Introduction
- You may think that there's no need for this course after seeing headlines like the following:
  - Passkeys may not be for you, but they are safe and easy -- here's why,
    answering common questions about how passkeys work; Ars; 5/12/2023
  - Embrace the Passwordless Future of Passkeys; LH; 5/9/2023
  - Everything to Know About Passkeys for a Password-Free Future; NYT; 1/11/2023
  - Why Passkeys Will Be Simpler and More Secure Than Passwords; TB; 6/27/2022
  - A Big Bet to Kill the Password for Good; Wired; 3/17/2022
Passkeys
- Passkeys (aka 'multi-device FIDO credentials') authenticate you safely with a web service
  - you unlock them locally with biometrics (fingerprint or iris scanners, voice or facial recognition)
    or the PIN/password of the device that holds them: phone, laptop, USB security token, smart card
  - the biometric never leaves the device; the site receives only a public key at sign-up
    and, at each sign-in, a signature over a fresh challenge it issued
- FIDO2 is a very secure standard, and interoperable across devices;
  it combines -- warning: geek speak!:
  - FIDO ("Fast IDentity Online") Alliance's Client to Authenticator Protocol 2 (CTAP2)
  - World Wide Web Consortium (W3C)'s Web Authentication (WebAuthn) standard
- Benefits:
  - convenient: use biometric or device authentication with sites instead of a password
  - secure: the client doesn't send a password and sites don't store passwords -- no password-database breaches;
    each passkey is bound to the site's origin, so a look-alike phishing site can't use it
  - standard: tech giants, e.g., Apple, Google, and Microsoft, are starting to introduce passkey support;
    e.g., Apple supports passkeys in iOS/iPadOS 16+, macOS 13+ (Ventura, Sonoma), watchOS 9+
  - interoperable: passkeys are synced to whatever cloud storage method your device uses,
    such as iCloud Keychain on Mac and iPhone or Google Password Manager on Android and ChromeOS
- Drawbacks (current):
  - device PIN: your passkeys could be accessed if someone has/guesses your device's weak PIN/password
  - site support: limited number of web sites: passkeys.directory
  - mixed platforms/ecosystems: e.g., Apple, Microsoft and Google;
    transferring credentials between different device families may not work smoothly (or at all)
  - older devices/OSes: you'll still need passwords if passkeys are unsupported
  - missing/lost device, unrecognized biometric, sharing with a friend: you'll still need a password
  - biometric spoofing: e.g., attackers can bypass fingerprint authentication with an ~80% success rate
    via fake fingerprints, if enough login attempts are allowed (only high-profile targets need worry?)
  - government intrusion: you can be compelled to provide something you have: biometrics, device.
    You currently can refuse to reveal something you know: PIN, password;
    US courts have interpreted the Constitution's 5th Amendment (self-incrimination) differently;
    the Electronic Frontier Foundation (EFF) recommends using a PIN instead of biometric unlocks
    for your device if you're concerned about potential legal (or illegal) access by law enforcement.
Biometrics
- Even without passkeys, you can already use a fingerprint or face scan as a convenient shortcut,
  or to augment Multi-Factor Authentication (which we'll cover at the end)
- For now, you still need a strong passcode
  for initial setup, after updates / restarts, and as a fallback.
- Require passcode: periodically (set timeout preference), or immediately (after power off).
  - iOS: Settings > Touch ID & Passcode (or Face ID & Passcode) > Require Passcode: Immediately,
    or After ___ minutes/hours
  - When travelling (esp. internationally) or leaving the device unattended, unlike macOS,
    there's no iOS 'Lock Screen' menu command to force a passcode prompt upon next wakeup.
  - Besides actually powering down the iPhone/iPad, other ways to require the passcode at the next unlock:
    - hold the side (or top) button together with a volume button until the power-off slider appears,
      then cancel; Touch ID / Face ID stays disabled until the passcode is entered
    - five unrecognized biometric attempts, e.g., using a finger different from the ones
      used to train Touch ID
- Fingerprint sensor, e.g., Apple Touch ID: Accuracy? Strength? Injured digit? Gloves?
  - If compromised, you can't change it. Spoofed?
  - video: Use Touch ID to unlock 1Password on your iPhone or iPad
- Facial recognition, e.g., Apple Hardware Security & Biometrics: Face ID: Accuracy? Strength? Face mask?
  If compromised, you can't change it. Spoofed?
- Is the vendor storing your biometric data, and how securely?
- Allow 1Password (or another password manager) to open your password vault with biometrics?
  Is it as strong as your primary password (and your device password)? -- security vs. convenience tradeoff
- Safer Internet: Browsing: Protect Passwords: Biometrics, Fingerprints, Facial Recognition; Passkeys
Other Options
- When applicable/available, passkeys are a huge security improvement over many users' poor password practices
- Some related current approaches are discussed under Storage: Apple Keychain, Single Sign-on
- However, a good password manager (PM) can provide these and other benefits today
  while providing a transition to tomorrow:
  - central password: the password for the encrypted vault can be much stronger than any device PIN/password
  - secure, universal: works on all sites
  - passkeys: included in newer PMs, e.g., 1Password
  - interoperable: works across different platforms and on older OSes
  - other info: store and fill in, e.g., credit cards, personal info, etc.
- 1Password is finally rolling out passkey management:
  save passkeys and synchronize them across devices and platforms; Verge; 5/16/2023
- The Best Password Managers to Secure Your Digital Life, with some discussion of passkeys; Wired; 3/27/23
- We'll cover password managers more in upcoming sections.