Authentication is one of the most important components of cyber security: it is the "front door" for most applications, so securing it is critical. However thoroughly the rest of an application is hardened, the weak point often turns out to be an inadequate authentication solution. Multi-Factor Authentication (MFA) has undoubtedly brought significant improvements to the security landscape. But let's face it, MFA is not perfect. It has weaknesses of its own, such as MFA fatigue (bombarding a user with push prompts until one is approved) and social engineering. To make matters worse, many systems still don't support MFA at all, for fear that it will hurt the user experience. This trade-off between security and usability has dogged authentication for as long as applications have existed.
Now, step up, Passkeys!
Passkeys, an alternative authentication method, are changing the way users prove their identity. With the traditional method, the system's database holds only a hash of the user's password (ideally a salted, deliberately slow hash such as bcrypt or Argon2); at login the submitted password is hashed the same way and compared with the stored value. Some systems instead store passwords encrypted, which is weaker, because anyone who obtains the key recovers every password at once, and storing passwords in plain text should never happen.
Passkeys are built on public key cryptography, the same technology that underpins web (TLS) certificates. It involves two keys, one public and one private. The private key produces signatures that anyone holding the public key can verify, and data encrypted to the public key can only be decrypted with the private key. The two are mathematically linked, and the strength of the scheme rests on the fact that, while the public key is derived from the private key, recovering the private key from the public key is computationally infeasible. It is important to note that each half has its own role: the public half can verify and encrypt but never sign or decrypt. Public key cryptography has many subtleties (the certificate hierarchies of Public Key Infrastructure, for example), but at its core a passkey is simply a mathematically connected public/private key pair. The public key is stored by the service being authenticated to, such as eBay, while the private key stays on the user's device, typically a phone or laptop, or on a hardware security key. In the passkey flow the private key is used to sign, not to encrypt: the site sends a one-off challenge and the device returns a signature over it.
I am a vocal critic of passwords and passphrases and have concerns about several issues with them. It is worth noting that things are generally improving: organisations are finally recognising that forced password expiry and mandatory special characters are good for neither user experience nor security, and that it matters far more to block common words and known-breached passwords (this is the direction of current NIST guidance in SP 800-63B). It is important to acknowledge that humans reuse passwords across multiple sites, and when forced to change one they usually make only a minor modification, such as incrementing a digit or adding a special character at the end. For example, a password like "Yesapassword1!" simply becomes "Yesapassword2!".
Password managers have become more common and are now built into browsers and operating systems, but they are not without flaws. They are far better than nothing, yet user adoption remains patchy. Google, Apple and Microsoft are making efforts to detect and intercept account creation automatically and to push users towards randomly generated passwords. Full integration is not always possible, however, because many web apps are not built to match what a password manager expects, such as standard form fields and autocomplete hints on the login and registration pages.
Additionally, a password, no matter how strong, is still a string of characters: it can be shared, typed into a fake site or intercepted, and whoever obtains it can replay it. Phishing continues to be the most common form of attack, and while MFA greatly raises the bar, it often comes at a cost in usability, and it is no help at all when the system you are authenticating to does not support it.
There are a few fundamental differences to note. Firstly, with passkeys only the public half of the key pair is stored on the system side. The public key holds no value on its own: if it is exposed in a breach it cannot be used to log in, and because a separate key pair is generated for every site it cannot be reused elsewhere either. The private key, on the other hand, is held on the user's devices (and, for synced passkeys, replicated between them through the platform's end-to-end encrypted credential store; passkeys on hardware security keys are device-bound and do not sync). The user never handles the private key directly, and the device does not hand it over when logging in; it uses the key to sign a one-time challenge issued by the site, and only that signature is sent.
Secondly, the keys are generated by the device to a robust standard (typically a random 256-bit elliptic curve key), so there is nothing for an attacker to guess, no password hash to crack offline and no shared secret to brute force. Passkeys are also bound to the site's domain: the device will only sign for the site the key was registered with, so a look-alike phishing page is refused outright. In other words, the scheme remains secure as long as the private key, which on modern devices is held in hardware-backed storage, is not compromised, and extracting it is an incredibly difficult task, further enhancing the security of passkeys.
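To make the mechanism described above concrete (the key pair, the public half being useless to an attacker, and the phishing resistance), here is an added example written for this page; it is not code from the original article or from any real passkey implementation. It simulates a WebAuthn-style registration and login in Go: the authenticator side holds the private key and signs over sha256(rpID) plus a hash of the browser's client data, while the server side holds only the public key and checks the challenge, origin, rpID hash and signature. It then plays three logins: a genuine one, an attempt from a look-alike domain, and one signed by an attacker who has only the stolen public key. The relying party "ebay.com", the origin strings, the challenge construction and the simplified single-user server are assumptions made for the demonstration; credential IDs and the signature counter that real servers also check are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const rpID, rpOrigin = "ebay.com", "https://www.ebay.com" // assumed relying party: registrable domain and the origin the browser reports

// authenticator models the user's device: one passkey per site keyed by relying-party ID; private keys never leave it.
type authenticator map[string]*ecdsa.PrivateKey

// makeCredential generates a fresh P-256 key pair for site and returns only the public
// key, which is all the server ever stores (credential IDs are omitted for brevity).
func (a authenticator) makeCredential(site string) *ecdsa.PublicKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[site] = key
	return &key.PublicKey
}

// assertion is what the browser hands the server after a login ceremony.
type assertion struct {
	authData   []byte // sha256(rpID) || flags byte
	clientData []byte // JSON binding the challenge and the page origin
	sig        []byte // ECDSA over sha256(authData || sha256(clientData))
}

// signedDigest is the byte string both sides sign and verify (WebAuthn layout).
func signedDigest(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// getAssertion signs a challenge. The browser derives site from the page origin, so on a
// look-alike domain the site differs and the authenticator holds no key for it.
func (a authenticator) getAssertion(site string, clientData []byte) (*assertion, error) {
	key, ok := a[site]
	if !ok {
		return nil, errors.New("authenticator: no passkey for this relying party")
	}
	rpHash := sha256.Sum256([]byte(site))
	authData := append(rpHash[:], 0x01) // flags: user present
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, clientData))
	return &assertion{authData, clientData, sig}, err
}

// clientData mimics what the browser assembles; a page cannot forge the origin field.
func clientData(challenge, origin string) []byte {
	return []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":%q,"origin":%q}`, challenge, origin))
}

// verify is the server-side check: this session's challenge, the server's own origin and
// rpID hash, and a signature valid under the public key stored at registration.
func verify(pub *ecdsa.PublicKey, as *assertion, challenge string) error {
	if string(as.clientData) != string(clientData(challenge, rpOrigin)) {
		return errors.New("clientData does not bind this challenge and our origin")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.authData) != 33 || string(as.authData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.authData, as.clientData), as.sig) {
		return errors.New("signature does not verify under the stored public key")
	}
	return nil
}

// runScenarios plays three logins against one registered passkey; only the genuine one should pass.
func runScenarios() map[string]bool {
	device := authenticator{}
	stored := device.makeCredential(rpID) // registration: the server keeps the public half
	var nonce [16]byte
	rand.Read(nonce[:])
	ch := fmt.Sprintf("%x", nonce) // the server issues a fresh random challenge per login
	out := map[string]bool{}
	// 1. Genuine login: the device signs the challenge for the real origin.
	as, err := device.getAssertion(rpID, clientData(ch, rpOrigin))
	out["genuine"] = err == nil && verify(stored, as, ch) == nil
	// 2. Phishing: look-alike domain, so the browser derives a different rpID and the device refuses.
	_, err = device.getAssertion("ebay-login.example", clientData(ch, "https://ebay-login.example"))
	out["phish"] = err == nil
	// 3. Stolen database: the attacker has only the public key; signing with a key they control fails.
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	forged, _ := authenticator{rpID: rogue}.getAssertion(rpID, clientData(ch, rpOrigin))
	out["stolen_pubkey"] = verify(stored, forged, ch) == nil
	return out
}

func main() {
	fmt.Println(runScenarios()) // map[genuine:true phish:false stolen_pubkey:false]
}
```

Run it with `go run`; it prints a map showing that only the genuine login is accepted. The check that matters most for phishing resistance is the one the authenticator performs: the browser derives the relying-party ID from the page's origin, so a credential registered for ebay.com is never offered to ebay-login.example, and even a relayed assertion would fail the server's rpID hash and origin checks.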
As promising as the technology is, it does not come without its challenges. In my view there are three fundamental problems with passkeys in their current form which, if addressed, would make for a truly great solution:
Well, there are two main reasons. Firstly, as an end user, it is important to understand this technology so that when you encounter it, such as when logging into eBay, you recognise it and take advantage of the much more user-friendly process. I also hope that this article serves as a reminder of the inherent weaknesses of password-based authentication and of the importance of using strong, random and unique passwords, together with MFA wherever it is available.
Secondly, if you are involved in building applications, it is essential to stay up to date with these developments. Most platforms and frameworks are likely to offer simple ways to implement passkeys soon, and I strongly encourage you to offer them in your apps. After all, the security of end users is only as good as the capabilities your application provides. Alongside passkeys, keep using current best practice: MFA, login and registration flows that work with password managers, and a robust password reset process. These measures will remain valuable and should not be overlooked, even if passkeys gain widespread success.
Passkeys offer a promising alternative to password-based authentication and the inherent weaknesses that come with it. They bring us one step closer to a future where user security is not undermined by inadequate authentication. However, like any new technology, passkeys have their own set of challenges that need to be addressed. This is a call to action to everyone involved in the cyber security landscape: end users, application creators and cyber security experts. We should embrace and nurture this innovative technology. We need to strive to understand its intricacies, push for its widespread adoption, and work towards solving its present limitations. Making passkeys the standard in authentication will be a significant leap towards a more secure digital world. It's time for passkeys.
Contact us today to discuss your cyber security challenges.