrypting on new devices. Third-party password managers are supported as well, but the majority of users will most likely use Google, Apple, and Microsoft password managers.

Thus the FIDO2 Passkey implementations still heavily rely on proprietary software embedded into Apple's, Google's, Microsoft's, and others' devices and solutions. The general strategy results in Big Tech creating and overseeing the key storage. There are no open source software implementations for creating and exchanging keys.

Even if alternative open source solutions appear, most users will most likely just use the solutions from Big Tech, as they do with everything else - which is exactly what is expected.

As a result, the Passkey concept pushes data ownership one step closer to the Big Tech industry, taking another vital element of informational self-determination out of the hands of end users by favoring biometric-based authentication factors over something that is actually available solely to the user.

And developers and users both hate passwords: they give a poor user experience, they add conversion friction, and they create security liability for both users and developers.

Google

No, they do not!

My password is mine. I control my password. I own my password. I am not dependent upon some third party closed proprietary operating system or device to handle my security. I would rather have a piece of paper with all my passwords written down, stored in a drawer at home, than have Google, Apple, or Microsoft handle anything regarding security for me!

With passwords and SSH keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external hard storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with Passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a Passkey on a macOS or iOS device.

Jeff Johnson

Passkeys also make you more vulnerable to seizures of electronics and keys. Forcing someone to give up a password is considered a violation of the Fifth Amendment to the United States Constitution by courts in the United States. Forcing someone to unlock biometrically secured devices is entirely legal.

Possession-based systems rely on items, such as a smartphone, that can be misplaced, stolen, or damaged, potentially locking users out of their accounts. And when it happens to you, Google will let you know that they reserve the right to terminate your account for any reason or no reason at all. You will get the same email response over and over again:

We have concluded the review of the information you've submitted. To prevent possible fraud and abuse, your Google products and services will remain suspended. It is our policy to not discuss the specific reasons for these suspensions.

Good luck with that!

The tech industry and the tech press need to face the fact that they have yet again been swept off their feet by Big Tech hype and are now causing massive migrations to this crap!

Update 2023-11-09

Email from serafean
Hi,

I'd like to suggest a potential expansion to your article about passkeys.

It relates to FIDO certification levels, and to the FIDO MDS - Metadata Service.

TLDR: the party you're authenticating yourself to can simply say "nope, I won't accept authentication from this device".

Services requiring authentication MAY decide to require a certain FIDO certification level to accept a device. The certification process appears to be pay to win. Every service should have an up-to-date MDS3 blob containing the curated list of certified devices. I can already imagine how this will look in a few years. Plus it will probably exclude any devices that aren't locked down in a user-unfriendly way.

The reason I know about this is that I got a Nitrokey3 to use as a hardware token, and ended up not being able to access my country's e-gov facilities, because L1 certification was required.

Applying this info to passkeys is so far conjecture on my part, based on both being based on the FIDO & WebAuthN mechanisms.