Don’t Pass on Passkeys

By Dean H. Saxe

Last month, the IDPro newsletter published an OpEd entitled I’ll pass (for now) on Passkeys. In it, the author discusses their caution in adopting passkeys at this time due to perceived interoperability and usability challenges. Out of concern that those perceptions might hinder the growth of passkeys, and thereby limit options for users and relying parties who need better credentials than passwords, I’d like to share my own perspective below.

First, let’s clarify some language around passkeys. Passkeys are defined as FIDO discoverable credentials. Discoverable credentials reside within the authenticator, whether it is a hardware device, a TPM, or a passkey provider. Passkeys are distinguished from non-discoverable FIDO credentials, whose key material is embedded (wrapped) in the credentialID returned to the relying party (RP) at registration and thus stored by the RP rather than on the authenticator. Yubico has a good writeup on the concepts.

Passkey Options

Within the realm of passkeys, there are two additional options: device-bound passkeys and synced (synchronized) passkeys. Device-bound passkeys are inherently bound to the device – a Trusted Platform Module (TPM), Trusted Execution Environment (TEE), or Secure Element (SE). These passkeys cannot be exported or backed up; if the device is lost, reset, or broken, the credentials are lost and cannot be recovered. Synchronized passkeys (synced passkeys) are stored within a passkey provider’s synchronization (sync) fabric and may be moved between devices, shared, and (in some cases) exported. The sync fabric ensures high availability and reduces the risk of losing the credential.

Fundamentally, all FIDO credentials – passkeys and non-discoverable credentials – have the same security model. The credentials are cryptographic key pairs that are origin-bound, enabling strong phishing resistance. Because asymmetric cryptography is used, the RP stores only the public key; there is no shared secret that can be stolen from the RP, unlike passwords or OTPs.
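To make the two points above concrete (origin binding, and the device-bound versus synced distinction from the previous section), here is an added example of the RP-side checks on a WebAuthn assertion; it is not code from the author or from any passkey provider. It assumes a constructed RP ID of `example.com`, constructed challenge and flag bytes, and it leaves out the signature verification step.

```python
import base64
import hashlib
import json
import struct

# Authenticator-data flag bits from the WebAuthn spec (byte 32 of authenticatorData):
# UP = user present, UV = user verified, BE = backup eligible, BS = backup state.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


def verify_and_classify(auth_data: bytes, client_data_json: bytes,
                        rp_id: str, origin: str, challenge: str) -> dict:
    # RP-side checks on one assertion; signature verification over
    # authData || SHA-256(clientDataJSON) is omitted in this example.
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    # Origin binding: the authenticator hashed the RP ID it signed for, and the
    # browser recorded the origin the user was actually on. A look-alike domain
    # fails both checks, which is where phishing resistance comes from.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("unexpected clientData type")
    if cd.get("origin") != origin:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")
    if cd.get("challenge") != challenge:
        raise ValueError("challenge mismatch (replayed assertion?)")
    be, bs = bool(flags & FLAG_BE), bool(flags & FLAG_BS)
    if bs and not be:
        raise ValueError("BS set without BE is not a valid flag combination")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": be,   # BE: the credential may be synced
        "backed_up": bs,         # BS: the credential is currently synced
        "passkey_kind": "synced" if be else "device-bound",
        "sign_count": sign_count,
    }


# Constructed sample inputs (not captured from a real authenticator).
RP_ID, ORIGIN = "example.com", "https://example.com"
CHALLENGE = base64.urlsafe_b64encode(b"constructed-32-byte-challenge!!!").rstrip(b"=").decode()


def make_auth_data(flags: int, sign_count: int = 0) -> bytes:
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin: str = ORIGIN) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": CHALLENGE, "origin": origin}).encode()
```

A device-bound passkey typically reports UP|UV with an incrementing counter, while a synced passkey reports UP|UV|BE|BS and often a constant counter of 0; an RP that wants to apply different policy (for example, the AAL2 discussion later on this page) can branch on `passkey_kind`.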

More on Synced Passkeys

The introduction of passkeys —what we now call synced passkeys— in 2022 changed our approach to phishing-resistant credentials. With synced passkeys, users can create credentials that automatically sync across the cloud within a single ecosystem (e.g., iCloud). This synchronization ensured the availability of synced passkeys even if a device was lost. However, these credentials were only available within that vendor’s ecosystem in the initial deployment. Cross-device authentication partially solved this problem by allowing devices to be used across ecosystems for authentication without sharing the passkey. Synced passkeys alleviate the concerns for consumer and enterprise markets where managing device-bound credentials creates unacceptable user friction.

In 2023, we saw the emergence of third-party passkey providers, including traditional “password managers,” enabled on multiple platforms. Passkey providers offer alternatives to a platform’s passkey implementation, allowing cross-ecosystem syncing within the provider’s own ecosystem. Today, there are 25 different passkey providers listed in the Passkey Authenticator AAGUIDs list, including small companies, large companies, and open-source implementations. Passkey providers are now available for all major browsers and operating systems.

Security Spectrum

All credentials reside somewhere along a security spectrum; this is no different with passkeys.  

In a 2023 study by Bitwarden, only 30% of respondents use password managers (credential managers), while 84% of users reuse passwords across sites! Any increase in the use of a credential manager raises the bar for end-user security, whether the user chooses a password or a passkey. If users choose passkeys, let’s celebrate! We just reduced authentication friction for the user with a higher-quality, phishing-resistant credential, reducing risk for both the user and the relying party.   

Synced passkeys introduce new risks compared to the traditional FIDO hardware key deployment model. Synced passkeys may be leaked through credential sharing, insecure credential export, attacks against the passkey provider, or attacks on the provider’s client application. All of these attacks are possible against credential managers today, yet we broadly agree that using a credential manager effectively reduces the risks associated with passwords. 

Passkeys Support

Recently, NIST published NIST Special Publication 800-63Bsup1, which outlines the properties of passkeys that reach Authenticator Assurance Level 2 (AAL2). Passkeys with demonstrable properties that meet or exceed the requirements outlined in Section 4 may meet the high bar of AAL2 credentials. Since passkeys are commonly considered a “password replacement”, it is reasonable to treat all passkeys as AAL1. Yet this classification isn’t fine-grained enough to capture that, even within AAL1, some credentials are better than others. Passkeys are clearly superior to passwords, even though they are both AAL1 credentials.

In practical terms, vendor lock-in for passkeys does not exist. Any service supporting passkeys should allow the registration of multiple passkeys per account. Users operating across platforms or ecosystems can register multiple passkeys with different providers or use a cross-platform passkey provider. The Cross Device Authentication flow can be used to authenticate on a client that doesn’t have a passkey by using the user’s phone or tablet (the “authenticator”), which does have one.

Today, some passkey providers allow you to export your passkeys to disk for backup as you see fit: KeePassXC, Proton Pass, and Bitwarden. While I don’t recommend this option, it exists.

What’s Next

The FIDO Alliance is developing a new Universal Credential Exchange protocol to allow the secure transport of passkeys and other credentials between different credential managers. I hope we’ll see public implementations of Universal Credential Exchange soon.

Passkeys are not perfect, but they continue to evolve through the hard work of members of the FIDO Alliance and W3C. Don’t let perfect be the enemy of good and overlook passkeys. Identify use cases for passkeys in your environment as a password replacement, a second factor, or even as an AAL2 multi-factor credential. Together, we can reduce the use of knowledge factors, phishing, and related fraud while delivering a better user experience.

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author

Dean H. Saxe is a Principal Engineer in the Office of the CTO of Beyond Identity, founding member of IDPro, IDPro Body of Knowledge author and reviewer, the first person to obtain the CIDPRO certification, and co-chair of the FIDO Alliance Enterprise Deployment Working Group (EDWG). Beyond the realm of Identity, Dean is passionate about traveling, cycling, camping, board games, cooking, and spending time with his wife, two kids, and two dogs.
