With the introduction of passkeys for authentication by major players such as Android, iPhone, and 1Password, and with the wide adoption by Apple and Google, they are the next big thing in securing user credentials. It is imperative for those first adopters among us who may risk losing a lot by using new technologies, to understand the mysteries of passkeys and what it entails. The questions of whether passkeys are worth using for increased security must be answered, and is it all really worth it?
Creating and managing passwords can be tedious and time-consuming, even when using a password manager.
We have broken this down into two parts: a detailed post for the regular readers and a technical summary for the more tech-geek like us.
So What is a passkey?
Passkeys have existed for some time now. However, the concept was standardized by tech giants and security industry leaders under the FIDO alliance. The goal was to enhance the ease of creating and logging into online accounts while also improving their security. This standardization has revolutionized online security, making it more convenient and secure for users.
A passkey is a new sign-in method that eliminates the need for passwords. Generally speaking, a passkey is a way of authentication where your device is recognized by the service as being you. With this, you don’t need to provide a password; the service recognizes your device itself. Let’s take it from the top and see how it contrasts with traditional passwords.
How traditional passwords work
Traditional passwords consist of a public username and a private password known only to you. Let’s use Instagram as an example. The password is sent by you from the registration page. It is then hashed and salted (encrypted), in a way that makes it hard to crack. This seasoned password is then stored on the Instagram server. When you log in, your password is compared against the encrypted password to verify if it’s correct.
Now there are a few issues with that:
- Your password may be easy to guess, like your date of birth or the name of your pet.
- Computers can attempt to crack the password by using cracking tools.
- The server may get compromised, and your password may be stolen.
- Hackers may hack your network and get access to your password when you are sending it (called a man-in-the-middle attack).
- Hackers may even trick you into going to a legit looking site and have you give up your password without knowing it (phishing attack).
- And many, many other issues…
One of the many ways that companies have tried to mitigate this issue is by using MFA or multi-factor authentication, where a code is sent to your phone number and, along with providing the password, you have to provide the code you just received. But hackers have found a way around it, the details of which would need a post of its own.
Enter Passkeys, the new secure way of Authenticating.
How does passkey work
Your device generates a long string of characters that is stored in a secure enclave on the device. A pair key is generated as well, that is sent to the service. These secure enclaves on your phone are hardened secure parts of your phone that cannot be accessed. This long secure key is not known to you. It is stored on your phone so this eliminates the need of remembering anything other than your username. It also means no one can ever know or steal your password. Problem 1 and 2 of traditional passwords is solved.
The public part of the key being “public” means it can be openly known to the world (like your username). So we can stop worrying about “data breaches” and our passwords being stolen. The public key sent to service (like Instagram or Twitter) is used to issue a “security challenge” to your device. Your device answers it using the stored key. The service verifies it using the public key that it has and voilà, you are authenticated. Your device is challenged using a secure method that only the legitimate service can use. So the challenge cannot be sent by a fake site.
This solves problems 3 to 6 of traditional passwords.
Public Private Key encryption
We need to take a pause here for a moment.
The nature of public and private keys is important to understand. It’s a key pair; imagine a lock can only be locked using the private key and opened using the public key, and vice versa. If one of the locking keys does not match the pair, then the opening key will not be able to open it. So, if I am able to open the lock with your public key, which is openly available to everyone, it necessarily means that you are the one who locked it. That is how I know the lock is from you.
I know how we might already have some eyebrows raised: ‘What if my device is in the hands of someone I don’t trust?’ Well, that’s where the second layer of security comes in, like biometrics and PIN keys. It will be just a way to unlock your passkey so you can log into your favorite app. But rest assured, the passkey is not linked to your biometrics. Biometrics are not used to generate the passkey, nor does it send your biometrics or phone PINs to Instagram.
at the end of it all one question stands.
Are passkey more secure than a username and password?
In a nutshell, Yes but kinda. They are secure because they eliminate a lot of the issues of having to remember, store, and send passwords over the internet. However, they are not without their issues listed below.
Humans in the mix
It may not come as a surprise to most that the greatest risk posed is, as always, in striking the balance between security and user convenience. The issue arises with normal human behavior, when we lose our devices, share devices, use multiple devices, or like to log in on a friend’s device. These are all aspects that engineers have to consider and provide simple solutions for.
To provide support for many such scenarios, the services provided may include backup systems. The passkey might not be vulnerable, but these backup systems seem to open up a Pandora’s box itself.
Up in the clouds
If users prefer to use multiple devices, the keys need to be synced across devices using keychain sync systems like iCloud. This opens a potential gap in security if systems like iCloud are breached. Given sufficient time, there will be methods and technologies that can exploit encrypted files.
Lost keys
Our constant need to upgrade and tendency to lose devices requires a solution as well. If I lose my phone, I would still like to be able to log into my Instagram with a new phone. To account for this, backup codes are provided by most services. These are one-use codes that allow users to access the system without having their passkey or password, for that matter. If the backup codes are not stored properly or are compromised, a malicious user can take over the account using these codes.
One Pin to rule them all
Lastly, the use of PIN codes for unlocking devices is sometimes the only viable solution since biometrics have still not matured to their full extent. The fingerprint reader can have issues reading the prints, or face scanners can fail if you are wearing a mask or have a damaged camera. The use of PIN codes is a standard backup for biometrics. Nevertheless, the same PIN code is also used for unlocking passkeys for authentication. This creates a security vulnerability where a malicious user can access your device and use your PIN to log into your apps. It can even be worse, and you can be locked out of your account permanently.
Phone a friend
Though companies like Instagram allow you to preselect two friends to help validate your identity, you might not be hackable, but your friends could be exploited or socially engineered into identifying a malicious user as you.
Flippers come home to roost
One solution is to use short-range Bluetooth validation when logging into new or public devices. A validated device can send a confirmation to the new device over Bluetooth. Future advancements in technologies like Flipper Zero may make it possible to intercept and imitate the broadcast, compromising security.
Technical Summary
Passkeys are a solution created to avoid the pitfalls of traditional passwords. Passwords that are stored on servers using hashing and salting algorithms are still susceptible to dictionary or other brute force attacks. This can result from low complexity, data breach hacks, Man-in-the-middle attacks as well as phishing attacks or social engineering attacks that target the users directly. A way to solve this problem was by the use of MFAs (multi-factor authentication); however, with the advancement of technology and the widespread use of smart devices by users, hackers have been able to compromise MFAs using social engineering and phishing attacks as well as tech support scams.
The Step-by-step
Passkeys were introduced to take human memory and interaction out of the equation. Passkeys use a process called asymmetric cryptography, which involves generating:
- A public key sent to the server.
- A private key stored in the device’s keychain.
- The devices themselves have hardened protection against secure cracking “enclaves” within the device.
- The user then attempts to authenticate themselves to the server.
- The service issues a one-time Security challenge to the device specific for the device and the service.
- The user authorizes the unlocking of their private key on the device by unlocking methods such as a fingerprint, face, or PIN.
- The device in turn returns the security challenge by signing the challenge with their private key.
- The service validates it with the public key, authenticating that it’s the user.
The keys are stored in the device’s keychain, which can be synced across devices. A second layer of security using biometrics ensures human interaction for unlocking but is not a password. The biometrics are not coupled with the keys, nor are the keys generated using any information from biometrics. This avoids the need for the service to hold on to any security information other than the public key.
This effectively eliminates almost all known phishing and social engineering attacks as well as the issue of data breaches.
Potential Security issues
However, since there is still some human involvement in the process, the loss/theft or damage of authenticated devices, the need for using multiple devices, as well as the need for accessing your account from a public device raises issues to accommodate average user behavior.
To allow login on a new/public device, the solution provided is the use of short-range Bluetooth authentication with an existing validated device, such as your phone. To compensate for loss/theft or damage of a device, there is a requirement for the users to be able to access their account through the use of “Forgot password” tactics such as verification by a known “friend” or verification by recovery are offered. However, both these options open potential vectors of attacks by:
- Compromising of keychain syncing servers
- Short-range Bluetooth sniffing and cracking (if it is possible in the future)
- Theft of device and PIN codes
- Hack by social engineering known users’ “friends” or
- The theft of recovery keys
These issues remain to be addressed.
Conclusion
Passkeys are expected to be the future of the login process and will become more widely used over time. They provide a smooth and fast login process with less cumbersome account creation than traditional usernames and passwords. There is no downside to trying out passkeys, and they are expected to be more seamless in the near future. But we must always remember passkeys are not a replacement for good security practices. You would still need to be vigilant about where you leave your devices. Be careful about who has access to your pins. Lastly, always make sure never to hand over sensitive information to unknown persons. Even when they claim to be calling from the bank or from Facebook to “verify your account credentials.
