Passkeys Proposed as Alternative to Traditional Passwords
/ 4 min read
Quick take - Passkeys, or discoverable credentials, are proposed as a modern alternative to traditional passwords for online security, utilizing public key cryptography to enhance security and reduce phishing risks, but their widespread adoption may be hindered by usability challenges and concerns regarding the initial authentication process.
Fast Facts
- Passkeys, or discoverable credentials, are a proposed alternative to traditional passwords, aiming to enhance online security and reduce phishing attacks through the WebAuthn specification by W3C.
- They utilize public key cryptography, where users create a unique private/public key pair for each website, with the public key stored by the site and the private key kept on the user’s device.
- Passkeys offer unique credentials for each site, reducing risks associated with password reuse and accidental use on fraudulent sites, but initial authentication may still rely on traditional passwords.
- There are two implementations of passkeys: hardware-bound keys (e.g., USB tokens) and cloud-based credential synchronization via password managers, each with distinct security implications.
- Usability challenges and inconsistent experiences during implementation may hinder widespread adoption of passkeys, necessitating improvements in user experience to avoid failure similar to past technologies like PGP.
Passkeys: A Modern Alternative to Passwords
Passkeys, also known as discoverable credentials, are being proposed as a modern alternative to traditional passwords in online security. These credentials are defined by the Web Authentication (WebAuthn) specification, developed by the World Wide Web Consortium (W3C). The primary goal of passkeys is to enhance security and reduce phishing attacks, contingent upon widespread adoption.
Development and Security Approach
The development of passkeys is influenced by prior initiatives from the FIDO Alliance, which emphasizes a systems approach to security. This approach focuses on the user’s interactions with the authentication system. Central to the concept of passkeys is the utilization of public key cryptography. In this model, users create a private/public key pair unique to each website. The public key is stored by the website, while the private key is securely retained on the user’s device. During authentication, the website issues a challenge that the user must respond to using their private key, with the public key serving to verify the user’s identity.
One significant advantage of passkeys is their uniqueness to each site. This helps prevent accidental use on fraudulent sites and mitigates the risks associated with password reuse. However, concerns remain regarding the initial authentication process, which often still relies on traditional password methods that may be vulnerable to attacks. To bolster security during this initial phase, multi-factor authentication (MFA) is recommended.
Implementations and Usability Challenges
There are two primary implementations of passkeys. One binds the key to specific hardware, such as USB keys like Yubikey. The other allows for credential synchronization across multiple devices via password managers. Hardware tokens significantly reduce the risk of phishing attacks due to the necessity of physical access to the credential. However, the cloud-based nature of many password managers can introduce vulnerabilities if compromised. The security of these password manager implementations can vary widely, with some exhibiting notable design flaws that could jeopardize user safety.
Usability issues have also been raised regarding passkeys. Personal experiences have highlighted confusion during processes like adding a passkey to a WordPress.com account. Users encountered inconsistent terminology and options across multiple software systems, leading to frustration. This raises an important consideration for passkeys and the WebAuthn specification: a balance between security and usability is crucial for widespread acceptance.
The Future of Passkeys
The aim of passkeys and the WebAuthn specification is to make public key cryptography accessible to non-technical users. This is achieved through a well-defined API that supports various authentication devices for managing key pairs. However, without significant improvements in user experience, there is a risk that passkeys may not gain the traction needed for widespread adoption. They could end up resembling earlier, less successful technologies like PGP (Pretty Good Privacy).
Original Source: Read the Full Article Here
