The Rise of Passkeys

Last week was World Password Day. Yet none of the events and announcements to mark the day mentioned passwords. All the discussion was about the technology that technology firms believe can replace passwords: passkeys.

Security professionals and big tech companies have been trying to get rid of passwords for many years. Poor password hygiene has long been the weakest link in online security. Extensive lists of commonly used passwords circulate the dark web, with new security breaches regularly added to that list. In the battle between users and hackers, the bad guys are winning, with reused passwords as their trump card.

A Question of Hygiene

Password managers are widely used among more tech-savvy users as well as in business contexts. Many less technical users maintain an offline list of passwords instead of using a LastPass or 1Password type service. Keeping a physical notebook full of passwords is particularly common among older users. Such solutions do significantly improve password uniqueness and complexity, even if they introduce other problems, not least the risk of losing access to whatever password management solution is in place.

Ultimately, maintaining good password hygiene is hard. We're required to create new accounts for numerous services - I have over a hundred saved to my password manager - and are expected to create a unique password for every website. It's simply not possible to remember all those passwords, and not everyone is willing to trust a password manager. As such, password reuse is rampant because many people have simply decided they won't try to maintain basic hygiene.

Existing Solutions

Faced with a losing security battle, tech firms have concluded that the only solution to password reuse is to eliminate passwords entirely. The replacement technology is called passkeys and follows similar principles to the public key infrastructure (PKI) technology long used by SSH connections and server authentication. Passkeys are an attempt to create a user-friendly version of PKI technology, with the passkey in effect being a private key used to authenticate with an online service.

In a traditional PKI scenario, users are given a private key file that needs to be stored securely on their device. This file is then shared with the remote server whenever the user needs to authenticate their connection. Passkeys merely hide the key file from the end user, storing it in the device's cryptographic keychain before retrieving it whenever the user logs in to the relevant website. This transparency reduces the likelihood of a successful phishing attack because it is the device that selects the applicable private key to use for authentication rather than the user.

Fear of the Unknown

Many early adopters have questioned the security and user experience of passkeys. This is often due to a lack of familiarity with key-based authentication. These are concerns that are more pertinent to technical users, who typically expect to understand how any new service works. Less technical users don't expect to understand the details and will be happier with the high-level concept. Technology firms have started pitching passkeys as a way of signing in to online services using a mobile device - conceptually it's an extension of iCloud Keychain type experiences. That's an approach which is simple at a high-level, but is more complicated at a technical level.

Indeed, Microsoft users have been using passwordless login for several years, including among both personal and corporate accounts. They did this by extending the number matching process in their Authenticator app so that it could be used for initial login as well as for second-factor verification. As a result, they've received very little pushback from users since their rollout of passwordless authentication, although there was plenty of scepticism when it was initially announced.

Lock-in

However, there are two common concerns with passkeys that are less easy to dismiss. The first of these questions relates to cross-device usage. At the moment, there is very limited cross-platform support for passkeys. Like many users, I regularly use a mix of Android, Apple and Windows devices - indeed, this article was partially written and edited across all three platforms. However, passkeys are generated and stored within the device they're created on. Apple and Google sync passkeys between devices within their ecosystems, using either Apple Keychain or Google Password Manager. However, that's not helpful if you're constantly switching between different OS ecosystems.

Thankfully, the leading password managers have been able to provide a solution. Third-party password managers such as 1Password or Bitwarden can store passkeys and share them across devices in place of the device's native keychain. That not only provides a valuable service for end users, but it also guarantees a future for password managers in a post-password environment.

Fallback

The second problem with passkeys is not so easy to solve. It concerns the question of lost or stolen devices. Passkeys make sense to people because they use the fact you're logged in on one device to access sites on any device. That works well until you lose your phone. Suddenly, you have no way to access your passkeys - at least not until you login to another phone using the passkey saved on another device. For people who use multiple devices, that isn't a problem. It is very much a problem for people such as my parents and the vast majority of non-technical folk who only own one mobile device. When these people lose their phone, they simply aren't able to access their passkeys until they've finished setting up a new phone.

Big tech firms have yet to find a satisfactory solution to the lost device problem. At the moment they're falling back to using passwords and SMS-based MFA. That's far from ideal because it keeps open the security holes that passkeys are designed to resolve. There will always be a weak link in any security model, but if passkeys aren't actually removing passwords from security infrastructure, then they're not really improving the security situation. They are more convenient, as people won't need to use passwords as often. The key to successfully adopting passkeys is to eliminate passwords entirely, but that will take time.