Yesterday, unexpectedly, my personal Google account suggested using passkeys for login. This is great news, as passkeys are a game-changer for cyber security: they could be the solution to one of the biggest headaches in the field, password use.

The problem with passwords.
For decades, we have struggled with passwords as an authentication tool. Conceptually, they are a very weak foundation for digital security, and using them is far more prone to abuse than most people realize. The intense use of digital applications forces users to juggle hundreds or even thousands of passwords, and human behaviour leads to poor practices: password re-use increases the risk of a broad breach when criminals steal a single password, and requirements for longer, more complex passwords are circumvented by people keeping a paper list of them. The universal use of authentication for a wide array of personal and business applications has created a situation where, to stay secure, a password manager and multi-factor authentication (MFA) are indispensable for critical services.
According to Google Cloud’s 2023 Threat Horizons Report, 86% of security breaches involve stolen credentials. IBM estimates the global average cost of a security breach was $4.45 million in 2023.
So how can we, in a structural way, eliminate the dangers of a single password per service and rely on something more resilient, for both our personal and professional digital lives?
Why passkeys are a game-changer.
Created in 2013, the FIDO (Fast IDentity Online) Alliance paved the way in 2018 for the introduction of FIDO2 keys. The size of a USB stick, they safely store a certificate and allow authentication on any kind of device (laptops, smartphones, etc.). The best-known product leveraging this technology is the YubiKey, to the point that such keys are often simply called YubiKeys. These products have a good reputation and reasonable adoption among users and institutions aware of the dangers of passwords.
But while this kind of key offers one of the best protections available on the market, the need to buy and manage a separate token is a showstopper for many individuals, even though they use passwords every day. Passkeys offer a much better alternative.
So, why am I so enthusiastic about passkeys? Because they solve all the issues associated with passwords for both security professionals and everyday users.
Here’s how passkeys shine:
- Enhanced Security: Passkeys are resistant to phishing and brute-force attacks. They are complex in structure and length and cannot be guessed.
- Privacy: The private key never leaves the user’s device, reducing the risk of theft.
- Convenience: No need to remember complex passwords.
What exactly are passkeys?
Do not confuse passkeys with passphrases. Passphrases, like passwords, are secrets you need to remember and enter manually. They are just longer passwords. Passkeys, however, are fundamentally different.
Passkeys rely on asymmetric cryptography, meaning they consist of:
- A Private Key: Securely stored on the user’s device.
- A Public Key: Shared with the server to verify the user’s identity.
- A Challenge-Response Mechanism: Used to authenticate the user without exposing the private key.
Here is a simplified description of the logon process.

The private key is the crucial element to secure. It is often stored in a password vault or, even better, in the TPM chip of your computer. Any modern smartphone or computer offers a way to securely store a private key, which makes passkeys straightforward to use. As a fallback, password managers offer a reliable storage solution.
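To make the challenge-response mechanism concrete, here is a small simulation of registration and login, written for this article as an added example (it is not code from the original post, nor a WebAuthn library). It models two parties from the list above: an authenticator that keeps the private key and only ever exports the public key, and a relying party (the server) that stores public keys and issues fresh random challenges. The signed message binds the challenge to the relying-party identifier the browser observed, which is a simplified stand-in for the real WebAuthn authenticator data and client data; the names `Authenticator`, `RelyingParty` and `Demo` are this example's own. The `Demo` function also illustrates the two security claims made earlier: a signature cannot be replayed because each challenge is single-use, and a lookalike domain cannot obtain a usable signature because the credential and the signed digest are both scoped to the real domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device (TPM, Secure Enclave, password
// manager): private keys are created here and never leave.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // keyed by relying-party ID (rpID)
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a P-256 key pair scoped to rpID and returns only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for rpID. The authenticator refuses if it holds no
// credential for that rpID, and the digest it signs includes the rpID, so a
// lookalike site only ever gets a signature bound to its own name.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
}

// RelyingParty models the server: public keys per user, one pending challenge per user.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) StorePublicKey(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that are valid for exactly one login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature over (rpID, pending challenge) and consumes the
// challenge, so presenting the same signature twice fails.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	challenge, pendingOK := rp.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, assertionDigest(rp.ID, challenge), sig)
}

// assertionDigest is this example's simplified equivalent of hashing the
// WebAuthn authenticator data and client data: rpID || 0x00 || challenge.
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Demo runs a genuine login, a replay of its signature, and a phishing relay
// through the constructed lookalike domain examp1e.com.
func Demo() (genuineOK, replayRejected, phishRejected bool, err error) {
	auth := NewAuthenticator()
	rp := NewRelyingParty("example.com")

	pub, err := auth.Register(rp.ID) // only the public key crosses the wire
	if err != nil {
		return
	}
	rp.StorePublicKey("alice", pub)

	c1, err := rp.NewChallenge("alice")
	if err != nil {
		return
	}
	sig1, err := auth.Sign(rp.ID, c1)
	if err != nil {
		return
	}
	genuineOK = rp.Verify("alice", sig1)
	replayRejected = !rp.Verify("alice", sig1) // challenge already consumed

	// Phishing relay: the lookalike forwards the real challenge, but the
	// authenticator has no credential for examp1e.com ...
	c2, err := rp.NewChallenge("alice")
	if err != nil {
		return
	}
	_, scopeErr := auth.Sign("examp1e.com", c2)
	// ... and even a credential created at the lookalike signs a digest bound
	// to that name, which example.com rejects.
	if _, err = auth.Register("examp1e.com"); err != nil {
		return
	}
	sigPhish, err := auth.Sign("examp1e.com", c2)
	if err != nil {
		return
	}
	phishRejected = scopeErr != nil && !rp.Verify("alice", sigPhish)
	return
}

func main() {
	g, r, p, err := Demo()
	fmt.Println("genuine login:", g, "replay rejected:", r, "phishing rejected:", p, "err:", err)
}
```

The essential design point is that the server never receives anything it could reuse elsewhere: it holds a public key, sees a one-time challenge and a signature, and a leaked server database yields nothing that lets an attacker log in as the user.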
Built on open standards.
Passkeys are based on open standards developed by the FIDO Alliance. Security keys like YubiKey are also based on those standards. However, earlier versions required buying a physical key and were often complicated to initialize. For companies, the cost of buying and managing large numbers of physical keys was also a barrier.
Modern passkeys no longer require a token but can be installed as software. Together with the widespread adoption of MFA, they offer a truly passwordless solution, compatible with state-of-the-art devices, and therefore easy to obtain and install.
For both personal and corporate use.
Tech giants like Google, Microsoft, Apple, Amazon, and Meta are now adopting passkeys. For users, logging in will be as simple as validating the connection on their phone, using a PIN or biometric authentication.
For companies, passkeys and FIDO standards represent an opportunity to enhance security by reducing the risks associated with traditional password use and implementing a passwordless strategy. Passkeys are easy to use, easy to deploy, cost-effective, and robust. All major cloud vendors provide guidance on implementing passkeys or other passwordless solutions based on FIDO standards, and Microsoft provides guidance for Active Directory implementations.
One more thing remains, where to keep your secrets?
When you use passkeys, keeping your certificates safe is crucial. You might be wondering where to put that secret, right? After all, you don’t want anyone else getting their hands on your private key. The good thing is that you have plenty of options! The not so good thing is that they all have their pros and cons. As always, you will have to balance security and convenience.
The table below shows your alternatives for storing your passkeys:
| Store your passkeys in: | PROS | CONS |
|---|---|---|
| TPM chip of your computer | High security, protection against hardware and software attacks with the integrated TPM Chip | Less flexible for multi-device access |
| Smartphone | Convenient and mobile, dedicated security modules (Apple Secure Enclave or Arm TrustZone on Android) | Issues if lost or stolen without backups |
| IAM (Identity and Access Management) Solutions (Google Cloud IAM, Azure AD, AWS IAM) | Centralized management, advanced security, multi-factor support | Complex setup and management, dependency on cloud services |
| Password Managers (1Password, Dashlane, Bitwarden, … ) | Flexibility, multi-device access, robust encryption | Depends on the security of the manager, risk of compromise |
| Hardware Security Keys (YubiKey, Google Titan) | Maximum security, portable, compatible with many services | Need to carry the key, risk of loss or theft |
A natural choice for a company is to leverage an existing IAM solution. For instance, when using Microsoft Entra ID, the built-in features enable the technology. For Apple users, there is a similar mechanism that works on both iOS and macOS.
I do not use YubiKeys yet, but they are the best option to store my passkeys. Currently, I keep my passkeys in my favourite password manager, and I am hoping to change all my passwords soon!
The future norm?
Passkeys will become the new norm in a few years. Users will realize that passkeys simplify their lives, and companies and users alike will appreciate the reduced risk of breaches from phishing or brute-force attacks. However, building user trust in passkeys remains a challenge, like the adoption of password managers. Employers and providers of digital services should find effective ways to explain the importance and benefits of adopting passkeys just as they previously advocated for the use of strong, complex passwords.
Looking ahead, passkeys will be particularly valuable in a quantum computing future. Although current passkeys do not yet use quantum-resistant cryptography, they offer a flexible and scalable solution: updating and replacing passkeys will be significantly easier than rotating traditional passwords (finally, no more trying to generate and remember new secret passwords). Personally, I am adopting passkeys for every service that offers them as an option. At NVISO, we are encouraging customers to include a passwordless strategy in their zero-trust journey.
What about you? Is it the first time you are hearing about passkeys? Are you using them personally or have you seen companies successfully deploying them? Feel free to share your thoughts and questions in the comments below!

Alexandre Baratin
Alexandre Baratin is a Cyber Security Consultant active in the Cyber Security and Architecture team at NVISO. With a comprehensive background in IT and Cyber Security, he assists companies on their Cyber Security journey by enhancing security awareness, developing or refining GRC processes, and managing the security program through NVISO’s CISO as a Service offering.
Alexandre possesses the most recognized certifications in IT, project management, cybersecurity, and cloud computing.

Hi Alex, I also was very much looking forward to passkeys, however I am getting less and less hopeful as the rate of adoption was very slow from the start and now feels like it came to a complete halt.
I was especially looking forward to having my family members abandon passwords and use passkeys, but the complexity, unclear requirements and incompatibility across the environments of Apple, Google and Microsoft made this impossible.
I have a modern desktop computer with Windows 11 but cannot use passkeys because I use Firefox and it does not support them (yet?).
On my company Windows laptop I cannot use them because they require Bluetooth (I think, but again this is not clearly documented), which is deactivated. I now have some passkeys on my iOS device and some in Bitwarden, and I was actually able to use those when I re-setup my phone the other day.
Still, this is much too complicated for me, an IT professional, let alone my parents.
Then I came across this blog post which showed even bigger issues that made me think passkeys are doomed.
https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
Here they talk about it on TWiT extensively.
https://youtu.be/fSNcUKphUtw?si=edEc-yduZkhP_tTI
What is your take on that?
Hi Christian,
Thank you for sharing your experience and concerns about passkeys. I completely understand your frustration, especially given the promise that passkeys held for simplifying authentication and enhancing security. The points you’ve raised are very valid, and they highlight some of the current challenges in the ecosystem that need addressing.
The slow adoption rate is indeed a significant hurdle. While tech giants like Apple, Google, and Microsoft have embraced passkeys, the integration across different platforms and environments hasn’t been seamless. The fragmentation you’ve experienced between different ecosystems (Apple, Google, Microsoft) is a known issue. It’s unfortunate that despite the push for interoperability through FIDO standards, we are still seeing gaps. Your point about Firefox not supporting passkeys yet is crucial. While Chrome and Safari have led the way in passkey support, other browsers like Firefox are still catching up. This inconsistency can be frustrating, especially when you’re using different devices or setups. As for the Bluetooth requirement, you’re right—it can be a stumbling block, particularly in corporate environments where device settings are often locked down. The documentation around this is sometimes vague, which doesn’t help users who are trying to navigate these new technologies.
Your experience with trying to get your family to adopt passkeys resonates with many of us. The process should be as simple as possible, yet the current state of implementation can feel overly complex, even for IT professionals like yourself. This complexity is a barrier to widespread adoption, and it’s something that both tech companies and the FIDO Alliance need to address. I took a look at the blog post you referenced, and I understand why it might make you feel less hopeful about the future of passkeys. The concerns raised about security gaps, potential vulnerabilities, and inconsistent implementation are real and should be taken seriously. However, I believe that the current issues with passkeys are not necessarily indicative of their long-term viability. We’re in the early stages of what could be a revolutionary shift in authentication. There will be bumps along the road, as with any new technology.
I’m still optimistic about the future of passkeys, but I also acknowledge that we’re not there yet. The industry needs to work on making the process more user-friendly and ensuring compatibility across all major platforms and devices. It’s clear that better documentation and more intuitive setup processes are necessary, especially for non-technical users. I hope that as adoption grows and feedback from users like yourself continues to pour in, these issues will be addressed, and the technology will mature.
For now, I think it’s important to continue pushing for better solutions while also being realistic about the current limitations. If you’re still interested in exploring passkeys, I’d recommend keeping an eye on updates from the FIDO Alliance and the major tech companies, as improvements are likely on the horizon. Meanwhile, sticking with a mix of passkeys and other secure methods like password managers might be the best approach until the ecosystem fully matures.
Thanks again for your thoughtful comment and the resources you shared. It’s discussions like these that help move the conversation forward.
Best regards,
Alexandre