Passwords are dead – long live passkeys

In this article, we evaluate the role of passkeys in modernising security practices for organisations without going into too many technicalities, acronyms, and terminologies, such as FIDO U2F, Fido2, etc. Here is what you need to know about passkeys.

Passwords are a liability. They are knowledge-based, a constant challenge to remember, and are often reused for multiple services. Passwords are easily phished, stolen, and abused. That’s why passwordless authentication is needed. Keep reading to explore the future of passwordless authentication and the added value that passkeys bring in terms of security and usability.

What are passkeys?

Passkeys are essentially a replacement for traditional passwords: they employ modern public/private key cryptography instead of a shared 'word as a secret'. Instead of exchanging a 'shared secret' over the network, a challenge is signed with a private key and the signature is sent to the service requesting authentication (also known as the relying party). The relying party verifies the signature using the public key obtained during registration. The private key must be kept secret: it never leaves the device (device-bound passkey) or the vendor-specific ecosystem (synced passkey). This authentication paradigm significantly changes the security posture of the credentials used, as they never leave the defined perimeter.

Figure 1: Creating a passkey on Android (FIDO UI Kit). Two prompts illustrate the process of creating a passkey on Android.

The passkey user experience is designed to be consistent across user devices. Figure 1 shows how a passkey is created by simply providing the username or email. Figure 2 shows the logon interaction pattern – a simple fingerprint or face verification, or a device PIN that users are familiar with and encounter frequently. Before an authenticator signs a given challenge, the relying party is confirmed to match the domain for which the key was created, giving passkeys so-called 'verifier impersonation resistance' and making them phishing-resistant. In addition, passkeys give organisations the peace of mind that their users' credentials will remain secure even if their database is compromised, because all a relying party needs to store is a user's public key. Passkeys cannot be forgotten or mistyped, leading to a 95% reduction in password reset tickets and eliminating expensive and potentially insecure password recovery tasks.

Because passkeys are discoverable by browsers, new and unique ways of interacting with users emerge. Soon, users may only be asked to select which authenticator (platform, password manager, USB device, etc.) they wish to authenticate to, using their stored passkey. But for this to happen, organisations need to adapt their authentication process.

Figure 2: iOS login prompt with various authenticator options (custom image based on the FIDO Alliance UI Kit)

FIDO – Fast Identity Online

Passkeys are essentially FIDO credentials used for FIDO authentication. Recognising the inherent weaknesses of password systems, the FIDO (Fast Identity Online) Alliance develops and promotes standards that help reduce the world's over-reliance on passwords. The core technology behind FIDO authentication is based on public key cryptography, setting a new standard for secure access across the digital landscape. FIDO authentication is considered multi-factor authentication: the credentials are stored on the user's device (something the user 'has') and can only be exercised by the user with a biometric or PIN (something the user 'is' or 'knows') when the relying party requests user verification.

The collaboration between the World Wide Web Consortium (W3C) and the FIDO Alliance culminated in the launch of FIDO2 in 2018, marking a significant milestone in the quest for stronger and more user-friendly authentication methods. FIDO2 consists of WebAuthn and CTAP2, the Client to Authenticator Protocol version 2. CTAP2 introduced platform authenticators such as Touch ID, Face ID and Windows Hello, so users no longer depend on third-party authenticators but can use the trusted authenticator built into their own platform. CTAP2 is widely supported across all major browsers and operating systems, including Android, iOS, macOS and Windows. This universal support and the growing availability of platform authenticators lay the foundation for wider adoption of FIDO authentication, promising a more secure online environment for users and organisations alike.

What are synced passkeys?

In May 2022, Apple, Google, and Microsoft announced plans to support synced passkeys. As mentioned above, unlike device-bound passkeys, synced passkeys can be synchronised between devices within the same vendor ecosystem, such as iCloud for Apple devices or within a cloud-based password manager. While these credentials have a different need for security protection than device-bound passkeys, they share the same security and usability features and they offer significant benefits to both end users and organisations, balancing convenience with security.

The figure summarises the differences between synced and device-bound passkeys:

Figure 3: Synced vs. device-bound passkeys. Image adapted from https://fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases-March24.pdf

Before the introduction of synced passkeys and platform authenticators (see box on CTAP2), physical external authenticators such as a YubiKey were commonly used. These external authenticators are difficult to manage. They are not scalable because a separate passkey has to be created for each relying party, and they only store a limited number of passkeys. To avoid losing access to services, it is advisable to create backup credentials on a backup authenticator, which increases cost and further reduces usability by requiring you to remember which passkey is on which authenticator. In addition, both the primary and backup authenticators can be lost or stolen. These usability issues, combined with the low acceptance of trusted parties offering passwordless authentication, have led to low adoption of passwordless authentication.

Since synced passkeys are secured within the authenticator provider's ecosystem, they represent a significant step forward in user convenience and security compared to passwords. Synced passkeys reduce the risk of users losing access to their accounts compared to device-bound passkeys. Recovery processes, which are often targeted by attackers, are less likely to be required with synced passkeys.

But wait, there is more …

The development does not stop at synced passkeys. CTAP2 supported connections to external authenticators via USB, NFC, or Bluetooth Low Energy (BLE). In March 2023, an extension to the protocol was proposed to enable Cross-Device Authentication Flows. This proposal is already supported by Apple and Android, allowing users to securely log in to their accounts on a shared computer (e.g. library) without risking exposure of private key material. 

Figure 4 shows the cross-device flow: (1) the client requires authentication and (2) presents a QR code, which (3) is scanned by an authenticator. Next, the authenticator (4) interacts with the server requiring authentication over the Internet and (5) signs the presented challenge to (6) prove possession of a valid passkey. The device presenting the QR code continuously checks whether an authenticator has signed the challenge (6); if so, a valid session is received.

The cross-device authentication flow allows authenticators with cameras to be used to authenticate users. BLE is used to confirm physical proximity, ensuring that the authentication process remains secure and seamless.

Figure 4: Cross-device authentication flow. (Own creation inspired by Sascha Preibisch, 2022, https://www.youtube.com/watch?v=et8vKy_ICog)

Passkeys are here to stay

Passkeys are quickly becoming the standard for consumer applications, as evidenced by their adoption by industry leaders. The key to the continued success of passkeys is user acceptance and enterprise adoption, led by the larger drivers behind passkeys. The Cybersecurity and Infrastructure Security Agency (CISA) encourages all organisations to implement phishing-resistant authentication and recognises that passkeys are the only widely available authentication form. The security benefits of passkeys are evident, and with synced passkeys – especially for end-user applications – user adoption through a great user experience is paving the way for organisations to use passkeys for internal user authentication.

How can Zühlke help?

Zühlke is at the forefront of this transition, leveraging our extensive network of cybersecurity and user experience (UX) experts to guide organisations away from the vulnerabilities inherent in traditional password systems.

Specifically, our comprehensive passkey implementation approach includes:

Assessing your organisation's need for passkeys: tailoring solutions to meet your organisation's specific security and usability requirements.

Regulatory advice and implementation: advising on the appropriate level of authentication assurance to meet regulatory and internal security mandates.

Improving the registration and logon experience: making the process of registering and logging in with passkeys not only secure, but also enjoyable for users, thereby encouraging adoption.

Account recovery strategy consulting and implementation: developing strategies that balance security and convenience, ensuring a seamless user experience while minimising the risk of unauthorised access.

Implementation of synced and device-bound passkey support in your IDP: integrating passkey support into your Identity Provider (IDP) systems, providing both flexibility and security.

At Zühlke, we are committed to helping organisations transition to a more secure, user-friendly authentication framework. By integrating passkeys, organisations can significantly improve their security posture while providing a great user experience.

Contact person for Switzerland

Dr. Raphael Reischuk

Group Head Cybersecurity & Partner

Raphael Reischuk is the author of numerous scientific publications in various areas of IT security and cryptography, many of which have received awards. BILANZ and Handelszeitung listed him among the Top 100 Digital Shapers in Switzerland in 2021.

Reischuk is a member of multiple international programme committees for IT security and Vice-President of the Cybersecurity Committee at digitalswitzerland. He is also the co-founder and a board member of the National Test Institute for Cybersecurity (NTC).

In 2017, he joined Zühlke, where he channels the expertise he has gained in various industries into his role as Group Head Cybersecurity & Partner. As an experienced IT security expert, he is driven by curiosity, innovation, technology, a sense of commitment and a strong business ethos.
