Making sense of passkeys and the demise of passwords

An introduction to passkeys and FIDO 

Over the last 10 years, the FIDO Alliance has been championing a new and open standard to rid the world of passwords. According to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), FIDO is now considered the “gold standard” of multi-factor authentication (MFA).  

The early adopters of FIDO were mainly global brands with millions of users, including eBay, Facebook, NTT DoCoMo and Yahoo! Japan. 

Starting in October 2022, the next major FIDO milestone will come into effect with the launch of passkeys. Passkeys will be enabled and supported by the major platform vendors Apple, Google and Microsoft. Passkeys are much easier to use than usernames and passwords. They aren’t typed or remembered and can be easily recovered, eliminating much of the password reset frustrations and costs. And passkeys are phishing-resistant and cannot be hacked and stolen en masse like usernames and passwords. 

However, like any major new technology, it is vital to understand the details to ensure they are appropriate for your business. This post aims to make sense of passkeys for you and your business as an application provider — commonly referred to as a Relying Party (RP) — so you can prepare for the end of passwords. 

FIDO barriers to adoption 

Until now, the widespread adoption of FIDO has been stymied for a few reasons: 

1. Usability: Each FIDO credential was tied to a single device. This meant that for a given RP, a user needed to perform a FIDO enrollment on every device they used to access the service.
2. Account recovery: Credentials could not be backed up and restored. This meant that account recovery to the RP from a new device was very difficult if the original device was lost or stolen, for example.
3. Development effort: The RP needed to perform extensive work to ‘FIDO-enable’ their website, including researching and defining new user journeys, developing and testing new code and migrating existing users away from passwords to the new passwordless experience.
4. Pervasiveness of FIDO-compliant devices: To support a FIDO-based authentication, a device must have the requisite hardware and software such as a biometric reader, a secure enclave and a compliant OS and browser. 

Why FIDO adoption will soon become mainstream 

Fortunately, a series of developments will soon culminate to alleviate these limitations, leading to the mass-market adoption of FIDO for RPs: 

1. Passkeys will resolve the above-mentioned usability issues due to their ability to be synced to other registered devices belonging to a user on the same platform vendor.
2. Authentication-as-a-service vendors like Trusona can rapidly FIDO-enable a website or application with little to no development effort by the RP and provide user journeys that leverage industry best practices.
3. Almost every mobile device, laptop and desktop computer rolling off the production line today is FIDO-compliant. Around the world, there are now over four billion such compatible devices in use with the ability to be used for FIDO authentication. 

What are passkeys? 

In May of 2022, the FIDO Alliance along with Apple, Google and Microsoft announced passkeys as the solution to the usability challenges. Passkeys are a new type of FIDO credential — also known as a “multi-device credential” — that provide two major capabilities: 

1. The ability for a user to automatically access their FIDO credential on many of their devices — including new ones — without having to re-prove identity and re-enroll on each device.
2. The ability for a user to leverage a FIDO credential on their mobile device to sign in to an app or website on another device, regardless of the OS platform or browser.
    

How do passkeys work? 

Passkeys are simply FIDO credentials. However, what sets them apart is that the platform vendors Apple, Google and Microsoft are incorporating them into their respective cloud backup services along with account synching.  

This means, for example, that a passkey created on a user’s iPhone will be synced to their iCloud Keychain and made available to all their other registered Apple devices. A similar approach is used by Google and Microsoft in their respective services.  

This also means that if a user acquires a new device for a given platform, it will automatically inherit that same passkey. This serves as a “backup and restore” capability, which is why FIDO account recovery will now become so much easier. 

This is also good news for the RP as passkey synching between devices is a feature of the platform vendor and completely transparent to the RP. The RP therefore benefits from this capability for free, and no development effort is required on their part to support passkeys.  

However, it should be noted that currently the synching of passkeys is done by each platform vendor independently, and only across registered devices on their own platforms. For example, a passkey synced and stored in Apple iCloud will not be synced with Google or Microsoft. That said, the passkey approach includes an extension to the W3C Credential Manager specification that makes it simple for end users to use a passkey on one platform to bootstrap the creation of a passkey on another platform.
 

Passkey support timeframes 

Detailed release times and implementation specifications currently remain vague. The platform vendors have so far committed to the following: 

Apple passkey support 

• Initially available in Q4 2022 in iOS 16, Safari 16 and macOS 13 (Ventura)
• Apple has confirmed that the synching will be automatic and not based on user preference
• Apple has also confirmed that passkeys can be shared using AirDrop with other people, such as a spouse or friend. To prevent misuse, protections include:

○ Ensuring physical proximity between the two devices using Bluetooth
○ Ensuring that both people have each other in their respective contact lists

• Note the user interface to revoke a passkey will be the responsibility of the RP to provide (just like a password)
• For more information, learn about Apple’s passkey security
   

Google passkey support 

• Initially available in Q4 2022 in Android 
• For more information, learn about Google’s passwordless future
   

Microsoft passkey support 

• Initially available in H1 2023 in Windows 
• For more information, learn about Microsoft’s updates for passwordless solutions 

How to achieve full cross-platform FIDO authentication 

As mentioned above, the FIDO Alliance also announced the ability for a user to leverage a FIDO credential on their mobile device to log in to an app or website on another device, regardless of the OS platform or browser to achieve cross-platform authentication. Example use cases include logging in to an RP from a kiosk, public device or friend’s computer.  

When a user initiates a login on a computer, the user has the option to “Sign in with another device”. When chosen, the browser displays a QR code to link the smartphone and the computer. The user’s phone serves as a roaming authenticator to perform the authentication, and then transfers the trust established with the RP to that second device. When completed, the user can opt to establish a new passkey on that device for future authentications without requiring their phone. Or, the user can choose to continue to use their phone to sign in to the website on the computer, but without the need to scan a QR code for each sign-in. This process makes it much simpler to enroll a new device using a passkey than with a username and password. 

Apple has announced that the initial passkey release will support the use of a mobile device for logging in to a computer, but not the reverse. This use case will be supported at a later date. 

This cross-platform capability is facilitated by an extension to the FIDO specification known as FIDO Cross Device Authentication. This transport also requires physical proximity between the two devices and is enabled by Bluetooth Low Energy (BLE) — without the need to formally pair the two devices. 

Although the QR code is not immune to QRL jacking, the physical proximity requirement of the two devices would mitigate the risk significantly. 

And like the above section on passkeys, the RP can utilize these capabilities without any additional work as the functionality is delivered by the OS and browser. 

Risks and concerns with the current passkey implementation 

Because passkeys will be synced across devices from the platform vendors, a bad actor with access to an individual’s Apple, Google, or Microsoft account would also inherit all their passkeys. Since the platform vendors apply two-factor authentication (2FA) for account registration and recovery, a passkey is as secure as the processes they use. It should be noted that the risk of unauthorized account access is extremely low — although not impossible — and would require a breach of at least two factors of authentication. 

For RPs who use a single factor of username and password in their applications, a passkey is materially more secure. And for RPs who use SMS OTP as a second factor at sign-in or as a step-up challenge to authorize certain events and transactions, a passkey is also significantly more secure as it cannot be phished.  

For RPs who are subject to high assurance requirements in regulated industries, government, the enterprise workforce and others where higher levels of NIST SP 800-63 AAL assurances and PSD2 SCA compliance are required, passkeys alone may not provide sufficient security until stronger device management improvements are made. 

What’s next with passkeys? 

One of the major concerns with passkeys is that they can now represent an authenticating user from any number of devices. To provide additional security controls for the RP, a Device Public Key (DPK) is under proposal by the FIDO Alliance as an extension to the specifications. This key is device-specific by design and can be used along with an attestation to provide metadata on the device as a signal for the RP’s risk engine. 

For example, the RP can determine if the device is authenticating for the first time — and combined with other data such as location and IP address — it can offer an additional authentication challenge based on the risk factor.  

As of this writing, Apple has not yet committed to supporting DPK and is evaluating its benefits and drawbacks. 

Summary 

Passkeys materially increase the usability of FIDO across many industries and use cases. Its broadest applicability will be with consumer-based digital commerce applications in non-regulated industries. 

And along with the pervasiveness of FIDO-compliant devices and new authentication-as-a-service offerings such as Trusona Authentication Cloud that help digital businesses quickly passkey-enable their services, the mass market adoption of passwordless authentication will soon be commonplace and we can finally rid the world of passwords. 

Passkeys arrive in the fall of 2022. Will your digital business be ready?
 

About the FIDO Alliance 

To learn more about passkeys, including videos, demos and FAQs, visit the FIDO Alliance page at: https://www.fidoalliance.org/passkey