New technologies, especially those that are transformational, get scrutinized – that’s normal. The benefits need to be carefully understood along with any potential drawbacks. The danger to progress however, results from an imbalance in focus … when we place too much emphasis on “edge cases” at the sacrifice of all the benefits.
We miss the forest for the trees.
Passkeys are a perfect example. Passkeys (aka passwordless FIDO credentials) are transformational as an authentication approach. They are phishing-resistant, easy to use, and future proof (open standard supported by the ecosystem). While they are still new to most users, passkeys will quickly become the preferred method of authentication in the same way most users happily adopted Touch ID and Face ID when offered for app sign-in.
Simply put, passkeys are more secure and more convenient than passwords and one-time passwords (OTP):
- Keys cannot be “phished” (there is no “secret” to share)
- Fake sites (man-in-the-middle attacks) will fail because they do not have the appropriate private key to impersonate a user.
- Attacks don’t scale because the attacker must physically have the user’s device where the private key is stored, as well as their user verification method (fingerprint, face recognition, etc).
- Users don’t need to remember complex passwords or fumble with OTPs — they just sign in with a swipe or look into the camera. The complexity of the private/public keys is behind the scenes.
Although passkeys are vastly more secure and greatly improve the user experience, the attention seems to be focused on the “edge cases” that make them not “perfect”.
- Edge Case #1: Unclear how the synced key is protected – what if it is compromised. Synced passkeys may be stored by platform providers like Apple and Google, or they may be protected by password managers. That is no different from passwords. The big difference, however, is that passwords can be easily phished and stolen. While password managers can help prevent phishing, not everyone uses one. Also, the relying party cannot tell if they are using a password manager or how strong the password really is. With passkeys the phishing resistance doesn’t depend on user behavior. It is guaranteed by the standard. And to steal someone’s passkey you’d have to take over their account or trick a provider to restore a key to your device, which is orders of magnitude more difficult to achieve. Is it possible, yes, but the current risk with passwords is far greater.
- Edge Case #2: The transport security of the keys is unknown. The protocol may be proprietary to the provider, however the large providers strongly encrypt the passkeys and synchronization of passwords to the cloud uses proprietary protocols, too.
- Edge Case #3: The key may have been shared (“AirDropped”). This is true, a user can air drop their passkey to another user. It is also true, however, that someone can just as easily share their password. And, unlike passkeys, passwords can be easily guessed making them much more vulnerable.
Understanding risk is important, but not at the expense of gain.
Imagine all the doors and windows in your house with flimsy padlocks that can be easily snapped off with one kick. You have the opportunity to replace them with a high-security deadbolt system that is resistant to being kicked in. However there is one very tiny window on your 3rd floor that would require a 30 ft ladder and gymnastics across your roof for a thief to reach, but it cannot leverage the new lock system. Since you can’t secure that one window, you decide not to secure any of them.
That’s missing the forest for the trees.
The bottom line is even if you change nothing else, you are greatly reducing your attack surface by implementing passkeys to replace passwords wherever possible. For regulated markets that typically require MFA with strong device binding, you can combine device-bound passkeys with synced passkeys, creating a “trust anchor” to deal with the 3rd floor window.
Nok Nok has all the capabilities and expertise to help you on your journey through the enchanted forest.