Should I be using a passkey?
I saw all the hype about Google's new passkey rollout on Hacker News and Ars Technica in the past month, and have even read an article stating that, paraphrased, "I should start using passkeys immediately, even if the tech is not all the way there yet."
Some questions:
- Are you using passkeys currently? Which provider?
- Is there a fear of vendor lock-in (looking at you, Apple) or ditching the product in the future (looking at you, Google)?
- Any other concerns I should be aware of, e.g. what happens if my phone gets run over by a bulldozer?
I think that while the concept of passkey tech is absolutely something we should be striving towards as a new medium of security, it might not be worth delving into just yet, but not because the first-party tech isn't there like Google or Apple. I actually think that the moment this will become a larger thing is the moment third-party companies pick it up and start using their own version of the tech.
As we start to see things like the MS Password Safe utility, but for passkeys, become more common, I think we'll see larger use of passkeys and the phasing out of passwords entirely.
Edit: I realize this doesn't reach the other points that you have questions about, so very briefly:
- I think that at first, there will be the risk of these very concerns you're pointing out, but the support staff will adapt to accommodate this in the future. Still might be a bitch of a process to recover a passkey, though.
- I think NFC scanners that want your information are going to end up becoming semi-prevalent as a method to try and steal people's passkeys. AirDrop is already ahead of this by requiring you to acknowledge whatever it is you try to receive, but NFC on Androids (and possibly NFC for Apple products too) still does not have that second step of acknowledgement.
I’m not using it yet. I’m not opposed, but I haven’t seen a website where I would want to use it. I haven’t studied the protocol in detail but it seems well thought out.
If you have multiple Apple devices and are unlikely to lose all of them then I think it’s pretty safe, since it gets synced. Ditto if you are logged into Google on multiple devices. If you only have one device, or you bring them all with you when you go out and there’s risk of theft, you’ll need a recovery plan.
I don’t think Google will abandon it since it’s a web standard. They don’t remove the implementation of a web standard from Chrome unless usage is very low on the web, which basically means it failed. If they do there will be plenty of warning.
Another failure mode might be either Google or Apple locking you out of your account, and that causing you to get locked out of some other accounts. It seems unlikely, particularly for Apple. But it might be covered by having a backup way of logging into whatever website you’re logging into. Maybe that means adding both Google and Apple passkeys to whatever account you’re logging into?
I expect password managers will support passkeys soon and that will cover people who don’t like either Google or Apple.
From my experience, Passkey isn't well supported enough on all the major OSes and browsers, and the individual implementation by each service isn't always bug-free. The latest example is Google not making a resident key when using Chrome on Windows, but making a resident key when using Chrome on macOS.
I test that kind of stuff for work as well, and IMO it's not business-ready yet.
But with that said, it is nonetheless a step in the right direction, and it will get better when it becomes adopted by many.
I am experimenting with passkeys, starting with the Google passkey sign-in utilizing 1Password. I feel like 1Password's efforts to get passkeys up and running in their app are going to help make passkeys more prevalent. 1Password has also introduced Passage, which companies and other websites can utilize to implement passkey technology into their login processes. Later this year, you will even be able to use a passkey to unlock your 1Password vault. I am excited for this technology and do hope that it becomes a lot more popular and eventually replaces passwords altogether. With that said, I do want them to take their time with it to ensure that it works as intended. I think for now, you're going to see places offering the ability to sign in with multiple different methods, including passkeys (similar to how Google has started to implement it). I think as long as reputable 3rd-party apps like 1Password are utilizing passkeys, you're going to see most big companies moving away from locking you into their system.
I'm not sure I understand how it's more effective than a password. Can someone explain, please? To me, using someone's face to log into their account just doesn't feel as secure, especially with things like deepfakes becoming more popular. As for fingerprints, I can see how that MIGHT be harder, but again, one time your fingerprint gets out and it's game over. Or am I just paranoid?
As I understand it, what Google's calling "passkeys" is really just an implementation of webauthn, which is (effectively) an extension of FIDO/U2F. It isn't using your biometrics directly, it's using a key generated by and securely stored in your device, which is only accessible if you authenticate to your device (with biometrics or with a PIN).
That is, it isn't taking a picture of your face and forwarding that to the website, so a deepfake wouldn't really help anyone out here. When you first register for the website, your device will securely generate a public/private key to use for that website and store it in its security processor ("secure enclave" as I think Apple likes to call it; TPM for desktops). That keypair will be used for authentication, similarly to how SSH keys work, if you're familiar with those.
And those keys are protected by your device, and only accessible through biometric/PIN unlock. In order to communicate with the chip where the keys are stored, your phone needs to authenticate with it, and it uses your biometrics as part of that authentication process. And because phones are generally pretty secure these days, that leaves very little opportunity to get at those keys without your biometrics, and in any case it will require physical access to your device.
And really, that means that for your average user, this is both much easier (you only need to remember your phone's PIN) and practically invulnerable to existing password attacks (because it uses public key cryptography, and the private keys are stored in a way that's practically inaccessible). If your threat model includes people with access to specialized mobile malware, or people targeting you specifically who have the resources and skills to steal your phone and break into it to extract the keys, then it might be less secure for you... but that's why threat modeling is important. No solution is perfect for everyone, but webauthn comes pretty close for your average user.
I'd be happy to discuss more too, if you've got more questions; this is a hastily written response that doesn't have all my attention, so it might not tell you as much as I hoped.
How is this better than just using an MFA code generator? Those can be locked down to a single device and biometrically secured.
Someone could make a phishing website or man-in-the middle attack to intercept your username+password+totp and pass it over to the real website. A fraudulent website will not be able to reproduce the authentication handshake from the original website with the secure element, so it is basically phishing-proof. Even if you were the average user and didn't know any better, you couldn't give them access through the phishing website even if you tried real hard.
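The two answers above (the keypair-per-website description and the "phishing-proof handshake" point) can be seen concretely in a small simulation. The following is an added example, not code from any commenter or from the WebAuthn implementations discussed; it models the protocol's shape (a credential scoped to a relying-party ID, a server challenge, and a signature over the RP ID hash plus a hash of client data that records the real origin) with Go's standard-library Ed25519, and deliberately leaves out attestation, counters and CBOR encoding. The domain names and the `RunScenario` helper are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the phone's secure element: one keypair per relying
// party ID, and the private key never leaves this struct. (Constructed model.)
type Authenticator struct {
	creds map[string]ed25519.PrivateKey // keyed by rpId, e.g. "example.com"
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh keypair scoped to rpId and hands back only the public key.
func (a *Authenticator) Register(rpId string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpId] = priv
	return pub, nil
}

// ClientData is what the browser assembles for the authenticator: the server's
// challenge plus the origin the browser is actually connected to.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the signed response the relying party receives.
type Assertion struct {
	RpIdHash   [32]byte
	ClientData []byte
	Signature  []byte
}

// Sign models the browser's credential lookup: rpId is derived from the page's
// origin, so a look-alike domain simply has no matching credential.
func (a *Authenticator) Sign(rpId string, cd ClientData) (*Assertion, error) {
	priv, ok := a.creds[rpId]
	if !ok {
		return nil, errors.New("no credential registered for " + rpId)
	}
	cdJSON, err := json.Marshal(cd)
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpId))
	cdHash := sha256.Sum256(cdJSON)
	msg := append(rpHash[:], cdHash[:]...) // signed message: rpIdHash || hash(clientData)
	return &Assertion{RpIdHash: rpHash, ClientData: cdJSON, Signature: ed25519.Sign(priv, msg)}, nil
}

// RelyingParty is the website: it keeps the public key and unused challenges.
type RelyingParty struct {
	ID      string // "example.com"
	Origin  string // "https://example.com"
	pub     ed25519.PublicKey
	pending map[string]bool
}

func NewRelyingParty(id, origin string, pub ed25519.PublicKey) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues a one-time random challenge; reuse is rejected in Verify.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Verify checks challenge freshness, origin, rpId binding and the signature.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("unknown or replayed challenge")
	}
	delete(rp.pending, cd.Challenge)
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	if as.RpIdHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("rpId hash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientData)
	msg := append(as.RpIdHash[:], cdHash[:]...)
	if !ed25519.Verify(rp.pub, msg, as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// RunScenario returns the outcome of three logins: the real site, a look-alike
// domain, and a relayed challenge where the origin check is the last line of defense.
func RunScenario() (legit, lookalike, relay error) {
	auth := NewAuthenticator()
	pub, _ := auth.Register("example.com")
	rp := NewRelyingParty("example.com", "https://example.com", pub)

	// 1. Browser really is on https://example.com: succeeds.
	c1 := rp.NewChallenge()
	as1, _ := auth.Sign("example.com", ClientData{"webauthn.get", c1, "https://example.com"})
	legit = rp.Verify(as1)

	// 2. Browser is on a look-alike domain: the authenticator has no credential for it.
	_, lookalike = auth.Sign("examp1e.com", ClientData{"webauthn.get", rp.NewChallenge(), "https://examp1e.com"})

	// 3. Even if a signature over the real rpId were obtained, the embedded origin exposes the relay.
	c3 := rp.NewChallenge()
	as3, _ := auth.Sign("example.com", ClientData{"webauthn.get", c3, "https://examp1e.com"})
	relay = rp.Verify(as3)
	return
}

func main() {
	legit, lookalike, relay := RunScenario()
	fmt.Println("real site:", legit)
	fmt.Println("look-alike:", lookalike)
	fmt.Println("relayed:", relay)
}
```

Contrast this with a TOTP code: the six digits carry no information about which site they were typed into, so a relay proxy can forward them unchanged, whereas here the origin is inside the signed data and the credential is only selectable for the domain it was registered on.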
The main way passkey protects your accounts is through a physical device acting as a key. It's like how a house key lets you unlock the door to your house. Passkey makes your smart phone into a key that gives you access to a website. (Or you can use any other device that the passkey implementation runs on.) Then it's impossible for a bad guy somewhere else in the world to trick you into giving them login access. You could tell someone your password or type it into the wrong place, but you can't hand them your phone if they're not in the same room.
Things like fingerprints are a second line of protection in case your phone gets stolen or you leave it lying around and someone tries to use it. But the website you're logging into doesn't care whether you use a fingerprint or some other method to unlock your smart phone. That's up to you and your device.
For this backup line of defense, the question is how concerned you are about your physical safety, and passkey itself doesn't do anything new to fix that. Someone who lives in a house and doesn't worry about anyone else who might come in can just leave their house keys lying around and it's fine, and similarly they don't really need to lock their phone while they're there. Other people have more challenging security concerns. It depends how you live.
There were previous schemes that did the same thing. Passkeys are a new standard that has the support of Apple and Google, so that's essentially all smart phones, and it can be implemented by anyone else, too.
Seconding this, although I don't think the concept of a passkey requires biometrics (I could be wrong though?).
When biometrics first started becoming popular, it seemed like the wisdom was "dear god don't use them". Easier than one would think to fake for fingerprints/facial recognition, and possibly not protected legally if you care about privacy (arguments that they can force you to use your face to unlock your phone because that hasn't been challenged, but can't force you to give up your password because that's settled).
That was quite some time ago, and I still think I'd be 100% no on facial locks (too easy for someone else to use that without me wanting them to), and I've been hearing about passkeys as eventually the future, but all of this is hard to keep up with. Just going down the rabbit hole of 2FA (email vs text vs auth app vs yubikey) felt confusing because there was a lot of "this is the only way to go 100%" rhetoric, even though it felt like there were some unanswered flaws with it.