- Thierry Spanjaard
Passkeys sign the end of passwords
All of us have known for years that passwords are not a satisfactory way to protect access to information or services. Many users take them far too lightly, and the list of most commonly used passwords always includes “Password”, “123456”, “12345678”, “qwerty123”, etc.
While the end of passwords has been promised for years, passkeys, an initiative launched by the FIDO Alliance with the support of many blue-chip companies including Microsoft, Apple, Google and others, may signal that it is time for change.
The FIDO Alliance, an association of tech companies, has been aiming at improving authentication methods since its launch, ten years ago, by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. Now, the member list includes blue-chip companies Google, Microsoft, Intel, Thales, NTT Docomo, Apple, Amazon, American Express, Idemia, Feitian, Infineon, Visa, MasterCard, Lenovo, OneSpan, Qualcomm, RSA, … among many others. FIDO has published a set of specifications: Universal Authentication Framework (UAF), Universal 2nd Factor (U2F) and FIDO 2.0 that aim at improving interoperability between different solution providers.
Now, the industry association is coming up with passkeys, a password replacement based on FIDO Authentication, which uses biometrics and public key cryptography to create strong credentials. A passkey is a digital credential, tied to a user account and a website or application. When a user creates a passkey with a site or application, this generates a public–private key pair on the user's device. Only the public key is stored by the site. With passkeys, users can sign into apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords. Developers can leverage either hardware keys (e.g. YubiKeys) or secure hardware on the device (e.g. secure elements on your phone, TPMs on your laptop) gated by biometric sensors to authenticate users without using passwords. FIDO passkeys are no longer bound to a specific device, but rather are automatically synced to the cloud. This makes them reusable across the multiple devices that a user may own on the same platform, making enrollment and account recovery simpler and more resilient.
For users, passkeys are managed by the phone or computer operating system and are automatically synced between the user’s devices via a cloud service. Then, when a user is asked to sign in to an app or website, the user approves the sign-in with the same biometric or PIN that they use to unlock the device (phone, computer or security key). These mechanisms bring consistency to the user experience, as the same credentials, including biometrics, are used to access different services. These passkeys are based on FIDO Authentication which, according to the FIDO Alliance, is proven to be resistant to phishing, credential stuffing and other remote attacks. Of course, biometric material never leaves the user's personal device.
While the passkeys technology has taken a few years to standardize and develop, many leading players are now launching their actions for passkeys support across their various devices, operating systems, applications and services:
Microsoft introduced passkey support for personal Microsoft accounts in September 2021. Microsoft's passwordless solution can be used wherever you can install the Microsoft Authenticator app, including on iOS.
Google has just announced they are bringing passkey support to both Android and Chrome. Now, for passkeys to be widely accepted, Android developers have to code passkey support into their apps.
Apple announced that it would be implementing FIDO2 passwordless authentication at its recent WWDC (Worldwide Developers Conference). Apple is adding built-in support for passkeys in its operating systems, and even adds some specific twists: for instance, when creating the initial keypair, Apple uses Bluetooth to check the proximity of the authenticator device. Once created, passkeys are synced with iCloud Keychain for security purposes, and logins are authenticated with Apple Face ID or Touch ID.
PayPal just announced that it is adding support for passkeys to its app and website. They rely on passkeys generated at device level, but can also propose their own PayPal passkey, which can be unlocked on an already authenticated device by scanning a QR code.
Online services such as Kayak, eBay, Best Buy and WordPress have announced passkey support.
With these initiatives, passkeys are gaining much wider adoption. Making users change their habits will not happen overnight, and there may be some friction at the beginning. The change is for the better: a more secure authentication mechanism that is also friendlier to use for all of us.