What Are Passkeys? - Are Passwords Going EOL?!
We need to have a discussion. About passkeys. Because y'all have been ASKING NON STOP for me to talk about them for the past 3 months in my comments. And I get why: it can be confusing, because you have the terms passkey, password, passwordless, etc. So why are we introducing something else to this ecosystem that's already confusing? Because we need better security. And that's what passkeys give us.
Y'all, we hate passwords. For a usual login you enter your username and your password, and you're in. Hopefully that password is long and complicated, or it could be guessed or cracked by an attacker. Hopefully it's different from every other password you use, or if it's leaked from one site, someone could use it to log into your other accounts.
On top of that, you have your two-factor or multi-factor authentication options: a YubiKey hardware key, a 2FA code sent via SMS, or a 2FA app like Google Authenticator or Authy. I've covered the biggest misconceptions and questions about 2FA in a video posted late last year, but each of these adds a step after the username and password fields rather than replacing them.
YubiKeys, while used for 2FA, also have passkey support built in. I'm happy to share that Yubico is sponsoring this video, and Yubico as a company has been a leader in developing better security for the consumer and business industries, and they're actively educating folks on how to use passkeys and why this will be a better choice over what we currently have. I'll be delving into exactly how to use a YubiKey as a passkey in a future episode, but I will share some of those features in this video while explaining what passkeys are in general.
My intention with this series of videos is not only to educate myself on how they work as I research passkeys and share that info with you, but also to help people who are most at risk. I've advocated for people to use hardware keys long before the term passkey was even a thing, and long before I ever worked with Yubico. Yubico wants to push this industry forward and that's a belief I share. So you can get a head start by using my coupon code for $5 off a key: use the code SHANNONMORSE during checkout and see how YubiKeys can make security convenient and easy.
So the future is now, and it's called passkeys. Quite frankly, people are bad at password management: remembering them, saving them, not sharing them. Passwords are easy to steal, phish, or harvest from a breached site; they're a pain to use and remember, especially on mobile or smart home tech like TVs; and if you aren't using a password manager, they're easy to mistype and have to enter all over again.
So the companies in the FIDO Alliance, an open industry association focused on building better authentication standards, have been working together on this password problem. That includes companies like Apple, Google, and Yubico.
TLDR: Passkeys replace passwords. They're made to provide a faster, easier, more secure sign-in experience across websites and apps on your devices. Simply put, instead of typing a username and password into an app or website, you confirm the sign-in with the same biometric or PIN you use to unlock the device you're on. That biometric or PIN never leaves your device and the website never sees it: it just unlocks a cryptographic key stored on your device, and the device uses that key to prove to the website that it's you. It sounds confusing and I immediately had devil's advocate questions, so let's delve further.
When you, the user, go to a website and decide to enable passkeys, your device (or your hardware key, or your password manager) generates a pair of keys: a private one and a public one. The private key stays with you, on your device or in your account's keychain. The public key is sent to the website and saved on its server, alongside an ID for that credential. The public key doesn't have to be kept secret, because on its own it's only half the puzzle: the website can use it to check signatures, but it can't create one without your private key. The private key, the one stored on your device, is so private that you never see it yourself, unlike a password, so there's nothing for you to leak, reuse, or type into the wrong place. That alone makes it much harder to compromise.
So let's say you try to log in with a passkey. You send a sign-in request to the website. The website responds with a challenge: a random, single-use value it has never sent before. Your device (after you unlock it with your biometric or PIN) signs that challenge with your private key and sends the signature back. The website never gets a copy of your private key; it only gets the signed answer to that one question. It checks the signature against the public key it stored when you registered, and as long as the signature is valid and the challenge is the one it just issued, you get signed in. Because each challenge is fresh and used once, a recorded signature can't be replayed later.
Another way of looking at it: when you set up an account with a password, you send that password to the website, and it either stores it properly (salted and hashed with a slow algorithm) or it doesn't, and as users we usually hope for the best but have no idea how a website is storing our passwords. Thieves constantly target websites because a password database is a literal goldmine even when the passwords are hashed: weak or unsalted hashes of common passwords can be cracked on today's hardware in mere minutes.
Passkeys offer an alternative. Each passkey you create for each account is unique, and the public key a site stores is useless to an attacker who steals it, because it can't be used to log in anywhere. With a device-bound passkey, the private key is saved on your device and never leaves it (synced passkeys, which we'll get to, are the exception). The public key is stored on the website server. One cannot work without the other. So when you attempt a login, the website sends your device a request to high five, but your device has to agree to the high five. This use of public key cryptography isn't a new idea; what's new is pairing it with a requirement that you verify yourself to the device with biometrics, a PIN, or something similar, and standardizing it so every site and browser does it the same way.
All of this happens just as fast, if not faster, than a traditional log in and there’s nothing for you to remember or type.
So a fake site that's spoofing a real one can't trick you into signing in to it, because each passkey is bound to the domain it was created for. Your browser and device check which site is actually asking, and a lookalike domain simply has no matching passkey; there's nothing for you to "accidentally" hand over, and a phisher relaying the real site's challenge through a fake page gets no signature. There's nothing you're typing in, so keyloggers won't work, nor could someone shoulder-surf you at a coffee shop, since there isn't any plaintext password. A thief would need to steal your device AND be able to unlock it with your biometric or PIN to use the passkey, so if you're using a biometric to unlock, that would surely stop most thieves unless they're also out here stealing your face or fingerprint... ew.
That's all fine and dandy for one device, but what if you have multiple devices? If you're using a passkey with a provider like Google or Apple, that provider syncs the passkey to the other devices signed in to your account, end-to-end encrypted, so the provider's servers can't read the private key either.
But what if you want to sign in on a device that doesn't have your passkey, whether it's a new device of yours or your spouse's laptop? In that case you don't copy the key anywhere. The new device shows a QR code; you scan it with the phone that holds the passkey; the two devices check that they're actually near each other, typically over Bluetooth; and your phone asks you to approve the login and then does the signing itself. This handshake happens between the two devices, not through the server, and the server doesn't care how it happened: all it needs is the final signature, which it checks against the public key it already has. Similarly, if you use a hardware passkey, you just plug (or tap) your hardware key on the device you want to sign in on, and the key does the signing.
I know as soon as I said sync, the comments probably exploded. To be clear, every passkey is phishing resistant, synced or not, because it's bound to the site's domain. What a hardware-bound passkey, like the ones on a YubiKey, adds is that the private key can't be copied or extracted at all, so a compromised cloud account or a malware-infected laptop can't walk off with it. Cloud-synced passkeys trade some of that for convenience, since you can move from device to device and recover if one is lost. That isn't as strong as a hardware-bound key, but it can be made secure enough for an average consumer if said consumer also hardens the cloud account the passkeys live in: lock it down with biometrics or a strong device PIN, audit the devices logged in to it, and force reauthentication on anything unfamiliar. This totally depends on your threat model and your lifestyle, as some forms of security won't be convenient for everyone. In some cases a hardware key might be better if you use lots of different platforms. But if you only use Android or only use Apple, it might be more convenient to just use their cloud syncing.
And if you lose the device with the private key? Then hopefully you've set up a backup plan, like a second hardware key or a recovery account, but the security has to trickle down to those too: your hardware key should be kept somewhere safe, and your recovery account needs to be locked down just as tightly, because whoever controls it controls every account it can recover. Same rule as with hardware keys: two is one, one is none. From the FIDO Alliance: "With passkeys, as long as the user has their device, they can sign in; there is nothing to forget. Because passkeys can be backed up, they can be better protected from loss."
Of course, this new authentication method is still in its infancy, so there are plenty of sites and devices that still don't support it. Where that's the case, falling back on the best options we have, like a YubiKey for 2FA, an authenticator app, and a password manager that generates strong unique passwords, is still the way to go.
If you think all of this sounds familiar, that's because it is: under the hood, passkeys are FIDO2 credentials, the same WebAuthn standard browsers use to talk to websites plus the CTAP protocol browsers use to talk to hardware keys. And if you've bought a YubiKey in recent years, it already has this functionality built in, since 2018. So you can use your YubiKey to store device-bound passkeys, holding the private FIDO2 credentials for up to 25 accounts, though Yubico has said they are evaluating increasing this in the future.
So now that we know how passkeys work and how they're being implemented, what questions do you have? I'd love to delve deeper into this topic with some tutorials, maybe? Let me know if this is something you'd enjoy below!
Thanks for watching, bye y'all!