Article updated 10 July 2024
Disclaimer: The views expressed in the content below are solely those of the author and do not necessarily reflect the views of the IDPro organization.
Increased security for identity is always welcome, especially when it leverages the latest standards and is easy to use. However, for my part, I’ll be waiting for the dust to settle a little more before committing to passkeys. For clarity, I am referring to passwordless synced (or multi-device) passkeys [1] rather than the physical FIDO2 authenticators (now named device-bound passkeys). At the moment, I use the physical security key option as a second factor, both WebAuthn and U2F, where I need that level of security and where they’re supported, along with a variety of MFA (software and hardware) options for the rest.
Reasons to be Cautious
Anyone working in identity will have heard the excitement around passkeys, and the benefits certainly seem to warrant jumping straight in:
- they just work (strong crypto-based authentication with no passwords)
- they re-use existing phones/tablets/computers
- they are phishing resistant [2]
Passkeys have been around since 2022 [3]. However, the interoperability of their implementations has been, and still is, something to consider carefully. Depending on your preferred browser(s) and device(s), you may run into usability challenges or, worse, be unable to use the passkeys that you have already created on other devices [4]. Starting with passwords more than half a century ago, and continuing through to modern authentication standards, being able to authenticate across different hardware and software, old and new, has always been a basic expectation. It has also been a major factor in determining their success. Fortunately, this is changing, and there are plans to support the migration of passkeys between ecosystems [5].
Security Spectrum
FIDO2 authentication has provided a truly strong authentication solution; however, purchasing the (physical) keys, managing their recovery and taking responsibility for them seems to have been the reason for the lack of mass adoption. With passkeys, a provider will do all of this for you, with the trade-off being that you are no longer the only one in possession of the keys [6]. Truly powerful security comes with at least some level of ownership, effort, and responsibility. The hack of LastPass [7] demonstrates the risks of trusting a provider to manage your secrets, even when they are end-to-end encrypted.
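The distinction the article draws between device-bound and synced passkeys is visible to a relying party: the WebAuthn authenticatorData flags byte carries a Backup Eligibility (BE) bit and a Backup State (BS) bit, so a service can tell at registration or login whether a credential can be, or currently is, held by a sync provider, and apply a policy to it. The following is an added example written for this article, not code from the author or from any passkey provider; it parses the fixed 37-byte prefix of authenticatorData and evaluates a simple policy. The relying party ID example.com, the sign counts and the sample byte strings are constructed for the demonstration.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # UP: user present
FLAG_UV = 0x04  # UV: user verified (PIN, biometric, ...)
FLAG_BE = 0x08  # BE: backup eligible, i.e. the credential may be synced to other devices
FLAG_BS = 0x10  # BS: backup state, i.e. the credential is currently backed up / synced
FLAG_AT = 0x40  # AT: attested credential data follows (registration responses only)
FLAG_ED = 0x80  # ED: extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed prefix of authenticatorData: rpIdHash (32), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,  # synced passkeys commonly report 0 here
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
    }


def classify_credential(flags: int) -> str:
    """Map the BE/BS bits to the credential types discussed in the article."""
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    if bs and not be:
        # The specification forbids BS=1 with BE=0; treat it as a malformed response.
        raise ValueError("invalid flags: backup state set without backup eligibility")
    if not be:
        return "device-bound"     # security key or platform credential that cannot be synced
    if not bs:
        return "synced-eligible"  # may be synced later but is not currently backed up
    return "synced"               # multi-device passkey currently held by a sync provider


def evaluate_assertion(auth_data: bytes, rp_id: str, allow_synced: bool,
                       require_uv: bool = True) -> tuple[bool, str]:
    """Apply a relying-party policy to one assertion. Returns (accepted, reason)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "user presence not asserted"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification required but not performed"
    kind = classify_credential(parsed["flags"])
    if kind != "device-bound" and not allow_synced:
        return False, f"policy requires a device-bound credential, got {kind}"
    return True, f"accepted {kind} credential"


def make_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticatorData for the demo (not a captured real response)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples: a device-bound key (UP|UV) and a synced passkey (UP|UV|BE|BS).
DEVICE_BOUND_SAMPLE = make_sample("example.com", FLAG_UP | FLAG_UV, 42)
SYNCED_SAMPLE = make_sample("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)

if __name__ == "__main__":
    for name, sample in [("device-bound", DEVICE_BOUND_SAMPLE), ("synced", SYNCED_SAMPLE)]:
        print(name, evaluate_assertion(sample, "example.com", allow_synced=False))
```

A relying party that wants the stronger possession guarantee for its most sensitive accounts can record the credential type at registration and refuse or step up logins from synced credentials, while still accepting them for lower-risk services; the flags are self-reported by the authenticator, so a policy that must not be circumvented should also require attestation at registration.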
It’s About Interoperability
Passkeys did initially seem like a positive middle ground; however, the confusing marketing, implementation limitations, occasional lack of transparency [4] and interoperability problems have so far undermined their potential to be a truly great improvement on current password and MFA options. For me, I’ll be using physical FIDO2 authenticators for vital services, my password manager for passwords, and MFA for most others, and only when passkeys are truly cross-platform will I slowly replace passwords with them. Sometimes with security, it’s better to avoid the hype and appealing new features (great convenience) to make sure you have solid foundations.
[1] https://corbado.com/blog/device-bound-synced-passkeys
[2] https://docs.yubico.com/hardware/yubikey-guidance/best-practices/all-faq-passkeys.html
[3] https://fidoalliance.org/white-paper-multi-device-fido-credentials/
[4] https://proton.me/blog/big-tech-passkey
[5] https://fidoalliance.org/specifications-overview/
[6] https://www.yubico.com/blog/new-nist-guidance-on-passkeys-key-takeaways-for-enterprises/
[7] https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
Author
Jac Fowles is a security systems specialist with experience in deploying, securing and integrating core security services in large environments. Certified security, Linux, DevOps and cloud engineer – CISSP, CEH, RHCE, Azure, and AWS.