My Thoughts on Passwords
In application security, passwords are a persistent weak point. However strict an application's password rules are, a password still has to be remembered and typed by a human, and that constraint is what makes it weak. People now use dozens of applications, and nobody can remember a distinct strong password for each of them; many users end up resetting passwords for services they have not opened in a while.
Worn down by managing so many passwords, people fall back on short, memorable passwords or, worse, reuse the same password across many applications. Special-character requirements, now standard almost everywhere, have not changed this. The damage compounds when a company with weak security practices is breached and its users' passwords leak: a reused password then unlocks every other account that shares it (credential stuffing). That is about the worst outcome a password system can have.
Even users who follow best practice, with a different password for every application and the required special characters, are not safe. Leaked password hashes are attacked offline at billions of guesses per second, and the patterns people use to satisfy complexity rules (a capitalised word, a digit, a trailing symbol) are exactly what cracking tools try first. A password that resists such attacks has to be long and random, a generated string of sixteen or more characters, and nobody can memorise one of those for every site. Password managers such as 1Password handle this, but they are mostly adopted by developers and other security-conscious users; most people will not pay for or set up such a tool.
Seen critically, requiring a password shifts the burden of security onto the user. Many companies now add federated login (OAuth/OpenID Connect), one-time passwords (OTP) and multi-factor authentication (MFA), but a great many applications still rest on a password.
Passkeys
Passkeys are a passwordless authentication method built to remove the problems of traditional passwords. A passkey is a public/private key pair generated on the user's device. The user unlocks it with the device's screen lock (biometric or PIN), and the device proves possession of the private key to the server with a digital signature, so there is no password to remember or to type.
Since the mere presence of a password hurts an application's user experience (UX), passkeys are an attractive option that improves both security and convenience. By replacing the password they remove most of the failure modes of password management: weak choices, reuse, constant resets, and leaked credential databases.
A passkey is bound to the site (the relying party ID) it was registered for, and the browser will not offer it to a lookalike domain, so the relay-style phishing that defeats SMS-based OTPs does not work against it. Because passkeys follow a public standard (FIDO2/WebAuthn), a site implements them once, and the user's platform can sync the same passkey across that user's devices. This makes passkeys a strong modern option for robust security with a smooth UX.
Benefits for Users
- Users can simply select an account to log in without needing to enter additional information, leading to a better UX.
- Users can authenticate using their device's screen lock feature (fingerprint, facial recognition, PIN), making the process convenient.
- Once registered, a passkey synced through the user's platform account is available on that user's other devices without further setup; a passkey held on a single device can still sign the user in on another device through the cross-device flow described below.
Benefits for Developers
- Because the private key stays on the user's device and the server stores only the public key, a breach of the server yields nothing an attacker can log in with and no password hashes to crack offline, which simplifies incident response.
- A passkey is bound to the relying party (domain) it was registered with and is never offered on any other site, so users cannot be tricked into using it on a phishing page.
- They remove the need for SMS-based verification, which cuts cost, and a passkey with user verification (biometric or PIN) already combines possession of the device with something the user knows or is, so it can serve as a strong second factor or as the sole factor.
Passkey Creation Process
https://www.youtube.com/watch?v=lZXGXxZIMTU
- Click the Create Passkey Button: Start by clicking the button to create a passkey for the user account you’re logged into.
- Review the Information Stored in the New Passkey: Check the details that will be stored in the new passkey.
- Generate and Register the Passkey: Use your device's screen lock (e.g., fingerprint, facial recognition, PIN) to generate and register the passkey.
- Authenticate Using the Passkey: From this point on, the passkey can be used for authentication.
Passkey Usage Process
https://www.youtube.com/watch?v=6GMDhF1eQOQ
- Focus on the Input Field in the Application: Begin by selecting the input field in the application where you want to log in.
- Choose the Passkey from the Prompt: The browser lists the available passkeys in a modal dialog or an autofill suggestion; pick the one for the account you want.
- Authenticate Using the Device’s Screen Lock: Complete the authentication by unlocking your device using your screen lock method.
How Passkeys Work
Passkeys are designed to operate through the infrastructure of the operating system. On Android, for instance, passkeys are stored in, and synced by, Google Password Manager. If a user is signed into the same Google account on several devices, the platform treats them as the user's devices and synchronizes the passkeys across them.
Even when a device is not synchronized, a passkey can still be used as long as the two devices are near each other. The device being signed into shows a QR code; the device that holds the passkey scans it, proximity is confirmed over Bluetooth, and the passkey holder performs the signature that completes the login on the other device.
Passkeys follow the FIDO Alliance's FIDO2 standard and the W3C WebAuthn API, which all major browsers support.
Cross-device passkey authentication
https://www.youtube.com/watch?v=ywQ8bFla-L8
Authentication Method
- Authentication Request: The user's browser asks the server to start a login.
- Server Response: The server replies with a fresh random challenge and its relying party ID, and the browser hands these to the device's authenticator.
- User Intent Confirmation: The authenticator asks the user to pass the screen lock, confirming that the user really intends to log in.
- Signing the Request: The authenticator signs the challenge together with the relying party data and the client data (origin included) using the private key, and the browser sends the signed result back to the server.
- Signature Verification: The server checks that the challenge is the one it issued and that the origin is its own, then verifies the signature with the stored public key.
- Successful Authentication: If every check passes, the authentication succeeds and the user is logged in.
Overview of Public Key Cryptography
Public key cryptography uses two mathematically linked keys: a private key and a public key.
- Private Key: Used to decrypt data that was encrypted with the matching public key and to create digital signatures. It must be kept secret, since whoever holds it can decrypt and sign.
- Public Key: Used to encrypt data for the holder of the private key and to verify digital signatures created with it. It can be freely distributed because it can neither decrypt data nor produce signatures.
This two-key system is called asymmetric cryptography because it uses a pair of keys instead of a single shared key. Passkeys use only the signature half of it: the authenticator signs with the private key, the server verifies with the public key, and nothing is encrypted.
References
https://developers.google.com/identity/passkeys
https://passkeys.dev/docs/use-cases/bootstrapping/