Welcome to the world of passkey security, where the key to unlocking your digital fortress is simpler, yet more robust than ever. In this blog, we'll break down the basics of passkeys, explore how they work, and delve into their advantages and potential challenges.
[Table of Contents]
- Passkey Security: Understanding the Basics
- Passkeys and MFA
- How Does Passkey Security Work?
- Advantages of Passkey Security
- Best Practices for Passkey Security
Passkey Security: Understanding the Basics
If you want to protect your data from cyberattacks, you need to use strong and secure authentication methods. One of the most effective ways to do that is by using passkeys. But what are passkeys and how do they differ from traditional passwords?
A passkey refers to a cryptographic key pair that together encrypts and decrypts data. Unlike passwords, the passkey is never seen by the user.
If you don't know the passkey, how do you use it?
When creating a passkey for a new account, you'll verify your intent by unlocking the device using your PIN or biometrics. Your operating system creates a unique cryptographic key pair; one key is stored on the application or website where you're making an account, while the other is stored in secure elements on your device (such as secure enclaves or trusted platform modules (TPMs)).
When you return to log into your account, you'll need to verify yourself as the device owner with that same PIN or biometric.
Passkeys are highly resistant to stealing, guessing, and brute-forcing, and cannot be phished. A criminal's best bet is to steal your device and biometric data that unlocks it.
One drawback is that only this device is authorized to log into the account. This inconvenience is being overcome, however, as tech giants like Google and Apple give you the option to sync your passkeys with your Google or iCloud account. Third-party password managers are implementing passkey support as well. It's important to understand that this puts the security of your private key in their hands.
A full walkthrough of setting up a passkey, understanding what is stored where, and handling roaming can be found here.
Passkeys and Multi-Factor Authentication (MFA)
Part of a passkey's appeal is that it combines the security elements achieved by passwords + MFA.
Passkeys require something you are or know (biometrics, PIN) plus something you possess (the device you authorized to store the cryptographic key pair - usually your phone).
The password + MFA setup requires two steps to achieve this. You need a password (something you know) and something else you know or are supposed to possess (software token from 2FA app, the code texted to your phone). But SMS as a 2FA solution has severe drawbacks, and people's password hygiene habits aren't keeping up.
By combining elements of MFA with phishing-resistant cryptographic key pairs, passkeys increase convenience and improve security - a rare package in cybersecurity.
How Does Passkey Security Work?
Now that we've laid the groundwork, let's explore the inner workings of passkey security.
Passkey generation refers to the process of creating a unique cryptographic key pair for use in an authentication process. Passkeys replace the most common authentication method of username/password.
Here's an overview of the key components of passkey generation:
- Randomness: Passkeys are designed to be unpredictable and difficult to guess. To achieve this, cryptographic systems often use sources of entropy, such as random number generators, to ensure that the generated passkey is truly random.
- Asymmetric-key cryptography: This involves a pair of keys – a public key and a private key. The passkey generation process generates these key pairs. The public key is stored on a server, but it is useless without the private key, which is stored on your device. Data encrypted with the public key can only be decrypted by the corresponding private key.
- Secure Storage: Once generated, passkeys need to be securely stored. This is crucial, especially for private keys in asymmetric cryptography. Unauthorized access to the keys compromises the security of the system.
Details of passkey generation may vary depending on the specific cryptographic protocols or standards being used. Additionally, security best practices and standards evolve over time, so if you plan to implement passkeys from a developer's perspective or wish to know the latest in passkey security enhancements, you'll be best served by the FIDO Alliance website.
Public and Private Keys
Enter the concept of public and private keys. In passkey security, the public key is stored in an online database, while the private key remains on the user's device, or is "roamed" to other devices by a service like iCloud Keychain. This asymmetrical approach adds an extra layer of security, ensuring that even if the public key falls into the wrong hands, it remains useless without its counterpart.
Note: There are now several methods to sync your private key online and skip the Bluetooth authentication ceremony normally required to enroll a new device. Syncing your private key places the security of said key in the hands of Google, Apple, or a third-party password manager. Whether or not this is a worthwhile tradeoff is up to you and your use case.
Advantages of Passkey Security
Let's explore why passkey security is gaining traction in the digital landscape.
Leaked and stolen passwords, phished 2FA tokens, and social engineering attacks continue to cost millions for businesses and wreak havoc for consumers.
Passkeys can't be phished, obtained through social engineering, or tricked into signing into a fake website. Passkeys are always long and random - something fallible humans continue to miss with passwords despite warnings from every side.
Together, these features eliminate the main downfalls of passwords.
Say goodbye to complex password requirements and forgotten combinations. Passkeys streamline the authentication process, offering a user-friendly experience without compromising security.
Challenges and Considerations
As with any security system, passkeys come with their own challenges.
The features that make passkeys secure make managing them trickier.
- Passkeys can't be exported and imported between ecosystems at the time of this writing.
It's partly a security problem, but what incentive do vendors have to make it easy to transfer passkeys from Google Password Manager to iCloud Keychain, or from Keychain to a third-party password manager? If you have your passkeys in iCloud Keychain and decide to switch to Android, you'll have a lot of manual work to do setting up new passkeys for your accounts.
- If your passkey isn't synced and you lose the device storing it, how do you create a new passkey?
Relying parties (websites/applications) don't have a good answer. Sending a "reset passkey" email is off the table - it undoes the security benefits passkeys provide.
- Corporate security policies are slow to change - passkeys are not.
How will corporate security teams handle their users using passkeys? In the vast majority of cases, passkeys are more secure, yet most companies have no documentation or policies around how they should be used, whether or not the private key can be synced and to what vendor, etc. Passkeys will be adopted slowly and messily.
Best Practices for Passkey Security
The critical element in passkey security is device security. If you lose your smartphone and it's only protected with a PIN like 1234, you risk your passkey-protected accounts being compromised.
The best thing you can do is to never leave your devices unattended where they could be stolen, and secure them with biometrics or a strong PIN.
You may wish to opt out of syncing your passkeys to a third-party password manager. A Bluetooth authentication ceremony will be required to authenticate a new device to use the website/application, but the private key security remains on your device.
Increase Security with TeamPassword
Passkeys lack universal support; password security remains critical. If you share passwords with colleagues and seek an effortless, secure, and cost-effective solution, test out TeamPassword.
Need evidence? Explore customer testimonials on G2.