About Passkey


Ready for a passwordless life? Tom explains how Passkey will get us there and why it’s coming sooner than you think and later than you’d like.

Featuring Tom Merritt.

About the FIDO Alliance.
About Public Key Cryptography.


A special thanks to all our supporters–without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit

Send us email to [email protected]

Episode transcript:

I just figured out passwords and now they’re switching to passkeys!
And supposedly you just tap a thing on your phone and you’re in?
How is that even secure?
Confused? Don’t be.
Let’s help you know a little more about passkeys.

Passkeys are the hope for our passwordless future. They’re based on FIDO 2 from the FIDO Alliance.
FIDO stands for Fast Identity Online and the alliance includes Amazon, Apple, Google, Meta, Microsoft, Samsung, Intel, Qualcomm, PayPal, Wells Fargo, US Bank, Visa, 1Password, LastPass, RSA. The list is rather long but I think that gives you the flavor. It’s big tech companies, security providers, chip makers and banks.
The FIDO Alliance develops FIDO 2 as an open standard in cooperation with the World Wide Web Consortium or W3C.
I did an entire episode on FIDO 2, which aims to increase authentication security, but here’s the short version. FIDO 2 gives you single multi-factor, meaning it doesn’t require a password. FIDO 2 is probably most familiar to folks in corporate enterprises that use things like Yubico’s YubiKeys. They’re the little USB dongles you insert or tap to provide a second factor.
Many of you may NOT be familiar with those and that’s the reason FIDO 2 hasn’t spread faster. As much as it would be great if everyone bought something like a Yubikey, most people just aren’t going to do that. And until you get most people to do it, sites aren’t going to want to pay developers to redo their authentication system.
That’s why you see it in corporations, right? The company CISO just makes everybody use the YubiKey to log in. The devs have to implement it because every employee in the company is going to use it. Also because the CISO told them to do it.
In the wider world you need a diverse array of websites and device manufacturers to support it AND a bunch of consumers who adopt it. And consumers won’t adopt something unless it’s easy.
So we’ve been in this holding pattern for a while, waiting for adoption by devs who are waiting for adoption by consumers who are waiting for easy implementation which requires adoption by devs, and now I’m dizzy.
But passkey seems about to get us off this merry-go-round. Because passkey is designed to be easy while also being secure.
Passkey is an implementation of FIDO 2, but instead of making you get another thing, like a USB key, it uses the devices you already have. They sort of turn your device into the YubiKey.
Here’s how creating a passkey works.
Let’s say you have an iPhone and you’re using Chrome. You go to a website, let’s say passkeys.io. It probably will ask you for an email address. The email address is not necessary for passkey to work. So you can go ahead and give it a fake one or a spam one if you want. However the email address is likely going to be used for account recovery in case you lose the phone that has all your passkeys. So you might want to use a working email address.
After you enter the email address, you press “Set up passkey.” It then prompts you to use whatever you use to protect your device’s overall security. It could be FaceID, could be a fingerprint scanner. Maybe it’s a nice complex PIN. Let’s say it’s a fingerprint scan. Press your finger on the fingerprint scanner on your device and you’re in. That’s it. You just created a secure account.
Yep! WAY easier than entering a password twice, oh you don’t have enough characters, oh you didn’t use special characters. None of that. No adding it to the password manager. Email address. Create passkey. Fingerprint scan. Done. In the background your OS has stored the passkey securely and may be syncing it with other devices.
And you gave precious little to the company you created the passkey for! It knows whatever email you gave them and has created a token to match with your passkey in the future. It has NOT stored your passkey. An attacker cannot steal your password from the company because the company doesn’t have it.
The next time you go back to sign in on that same iPhone, you’ll just choose “Sign in with passkey,” swipe your fingerprint and you’ll be signed in.
But ah you say. What if I want to sign in on my Windows machine using the Edge browser?
Go to passkeys.io on Edge and select sign in with passkeys. Your passkey isn’t on that device so it gives you the option of using a QR code. Scan the QR code with your phone and the synced passkey tells the website that it’s you and logs you in on the Edge browser.
In the future once support is fully implemented it will get easier. Bluetooth LE from Windows can directly notify your iOS or Android phone of the login request through an encrypted tunnel. You see that notification on your phone. So you pick up your phone and unlock it.
OK so what happens if you lose your phone? One hedge against that is if you have multiple devices. You can store your passkeys on a laptop and a phone. Apple, Microsoft and Google provide end-to-end encrypted syncing of passkeys across devices. But there’s also good old account recovery by email which is why you want to give a working email along with your password. Right now account recovery is so much more secure than passwords that some sites only log you in by sending you an email. Keeping your email account secure is quite important of course and will continue to be so. And it will be important to have multiple ways to securely log in to your email. So you’ll want passkeys on more than one device.
In a world of passkeys you’ll need multiple ways of getting to your email of course, but also your device security becomes paramount. Unlocking a laptop or phone will serve the same step as entering a password used to. This will take some education for people who use insecure passwords on their devices. However, to steal passkeys will still require physical access, which is much more secure than passwords are now. Still, best practice is to make sure you have a sufficiently complex PIN backing up face or fingerprint.
Is this really more secure? The full details are in our episode on FIDO 2 but think of it this way.
Right now, you might try to be secure by using a password manager to create a long complex password and store it in an encrypted vault. You then use another long complex password to unlock the vault and access the password for a website and enter it there. Then if you are using MFA you open an app generating codes and type a code in separately. Every one of those steps is phishable. Somebody could be tricking you into entering the password or the MFA code into the wrong box at the wrong time. It can happen to the most careful among us.
With Passkey, unlocking your device replaces unlocking your password manager. Except the password is an encrypted key much more complex than any your password generator would generate, and is automatically sent directly to the site requesting it. That site combines it with its token to validate it’s the right account and authenticate you. (See our episode on Public Key Cryptography to understand how this works securely.)
Since during that process, you didn’t have to type anything anywhere there’s no chance it gets typed into the wrong place. Since only the site you’re trying to log into can make use of that key, there’s no risk of sending your passkey to the wrong location. To intercept the key and try to use it to pretend to be someone would require breaking some incredibly strong encryption. And there is no password stored by the site! So there is no password database to breach.
So where can you use passkeys?
Many browsers support it including Chrome on ChromeOS, Windows and macOS, Microsoft Edge on Windows and macOS and Safari on macOS.
Apple started supporting passkeys in iOS 16, iPadOS 16 and macOS Ventura.
Google supports passkeys in Android as of October 2022 and ChromeOS in beta with full support in 2023.
Windows will support passkey in 2023.
Passkeys are supported by PayPal, eBay, WordPress and a growing list of websites.
And here’s where a lot of folks see downside. In pursuit of the mass market of consumers, passkey does leave folks out. If you’re on Linux you can use FIDO 2 like a YubiKey but you may not be able to use passkey without also using a Mac, iOS, Android or Windows device.
That may make you upset and I get it. Passkey is meant to be the mass market version of FIDO 2 so it runs on the mass market platforms. Thankfully FIDO 2 is an open standard so passkey can be extended to other platforms, it’s just going to take someone doing the work.
But remember that even if you’re using the mass market platforms the keys are always stored locally. Their cloud services are used for sync not storage and are end-to-end encrypted. That may or may not make you feel better but it’s not as egregious as managing the keys for you.
So can we ditch passwords? Not yet.
By the end of 2023 all the operating systems will fully support it along with the major browsers and more websites will as well. At that point users will need to update their operating systems and start learning what passkey is and decide if they trust it. But we’re close. Within a couple of years we should start seeing passkeys become common and passwords less so.
In other words, I hope you know a little more about passkey.
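The registration and sign-in flow the episode describes, as an added Go example that is not part of the episode or of any FIDO Alliance code: the site keeps only a public key, each login signs a fresh challenge, and the signed bytes are bound to the site the key was created for. It assumes a simplified signed-message layout (the real FIDO2/WebAuthn format carries more fields) and constructed sample values such as the user email and challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Passkey stays on the user's device; the private key never leaves it.
type Passkey struct {
	RPID string // site the key was created for, e.g. "passkeys.io"
	priv *ecdsa.PrivateKey
}

// Site stores only public keys: a breach of Users yields nothing a thief could replay as a login.
type Site struct {
	RPID  string
	Users map[string]*ecdsa.PublicKey // email -> public key (the site's "token")
}

// Register: the device mints a P-256 key pair and hands the site the public half only.
func Register(site *Site, email string) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	site.Users[email] = &priv.PublicKey
	return &Passkey{RPID: site.RPID, priv: priv}, nil
}

// signedData binds the RP ID into the signed bytes: sha256(sha256(rpID) || challenge). Simplified layout, assumed.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(h[:], challenge...))
	return sum[:]
}

// Sign is the device side: only a key created for the requesting RP ID is offered, so a look-alike domain gets none.
func (p *Passkey) Sign(rpID string, challenge []byte) ([]byte, error) {
	if rpID != p.RPID {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, p.priv, signedData(rpID, challenge))
}

// Verify is the site side: the stored public key checks the signature over this login's fresh challenge.
func (s *Site) Verify(email string, challenge, sig []byte) bool {
	pub, ok := s.Users[email]
	return ok && ecdsa.VerifyASN1(pub, signedData(s.RPID, challenge), sig)
}
```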