Exploring The Growing Movement Towards A Password-Less World
In a noteworthy announcement last May, Apple, Google, and Microsoft indicated their support for the FIDO Standard for passwordless authentication and announced plans to keep evolving their capabilities to implement this standard.
While third-party solutions have been proposed in the past to strengthen authentication, this announcement has shown a willingness by major players to come together and standardize a solution that deserves a closer look.
So far, Passkey authentication has been adopted by a handful of companies, with Github, Paypal, and WordPress being some of the major ones. Support has slowly been growing, and the resulting awareness should promote this approach as the default authentication mechanism for many cloud-based applications that seek a more secure and user-friendly sign-in process.
This article explores the basic concept of Passkeys, how they work, and the problems they attempt to solve. Also discussed will be the current state of the technology and design and planning considerations to support Passkeys.
The Problem With Passwords
The username and password dialog has been a familiar sight on websites, apps, and various services since the dawn of the internet. Despite regular breaches, little has been done to fix the inherent vulnerabilities of this mechanism.
Best practices like creating strong passwords, frequently changing passwords, and keeping them unique are rarely followed by most users unless it is enforced by company policy for their employees. Security policies on personal accounts, such as banking, social media, etc., are often poorly enforced.
Additional layers of security like MFA or password managers come at the expense of inconveniencing users or presenting additional risks. As the recent breach at LastPass has shown, using password managers that store all your sensitive data in the cloud can lead to trading security for convenience.
Social engineering attacks have become more sophisticated and can lure targets into divulging sensitive information like OTPs, which can be used to log in to their accounts remotely.
Phishing attacks have also increased exponentially, with malicious actors constantly devising newer phishing scams. While some third-party security services can warn users, a default verification method does not exist to prevent these attacks. For example, browsers like Chrome and Firefox often warn us of malicious websites. Spam filters are also getting better at detecting phishing emails. There are, however, still a few instances of phishing attempts that slip through undetected.
Reusing passwords across different services is a common practice and leads to credential stuffing with attackers using previously known passwords to attempt logging into other websites. Reusing passwords is a difficult problem on the backend, as developers cannot detect these instances.
Besides poor user behavior regarding security practices, the other major problem is a lack of awareness among development and infrastructure teams, leading to practices like insecure storage of passwords. There have been cases of passwords not being hashed and encrypted at rest, which results in database breaches exposing sensitive information for thousands of users. Storing backups with third-party vendors that do not follow required security guidelines is another cause for significant security breaches.
The risks posed by passwords continue to be a major overhead to deal with in any organization's cybersecurity policy.
So What Are PassKeys?
The FIDO Alliance was launched in 2012 by Paypal, Lenovo, and other companies to promote open standards for passwordless authentication.
FIDO, which stands for Fast IDentity Online, has since grown with
Google, Microsoft, Samsung, and many big companies join and contribute to the specification's development.
As mentioned earlier, the commitment by these companies to the standards proposed by FIDO marks a significant milestone and the beginning of a joint effort to shift away from the current over-dependency on passwords.
Passkeys describe an approach to replace passwords by utilizing the hardware capabilities of a user's device to authenticate the user to a remote service. It uses public-key cryptography, stable and secure technology to store and exchange authentication information with an online service and establish user credentials.
The platform on the user's device handles the authentication transaction on the user's behalf and establishes the authenticity of the remote service requesting the authentication.
The below screenshots are from a PassKey demo website set up by Hanko.io that readers can try out for themselves.
Readers may be familiar with other solutions like Yubikey that also use their own implementation of the FIDO standard. Passkeys effectively use the existing hardware on user devices instead of third-party hardware like Yubikeys.
Users are already familiar with features on their devices like Face ID for iPhones, Windows Hello, and Google Password Manager, which use biometrics like facial recognition or a fingerprint to identify the device owner. Online services can now request the platform, for example- the Chrome browser, to authenticate the user without the need to enter a unique password.
It should be noted that the user's biometric information or any sensitive data like pin codes they enter are not sent to the remote service, also called a relying party.
The initial account creation using Passkeys requires provisioning a public-private key pair that provides the public key to the relying party for authentication. The user's device stores the remote service name, username, and key information locally and uses this data for future authentication requests.
This approach will be familiar to developers who have been using public keys to authenticate their SSH clients to remote servers. AWS, Github, and other primary infrastructure services recommend this best practice.
Things To Consider Before Adopting PassKeys
As expected, this approach provides several advantages over passwords.
Users do not need to remember passwords for every website, app, or online service they use.
The risk of phishing attacks is avoided as the user's device verifies that the request originates from an authentic service provider. For example, the user's device can examine the HTTPS certificate to determine that the request is coming from www.mybank.com and will reject any request from www.maliciousbank.com.
The Passkey standard can even enforce sub-domain level access and allows the relying party to provide access to only a single subdomain(example: accounts.mybank.com). All other sub-domains are blocked from requesting access.
The user's device creates a separate set of credentials for each online service, ensuring no duplication of keys.
Attackers cannot spoof the user from a remote device as the online service requires the keys on the user's device to authenticate. This negates any attempts to social engineer access to a resource from a remote location.
A server breach will not expose any passwords. In the event of a leak, the public keys cannot be used to login into a different domain.
There are still some corner cases being worked on that should be considered.
One primary requirement has been the ability for a user to log in to a service across multiple devices. Currently, users can sync accounts across Android and Chrome on Windows devices. Apple is working towards providing cross-compatibility with Google and Windows platforms.
Losing or damaging a device can result in a temporary loss of access for the user. The current approach is to re-authenticate the user on a different device using MFA, which can be cumbersome for multiple accounts.
A malicious actor can breach a server and wipe out the store of public keys, effectively launching a Denial of Service attack. Development teams must ensure secure backups can be deployed with minimal disruption.
Currently, syncing Passkeys across devices can be accomplished by storing the keys on a cloud backup which does pose a security risk. Workarounds include creating separate passkeys for each device and pairing the passkey with a unique device key for an additional layer of security. An alternate approach uses Bluetooth to sign into a new device from an already authenticated device in near proximity.
Passkeys can vastly strengthen the security of your systems as well as improve user-friendliness. Implementing Passkeys in your web application can be challenging as developers are still learning about this technology. Open-source libraries have been developed by Microsoft, Google, and Apple, among others, to provide the APIs for integrating Passkeys into your applications. Besides the learning curve, a strategy must be discussed to securely sync and store public keys, handle lost keys, educate users about using Passkeys, and determine if your system will continue supporting password authentication in parallel with PassKeys.
Passkeys and other critical security measures should be part of a multi-faceted cybersecurity policy. The organization should have a comprehensive approach to cybersecurity that ensures system hardening, monitoring, threat detection, and mitigation are well integrated into all processes and systems. Read more about RingStone’s work in the cybersecurity space here.
About the Author
Ashwin Ala has spent over 15 years leading the design and development of software systems on various platforms at enterprise and startup levels. As a senior practitioner at RingStone, he primarily conducts technical due diligence evaluations in the United States. Ashwin has worked in different domains, from critical infrastructure software projects, healthcare products, and accounting packages to home networking apps and gaming platforms. His expertise includes cloud solutions design, data analytics, agile delivery practices, and offshore team management. He holds a Master's in Engineering from San Jose State and certifications in Scrum and Secure Coding Practices.
Contact Ashwin at email@example.com