There has been a lot of talk about Passkeys.
Are they right for you and your company? Why the pushback?
Let’s have a look.
What are Passkeys?
Passkeys are credentials that replace passwords, relying on public key cryptography based on the WebAuthN protocol. The public key is stored with the company that creates your account, and the private key is stored on the same device you use to create the passkey.
How do they work?
Once the passkey is generated, you can log in to a passkey-enabled account. At login, the account server sends a challenge to the authenticator (a mobile device, computer, tablet, browser, or password manager). The authenticator uses the stored private key to solve the “challenge” and responds to the server. This is called “signing” the data to confirm you own the private key and are who you say you are.
Android, Apple, and Web APIs are now allowing Passkey authentication in mobile and web apps, and some password managers also offer Passkey creation and storage.
What’s the Problem?
1. Compatibility
Passkeys work on sites like Google, iCloud, Adobe, GitHub, Amazon, Office 365 … and with certain applications, but not yet everywhere.
2. Vendor Locks
Migrating a passkey from one location (service or wallet) to another is not easy. In fact, in many cases it’s impossible, and allowing that kind of activity can increase the risk of theft.
If you allow your iPhone to create the passkey for you when you log in to a site, for example, the iPhone will store the passkey to iCloud Keychain, and make it available on other Apple devices. But it won’t be available on a Windows or Android device. The same goes the other way around. It is very difficult to switch from one “sandbox” to another.
It can be challenging to know where your passkeys are without reviewing them individually – which is a lot of work.
One workaround is to add several passkeys to a site that supports them. However, it’s not easy to find where you’ve stored them. … If you want to switch from iPhone to Android, for example, on the Mac, you can review all your stored passkeys and passwords, one by one, in System Settings, but it’s a lot to browse through. If you’re trying to move from Android to iPhone, it’s a complicated process to determine what sites your old device is going to log into.
Many argue that Vendor Locks are by design. …
You can replace the passkeys with ones created by a cross-platform password manager. You’ll be locked in with those too, but at least it’ll be an app you can use anywhere. Still, to log in to each one to replace or add another passkey on them will be a heavy lift.
3. Company Security Policies
Passkeys are not quite there yet when it comes to enterprise security. Adoption has been slow.
Here are a few points to consider:
a. Passkeys are not the same as passwords. This is good because the security is typically Phishing-Resistant, but managing passkeys for IT departments can be tricky.
For IT teams, resetting a passkey is much more complicated than resetting a password. Support teams need to be properly trained.
b. Passkeys are not 2FA. The iPhone, Android, and password manager implementations make passkeys into a combination of something you have (device) and something you are (biometric). They eliminate the “knowledge factor” or something you know, which makes them Phishing-resistant. However, for most policies that require 2FA, a single passkey won’t be sufficient.
Many corporate policies require both a Passkey and a one-time passcode (OTP). We know that even a TOTP, or time-based one-time passcode, doesn’t strengthen security
c. Passkey Storage Staff often use personal devices, which means the authentication “secret” could be managed by that device and copied to personal accounts and wallets. This is risky.
If the policy requires staff to use a company password manager, that may be better for corporate policy, but if a personal passkey is tied to a company wallet, the user may not be able to recover it when no longer with that company.
4. Passkey Implementation and Account Vulnerability*
Most implementations offer at least one additional authentication method, and typically a push notification or email-based OTP. Unfortunately, you won’t likely be able to configure it so that your account is accessible only with a Passkey.
While Passkeys don’t require you to have the fallback of a password, most providers recommend a second method of authentication for the following reasons.
a. Not all devices are Passkey-compatible.
b. Compatibility from one environment to the other is not certain.
c. Some people simply choose not to use Passkeys … and companies don’t want to lose those users.
*This is the biggest problem of all, because:
a. App security is only as secure as its weakest link. If you are falling back on the password, why use passkeys at all?
b. IT won’t want to bother learning a new security mechanism if they need to implement a fallback alongside it (which they could have just chosen to begin with).
In Summary
Passkeys offer an improvement over passwords, but the problems lie primarily with compatibility and in the way they are being implemented today.
The good news is you can simplify and secure login with Phishing Resistant Passwordless Multi-Factor Authentication (MFA) plus Single Sign-On (SSO) with TraitWare’s enterprise solution.
For more information, contact us any time and we’ll be happy to walk you through it in just a few minutes.