
Passkeys - a promising alternative to password-based authentication

Authentication is one of the most important components of cyber security. It is the "front door" for most applications, and securing it is critical. Even when an application implements strong security measures elsewhere, the weakness often lies in an inadequate authentication solution. Multi-Factor Authentication (MFA) has undoubtedly brought about significant improvements in the security landscape. However, let's face it, MFA is not perfect. It has its own weaknesses, such as MFA fatigue and social engineering. To make matters worse, many systems don't even support MFA because of the fear that it may harm the user experience. This has been a problem in the authentication world for as long as applications have existed.

Now, step up, Passkeys!

Passkeys, an alternative authentication method, are changing the way users verify their identities. In the traditional method, a system's database stores a hash of the user's password, and during login the submitted password is hashed and compared to the stored value to check for a match. Reversible encryption is used in some cases, but it is less secure than hashing, and storing passwords in plain text should be avoided altogether.

Passkeys are a distinct authentication method that utilises public key cryptography, the same technology used for web certificates. It involves the use of two keys - one public and one private. Data encrypted with the private key can only be decrypted with the public key, and vice versa. The two keys are mathematically linked and strong enough that deriving one key from the other is computationally infeasible. It's important to note that the same key cannot be used for both encryption and decryption. While the specifics of Public Key Infrastructure (PKI) can be quite complex, at its core a passkey is a pair of mathematically connected public and private keys. The public key is stored on the system being authenticated to, such as eBay, while the private key is typically stored on a mobile device.

What’s wrong with passwords?

I am a vocal critic of passwords and passphrases and have concerns about several issues with them. It's worth noting that things are generally improving, as organisations are finally recognising that expiring passwords, requiring special characters, and allowing common words are not conducive to a good user experience or to security. It's important to acknowledge that humans tend to reuse passwords across multiple sites, and if they are forced to change them, they often only make minor modifications, such as incrementing a digit at the end. For example, a password like "Yesapassword1!" might simply be changed to "Yesapassword2!".

Although password managers have become more common and are now built into browsers and devices, they are not without their flaws. While they are generally better than not having one, there are still issues with user adoption. Google, Apple, and Microsoft are making efforts to automatically detect and intercept account creation, as well as encourage the use of random password generation. However, full integration is not always possible due to web apps not being designed to align with password manager expectations.

Additionally, passwords, no matter how strong, are still a series of characters that can be easily shared or intercepted. Phishing attacks continue to be the most common form of attack, and while MFA can greatly enhance security, it often poses challenges in terms of usability, especially if the system you are authenticating to does not support MFA.

How are passkeys better?

There are a few fundamental differences to note. Firstly, with passkeys only the public half of the key pair is stored on the system side. This public key holds no value on its own, so if it is stolen in a breach it cannot be used to gain access or be reused elsewhere. The private key, on the other hand, is securely stored on the user's devices and synced between them. The user never handles the private key directly; the device uses it on the user's behalf when needed.

Secondly, the keys are generated to a robust standard, making them highly resistant to brute-force attacks. Public key cryptography is built with multiple safeguards to prevent unauthorised access. In other words, in theory it should remain secure as long as the private key, which is tied to the hardware security of a device, is not compromised. Extracting the private key from that hardware is an incredibly difficult task, which further strengthens the security of passkeys.

How can they be improved?

As promising as the technology is, it does not come without its challenges. In my view there are three fundamental problems with passkeys in their current form which, if addressed, would make them a truly great solution:

  1. Private keys need to be stored on a device. The most commonly used devices are Apple, Google, or Microsoft, and most users will end up setting up their passkeys on the platform they use the most. This may not be a problem for some users who only use Apple devices and never switch platforms, as iCloud can sync their passkeys seamlessly. However, imagine if you use an iPhone, a Windows Laptop, and an Android Tablet. Your passkeys cannot currently sync across these different platforms. There are two potential solutions for this issue, but neither of them is particularly elegant.

    The first solution is that the standard allows an account to have multiple passkeys, so you could have one passkey stored on your iPhone, another on your Windows Device, and a third on your Android tablet. However, the implementation of passkeys may be fragmented, and some websites may not fully support all features, such as multiple passkeys per user. This implementation challenge is further discussed in my next point.

    The second option to solve the syncing issue is to choose a third-party platform to hold your passkeys. For example, 1Password offers an option in Early Access that allows you to sync passkeys between platforms and even share them. While this is a viable option, it does tie you into a third-party vendor, which may require payment. Additionally, using a third-party platform may not fully utilise the hardware security features that operating systems provide.

  2. The next issue is one that has plagued innovators for decades. For passkeys to achieve widespread success, it is crucial that they become a standard adopted across the industry. Currently, according to Passage (a company now owned by 1Password), only 55 web applications support passkeys, including major companies such as Adobe, eBay, and PayPal. Achieving large-scale adoption will undoubtedly take time. The fragmented nature of third-party logins via Facebook, Google, and Apple demonstrated the challenges of widespread adoption, with not all websites supporting social login. While companies like Passage claim to offer an easy-to-implement option for passkeys, we still have a way to go before it becomes truly effortless and gains widespread adoption.

  3. One challenge that always arises with the adoption of new technologies across the web is device and user compatibility. HTML5 serves as a great example of how a so-called standard can become fragmented across different browsers. Additionally, the requirements of public key cryptography necessitate a fair amount of processing power on devices. While this won't be an issue for most people, as smartphones are capable of utilising this technology, it's important to consider that not everyone has a smartphone. As a result, backwards compatibility is likely to remain, meaning that passwords will still be functional. However, it's crucial to recognise that passwords will continue to be a weak link. It's no surprise that malicious actors always target the weakest link, as it's the easiest option available to them.

While the challenges of storing keys across different platforms, achieving widespread adoption of industry standards, and ensuring device and user compatibility may seem daunting, they are not insurmountable. It is imperative for all digital users and providers to confront these challenges head-on. Malicious actors will always target the weakest link, making it crucial for us to collectively strengthen this link in order to ensure a secure digital future.

Why should you be interested?

Well, there are two main reasons. Firstly, as an end user, it's important to understand this technology so that when you encounter it, such as when logging into eBay, you can recognise it and take advantage of the much more user-friendly process. I also hope that this article serves as a reminder of the inherent weaknesses of password-based authentication and emphasises the importance of using strong, random, and unique passwords while also implementing MFA whenever possible.

Secondly, if you are involved in the application creation process, it's essential to stay updated on the latest developments. It's likely that most platforms and frameworks will soon introduce simple ways to implement passkeys, and I strongly encourage you to consider offering them for your apps. After all, the security of end users is only as good as the capabilities your application provides. In addition to passkeys, it's also important to utilise current authentication features, such as MFA, password manager-friendly login and registration processes, and robust password reset capabilities. These measures will continue to be valuable and should not be overlooked, even if passkeys gain widespread success.

The road ahead for passkeys

Passkeys offer a promising alternative to password-based authentication and the inherent weaknesses that come with it. They bring us one step closer to a future where user security is not compromised by inadequate authentication measures. However, like any new technology, passkeys have their own set of challenges that need to be addressed. This is a call to action to everyone involved in the cyber security landscape - end users, application creators, and cyber security experts. We should embrace and nurture this innovative technology. We need to strive to understand its intricacies, push for its widespread adoption, and work towards solving its present limitations. Making passkeys the standard in authentication will be a significant leap towards a more secure digital world. It's time for passkeys.

I genuinely love working in an industry where technology and business intersect, always believing that doing better with real-world cyber security can benefit everyone. I consider it a privilege to have been able to deliver cyber security advice and guidance to some of the greatest organisations with some of the most brilliant people around, and I look forward to continuing in what is certainly an exciting and dynamic future for technology.
