P@s$w0rdz: Passkeys -- No More Passwords?



Introduction

[Image: thumbprint -- "kesannya" via Wikimedia Commons, licensed under CC0 1.0]

Passkeys

  • Passkeys (aka 'multi-device FIDO credentials') authenticate you safely with a web service
      • using biometrics: fingerprint and iris scanners, voice and facial recognition
      • or other devices: phone, laptop, USB security tokens, smart cards
  • FIDO2 is a very secure standard, and interoperable across devices;
    it combines -- warning: geek speak!:
      • FIDO ("Fast IDentity Online") Alliance's Client to Authenticator Protocol 2 (CTAP2)
      • World Wide Web Consortium (W3C)'s Web Authentication (WebAuthn) standard
  • Benefits:
      • convenient: use biometric or device authentication with sites instead of a password
      • secure: the client never sends a password and sites never store one -- no password-database breaches
      • standard: tech giants, e.g., Apple, Google, and Microsoft, are starting to introduce passkey support;
        e.g., Apple supports passkeys in iOS/iPadOS 16+, macOS 13+ (Ventura, Sonoma), watchOS 9+
      • interoperable: passkeys are synced to whatever cloud storage method your device uses,
        such as iCloud Keychain on Mac and iPhone or Google Password Manager on Android and ChromeOS
  • Drawbacks (current):
      • device PIN: your passkeys could be accessed if someone has/guesses your device's weak PIN/password
      • site support: limited number of web sites: passkeys.directory
      • mixed platforms/ecosystems: e.g., Apple, Microsoft and Google;
        transferring credentials between different device families may not work smoothly (or at all)
      • older devices/OSes: you'll still need passwords if passkeys are unsupported
      • missing/lost device, unrecognized biometric, sharing with a friend: you'll still need a password
      • biometric spoofing: e.g., Attackers can bypass fingerprint authentication with an ~80% success rate
        via fake fingerprints, if enough login attempts are allowed (only high-profile targets need worry?)
      • government intrusion: you can be compelled to provide something you have: biometrics, device.
        You currently can refuse to reveal something you know: PIN, password;
        US courts have interpreted the Constitution's 5th Amendment (self-incrimination) differently;
        the Electronic Frontier Foundation (EFF) recommends using a PIN instead of biometric unlocks
        for your device if you're concerned about potential legal (or illegal) access by law enforcement.
[Image: iris -- "Multi-factor Authentication" by future.agenda, licensed under CC BY-NC-SA 2.0]

Biometrics

  • Even without passkeys, you can already use a fingerprint or face scan as a convenient shortcut,
    or to augment Multi-Factor Authentication (which we'll cover at the end)
  • For now, you still need a strong passcode
    for initial setup, after updates / restarts, and as a fallback.
  • Require passcode: periodically (set timeout preference), or immediately (after power off).
      • iOS: Settings > Passcode > Require Passcode: Immediately,
        or After ___ minutes/hours
      • When travelling (esp. internationally) or leaving a device unattended, unlike macOS,
        there's no iOS 'Lock Screen' command to force a passcode prompt upon next wakeup.
      • Besides actually powering down the iPhone/iPad, another way to require a passcode:
        ~4 unrecognized fingerprint attempts, using a finger different from the ones used to train Touch ID.
  • Fingerprint sensor, e.g., Apple Touch ID: Accuracy? Strength? Injured digit? Gloves?
      • If compromised, you can't change it. Spoofed?
      • video: Use Touch ID to unlock 1Password on your iPhone or iPad
  • Facial recognition, e.g., Apple Face ID (see Apple Hardware Security & Biometrics): Accuracy? Strength? Face mask?
      • If compromised, you can't change it. Spoofed?
  • Is the vendor storing your biometric data, and how securely?
  • Allow 1Password (or other password manager) to open your password vault with biometrics?
    Is it as strong as your primary password (and your device password)? -- security vs. convenience tradeoff
  • Safer Internet: Browsing: Protect Passwords: Biometrics, Fingerprints, Facial Recognition; Passkeys

Other Options

  • When applicable/available, passkeys are a huge security improvement over many users' poor password practices
  • Some related current approaches are discussed under Storage: Apple Keychain, Single Sign-on
  • However, a good password manager (PM) can provide these and other benefits today
    while providing a transition to tomorrow:
      • central password: the password for the encrypted vault is stronger than any device PIN/password
      • secure, universal: works on all sites
      • passkeys: included in newer PMs, e.g., 1Password
      • interoperable: works across different platforms and on older OSes
      • other info: store and fill in, e.g., credit cards, personal info, etc.
  • 1Password is finally rolling out passkey management:
    save passkeys and synchronize them across devices and platforms (Verge, 5/16/2023)
  • The Best Password Managers to Secure Your Digital Life: some discussion of passkeys (Wired, 3/27/23)
  • We'll cover password managers more in upcoming sections.