Goodbye Passwords, Hello Passkeys: The Future of Authentication

Written by radioactive | Published 2024/12/17
Tech Story Tags: passkeys | authentication | passwordless-login | public-key-cryptography | fido2-passkey-standards | passkeys-vs-passwords | passkey-security-benefits | biometric-authentication

TLDR Passkeys are a passwordless authentication method using public key cryptography. They enhance security, reduce risks like phishing, and simplify the login process.via the TL;DR App

Intro to Passkeys

Password-based authentication has been the default mode for many years. But who wants to remember the passwords for every website they register on? Most people use the same password in many places, something easy to remember. Password managers make it easier to autofill credentials, but they cannot overcome the security concerns present in the password-based authentication system by design. There comes the Passkeys. They are safer and easier to use, providing passwordless authentication with a new vision in the authentication space that seems promising.

As with everything, passkeys also come with their advantages and challenges which we are going to discuss in this article along with an idea of how this mode of authentication works, how secure it is, and many more.

How passkeys work?

Passkeys utilize public key cryptography to generate an authentication flow instead of relying on a single string-based password. The user’s device generates a Public/Private key pair and sends the public key to the server which stores it and later uses the key to authenticate the user, private key is stored on the user’s device.

Registration flow

  • User’s device generates a Public/Private key pair bound to the web service.
  • Public key is sent to the Web service and the Private key is stored on the user's device.
  • Web service stores the Public key against the user in their database.

Authentication flow

  • Web service sends a challenge nonce to the Client.
  • Users authenticate themselves locally using any method such as Biometrics, PIN, etc to access the private key.
  • User device signs the challenge using the private key for that particular Web service.
  • Web service receives the signed challenge and verifies it using the Public key. This ensures that the client device indeed has access to the private key.
  • After successful verification, the Web service authenticates the user.

Points to note

  • Public/Private key pair is unique to every service/website.
  • Public key is transmitted to the web service over the network only once during the registration.
  • Private key stays on the user's device all the time and is never transmitted over the network. (Exception is when you sync the passkeys using a password manager)
  • Signed payload generated by the user device is transmitted over the network, is session-specific, and changes every time the user authenticates.

How secure they are and how they can provide a better alternative than Passwords?

Increased security usually means decreased ease of use but this is not true in the case of passkeys. They are easier to use once the registration phase is complete. There is no burden to remember the passwords, the authentication is quick, easy and secure as well.

Passkeys reduce the attack surface and eliminate some common threats to passwords. Passwords are usually stored in encrypted form on a database. When you use a plaintext password to login to a web service, they generate the same encrypted text and compare it with the one they already have, this is how the users are authenticated. Now this leaves us with two most common threats.

  • Database breaches
  • Phishing attacks

Database breaches are common and when a service’s data is stolen, it is often sold on the dark web. Malicious actors who have access to the data can try to break encryption offline, and with the computing power available today it could take from weeks to months depending on the encryption. Passkeys eliminate this threat as there are no passwords to store. In case of a leak, only the Public key is exposed which is of not much use to the malicious actors.

In Phishing attacks, a clone of the target website is created and the user is tricked into entering their credentials mistaking it for a genuine site. This however also fails to work with Passkeys as there are no credentials to steal. Sophisticated Phishing attacks combined with Man in the Middle may still be operable but the attack surface is largely reduced.

Types of Passkeys

  • Single device or Device Bound
    • Private key never leaves the device.
    • Authentication can be done only on a specific device on which the private keys exist.
    • Since the key exists only on a single device, the recovery path needs to be triggered in case access to the device is lost.
  • Multi-Device or Synced
    • Private key is synced across user devices.
    • Common options include using Google password manager, iCloud keychain etc.
    • Keys are end-to-end encrypted which means the provider can not see or use your keys even though they store them.
    • This enhances usability as users need to register only one device and can reuse the same keys across their devices.

Portability of Passkeys

As we already learned in the last section, Passkeys can be synced across devices so we know they are portable. You can use the passkeys on all of your devices as long as you are signed in with the provider (Google, iCloud). This gets us to the question of how we are going to use passkeys on a device that does not belong to you, perhaps a Friend’s computer or the Library, essentially any device where you just want to use it a single time. Passkeys also cover this case, how this works is if two systems support passkeys they can communicate with each other over Bluetooth to share access. Let’s look at the step-by-step walkthrough of how it works.

  • You open a website xyz.com on a Desktop where you don’t have a passkey.
  • You can use the option to sign in with passkeys on a different device.
  • Desktop will show you options for nearby available devices, or a QR code.
  • You can select the device or scan the QR.
  • After that, you can use your mobile device to authenticate yourself and allow the desktop to use the passkey from your mobile.
  • Once authenticated, you also get an option to create a passkey on the desktop without going through the registration process. If opted, you will not need the mobile device next time onwards and a new set of passkeys will be created for the desktop.
  • If you opt to use one time only, no new passkeys will be created.

Takeaways on adoption

Passkeys are based on FIDO2 standards which combine the Client to Authenticator Protocol (CTAP) with the Web Authentication API (WebAuthn) and is a joint project between the FIDO alliance and W3C. These standardization efforts aim to increase adoption and proper implementation. Native support for passkeys is added by companies like Google, Apple Microsoft at the OS and Browser level which goes a long way in encouraging the adoption of Passkeys.

Due to the long reliance on Passwords in the industry, it is not just a technical challenge to adopt passkeys but a psychological one as well.  End users may initially feel uneasy about passkeys simply because they are accustomed to the familiarity of password-based systems. Even though passkeys are safer and easier to use than passwords, comfort with the known options wins over in most cases. User education is needed for passkeys to be adopted at a large scale, questions around recovery and ease of use will be there initially.

On the other hand, companies may be reluctant to offer passkey authentication if they don’t see sufficient user adoption. In the public sector, governments can encourage adoption through policy changes.

Conclusion

Passkeys have the potential to transform the Authentication space. They are secure and easier to use. They eliminate common threats that exist with password-based authentication, however, they also bring their challenges and limitations. Recovery of accounts and portability of credentials are some questions that need to be addressed properly. I feel the next step is to use a Hybrid mode of authentication i.e. use of passkeys along with the passwords. As the adoption in the real world increases we will see more arguments being made which would be a better point to decide where to move next, before moving to an entirely passwordless future.





**

Written by radioactive | Software engineer | Reader | Writer
Published by HackerNoon on 2024/12/17
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy