Passkeys
The traditional ways you authenticate (prove who you are) on a network include:
- Something you know (such as a password or PIN),
- Something you have (such as a smart card or token), and
- Something you are (such as a fingerprint or other biometric).
Passkeys are a newer way to authenticate on apps and websites. Mobile platforms and desktop operating systems increasingly support and encourage use of passkeys. But what are passkeys and how do they work?

What are passkeys?
Passkeys are a type of passwordless authentication. A passkey is a pair of cryptographic keys that your device uses to prove your identity to a website. Instead of filling out a login form with a username and password, you simply click a button that tells your browser (or app) to use your passkey. The website can then verify your identity without you needing to type anything.
Creating New Passkeys
The following workflow describes how you would start using passkeys on a website.
- You log into a website where you have an existing account with a regular username and password.
- The website asks if you want to create a passkey instead of using a password. Sometimes you may have to go to your account settings to see the option to add a passkey. The following screenshot shows the option to add a passkey to a target.com account.
- You agree and create a passkey. The subsequent steps happen in the background, but from your perspective, you are done.
- Your computer creates a passkey composed of a private key and a public key. The passkey is stored in a secure area on your device, such as a password manager.
- Your computer sends the public key to the website. The website stores your public key with your account data.
The private key is similar to a very long and complex password. But the software on your device is streamlined so that you would never need to type it.
Using Passkeys
The following workflow describes what happens when you log into a website with a passkey. Screenshots from target.com's website and the BitWarden password manager are used as an example.
- You visit a website where you have previously registered a passkey.
- You click a button that tells the website to log you in using your passkey.
- You select the passkey. After selecting the passkey, you should be logged in. The subsequent steps explain what happens in the background.
- The website sends a challenge to your device to determine whether you have the private key associated with the public key stored in its system. The challenge is a random string of characters.
- Your device uses the private key to cryptographically sign the challenge. Your device sends the signed data to the website.
- The website verifies the signature on the signed data using the stored public key.
- If the signature is valid, the website knows you have the private key and logs you in.
So, using a passkey, it took only two clicks to log into target.com.
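To make the challenge-and-response steps above concrete, here is an added Go simulation of both sides of the login (example code written for this page, not code from the original article and not a real WebAuthn or FIDO2 library): Register creates the P-256 key pair and hands only the public key to the site, NewChallenge produces the site's random string, and Sign and Verify are the device's and website's steps. Hashing the site name into the signed message is a simplified stand-in for WebAuthn's rpIdHash, and all type and function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Passkey is the device side: the private key, which never leaves the device.
type Passkey struct{ Priv *ecdsa.PrivateKey }

// Account is the website side: the rpId and the user's public key, nothing secret.
type Account struct {
	RPID string
	Pub  *ecdsa.PublicKey
}

// Register creates a fresh P-256 key pair for one site; only the public key is sent to the site.
func Register(rpID string) (Passkey, Account, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Passkey{}, Account{}, err
	}
	return Passkey{Priv: priv}, Account{RPID: rpID, Pub: &priv.PublicKey}, nil
}

// NewChallenge is the site's random string: 32 fresh bytes per login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage ties the challenge to the site the device believes it is talking to
// (a simplified stand-in for WebAuthn's rpIdHash), so a signature for one site fails at another.
func signedMessage(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID), challenge...))
	return sum[:]
}

// Sign is the device's step: sign the challenge with the private key.
func (p Passkey) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, p.Priv, signedMessage(rpID, challenge))
}

// Verify is the website's step: check the signature against the stored public key.
func (a Account) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(a.Pub, signedMessage(a.RPID, challenge), sig)
}
```

Verify returns false for a stale challenge, for a signature made under a different site name, and for a passkey registered with another site, which is the property behind the "each passkey is unique" point in the next section.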
Inspect a Passkey
Your phone or computer will let you create a passkey and store that passkey on your device. They make it hard to inspect the passkey itself. The text below shows a passkey for a target.com account exported from my password manager (with a few small changes to protect my account). There are a couple of things to note about the passkey. First, the key itself (the keyValue) is a long string of characters. It would be impossible for a hacker to guess or brute force this key. Second, the key is part of a "FIDO2" credential. FIDO2 is a standard for passwordless authentication. The "userHandle" links the passkey on a site to your account. The "keyAlgorithm" is ECDSA, a type of public key/private key cryptography.
"fido2Credentials": [
    {
        "credentialId": "1bede134-58a6-47da-ac12-426bc4185d7a",
        "keyType": "public-key",
        "keyAlgorithm": "ECDSA",
        "keyCurve": "P-256",
        "keyValue": "MIGHAgEAMBMGCyqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgT0gNRQQp-hD4gaek3AAwEB8UteS_YFV7xvOyvBi3vr-hTANCAARnzL3-bHJw3UhSLEoYLrEtzu1yzNZWi2SVyvLixlKCF3boemPLtA_hy_FgCh4X3Dw86C3DDmDOF0oGVhz7S_HA",
        "rpId": "target.com",
        "userHandle": "MzY4Mjc2NDJwMA",
        "userName": "this_is_fake@gmail.com",
        "rpName": "Target Corporation",
        "userDisplayName": "this_is_fake@gmail.com",
        "creationDate": "2024-09-09T16:09:40.325Z"
    }
],
So, a passkey is basically a cryptographic key pair, with the private (i.e., secret) key stored on your device, and the public key stored on the website.
Problems Passkeys Solve
Passkeys solve three significant problems with traditional passwords:
- Password reuse. People tend to use the same passwords on multiple sites. You cannot use the same passkey on multiple websites. Each passkey is unique. If one website is compromised, the attacker cannot use the passkey to log into other websites.
- Poor passwords. People tend to choose passwords that are short or easy to guess. Passkeys are generated automatically and are long and complex. This makes them essentially impossible to guess or brute force (i.e., try every possible password).
- Password storage. People often try to remember all of their passwords or store them in insecure ways. Because passkeys are stored on the device in secure areas, if a hacker wants to steal the key, they would need to steal the device itself or discover the (hopefully strong) master password securing your third-party password manager. This is much harder than stealing a password from a server.
Concerns with Passkeys
Passkeys are not perfect. Some concerns with passkeys are included below.
- Device loss. If you lose your device, you lose your passkeys. You would need to use a backup method to log into your accounts. Apple provides key escrow for iCloud Keychain, so you can recover your passkeys if you lose your device.
- Device theft. If someone steals your device, they could potentially use your passkey to log into your accounts. Devices must be protected with a PIN, password, or biometric to prevent this.
- Device compromise. If a hacker compromises your device, they could potentially steal your passkey. This is why it is important to keep your device up to date with security patches and avoid installing untrustworthy software.
- Password manager lockout. If you use a third-party password manager, it is possible that you could lose access to your secure vault (e.g., if you forgot your master password). Make sure you have a backup plan for accessing your password manager. This risk is not unique to passkeys, but it is worth mentioning.
Methods for Using Passkeys
If you are ready to start using passkeys, there are a few ways to get started.
- Use a third-party password manager. I use the BitWarden password manager to store all of my usernames, passwords, and passkeys. BitWarden generates and stores passkeys automatically. If I log into BitWarden on any of my devices, BitWarden synchronizes all of my passkeys to that device. I could use the same passkeys on Windows, Linux, iPhone, etc.
- Use a built-in password manager. Many browsers and operating systems have built-in password managers that can store passkeys. For example, Google Chrome can store passkeys in the Google Smart Lock feature. Apple's iOS has strong support for passkeys. If you use iCloud, you can store passkeys in your iCloud Keychain so that they are available on all of your Apple devices.
I tend to prefer third-party password managers because they are more flexible and can be used across multiple devices and platforms. But, built-in password managers are easier to use and are often more secure because they are integrated with the operating system.
When I created a passkey for my coinbase.com account, Coinbase gave me the following warning:
Your passkey is only as secure as your passkey manager. Make sure to keep it safe to prevent your account from being compromised.

In essence, the password (or passkey) manager is the weakest link in this security chain.
My Final Thoughts
Passkeys are a good attempt to make authentication easier and more secure without making users' lives more difficult. Passkeys are a step in the right direction. But, I have a problem with the way we (cybersecurity people) talk about passkeys. Everything I've written about passkeys is true, but careful scrutiny might reveal some seeming contradictions. For example, I said that passkeys stay on your device. This is true, mostly. But, if you use a password manager like BitWarden or use Apple's iCloud, a copy of your passkey is also stored on their servers on the internet. So, the passkey does not really stay on your device. But the passkeys should be stored in an encrypted format on BitWarden's or Apple's servers, so no BitWarden or Apple employee could use them. This quickly becomes confusing. We need to be more careful about how we talk about passkeys to make sure people know where the data is stored and how it is protected. Overall, a person's personal cyber hygiene would be better if they relied on passkeys instead of traditional passwords, so we should explain passkeys in a way that makes people feel comfortable adopting them.
Challenge
- Find a list of websites that support passkeys. Log in to one of the sites where you have an existing account and create a passkey.
- There are hardware devices that try to make using passkeys easier. See how much it costs to buy a YubiKey or a Google Titan Key.

Reflection
- Should regular people need to give dictionary definitions of passkeys before adopting them?
- Would you recommend passkeys to a friend? A grandparent?
- Are you comfortable with companies like Apple, Google, and BitWarden storing your passkeys on their servers?
Key Terms
- Passkeys: A type of passwordless authentication that uses cryptographic keys to verify a user's identity. Passkeys are stored on the user's device and are used to authenticate without requiring a traditional password.
- Passwordless Authentication: A method of verifying a user's identity without requiring a traditional password. Passwordless authentication methods include passkeys, biometrics, and other forms of authentication that do not rely on passwords.
- Key Escrow: A method of storing cryptographic keys in a secure location so that they can be recovered if they are lost or stolen. Key escrow is used to protect sensitive information and prevent unauthorized access to encrypted data.
- FIDO2: A standard for passwordless authentication that uses cryptographic keys to verify a user's identity. FIDO2 is designed to improve security and usability by eliminating the need for passwords and other traditional forms of authentication.