11 June 2025
A couple of websites I occasionally use have changed the way their login works. Instead of the username (or e-mail address) and password system that has been in use for decades, I now just get a code sent to my inbox. No password. It's like 2-factor authentication, except one of the factors was skipped. Or perhaps they've come to the realisation that if you can reset the password with just an e-mailed link, then why bother asking for a password at all. I suppose it makes sense, but I don't feel like my inbox is a place for those codes - I'd rather use an authenticator.
(Speaking of authenticators, can I just air my grievance that Steam doesn't use the standard mechanism everyone else uses? To have 2-factor protection on Steam, you have to install their application on your phone. None of the others work because they only use numbers, whereas Steam uses letters and numbers. It seems everyone wants me to install their software on my phone (e.g. MSN's "continue reading in the app") and I hate that.)
Anyway, I'd posit that this straight-to-email thing is a precursor to migrating people to passkeys. Get people used to not entering passwords, then introduce passkeys as a replacement for the codes.
Passkeys puzzled me when I first heard about them two years ago. I think it's because they encompass phones, computers and dedicated FIDO security keys under one umbrella, and each one has its own little differences.
The benefits are reasonably clear: it's pretty much impossible to use your passkey on an imposter website. A typo-squatting domain can't ask the browser for the passkey to the actual domain because the addresses don't match. Scammers using e-mail to ask people to send their passwords will find the marks can't - there's no way to type it in. If a website loses the database that contains the authentication information, those passkeys are unique and can't be reused on other sites. Credential stuffing is practically impossible if passkeys are the only login method.
These are all very good things. However, there are some weaknesses too: backing up is typically only possible within the same ecosystem (e.g. Apple devices, Google devices, Microsoft software, or a third party program), using a key from one ecosystem in another is tricky, they are often treated like two separate authentication factors, and lastly you risk being locked out of an account if you disable the traditional password and lose all your passkeys. If you forget a password, you might remember it later.
On Microsoft Windows, "Hello" is the system used to safeguard your passkey store, and it's encrypted using the TPM (Trusted Platform Module) if you have one. The curious thing is, it's not necessarily ready to receive passkeys out of the box. If you have set your computer to log in without a password, you can't set a PIN or use a biometric, and without that you can't save a passkey. You can still save the passkey to a phone or security key though, just not that machine. If you choose to use a phone, your computer must support Bluetooth 4.0 LE or newer since it checks for proximity.
If you're using passkeys on a phone or tablet, things get super easy, as long as you use a lock screen (which I'd say most users do). On Apple iOS all you have to do is confirm your face or fingerprint, and it'll add it to the Keychain. On Android it'll probably be stored in Google's Password Manager, but it does depend on the device. Logging in just requires you to use your biometric to unlock the passkey.
This does create a new concern, but it's actually kinda an old one. If someone were to get into your Keychain by logging into your Apple account, they also have your highly-trusted passkeys that are considered two factors. If they'd accessed your account and used a saved username/password combo, I (at least) would expect a 2-factor challenge for this unusual new activity. To be fair, some websites like Amazon don't trust passkeys as much and will do the 2-factor as well.
So I suppose passkeys boil down to being an easy way for non-security-minded people to generate very secure "passwords" (if you consider the passkey's data to be that), combined with a "password" manager. Or what I'm trying to get at is it's functionally the same as using a password manager with a long complex password, except you can't write it down and could be locked out if you lose the passkey. (If Google decides to ban your account you lose access to everything, including the password manager... yikes.)
To add fun to the mix, there are physical devices that can store passkeys. Almost all of them support USB-A/C, but some also have NFC and Lightning connectors. They are more intuitive to use on a computer, well in my opinion anyway.
Remember Hello? You can tell it that you want to use a security key instead, and it'll ask you to insert it. The NFC ones can be tapped on phone/tablet screens to access. Easy as pie, very secure and doesn't involve our digital overlords' password managers.
I think this is the best way to take advantage of passkeys. Buy at least two security keys, and create new passkeys on each for your important services (did I mention that you can create more than one?). Then put one in a safe place. If one fails, you've got the other.
It's still a bit of a mess for the most part. I don't think the average Joe should go out of their way to switch to passkeys and remove their password. If you think you are at a high risk of being hacked, then it might be worth considering.
Some browsers are offering to automatically create passkeys for websites that support them. As long as using a password remains as an option, I don't think this will cause any issues for the most part. Of course the idea is to replace passwords at some point, and when that happens things could get hairy. Until then, hopefully this gets more time in the oven.
© Andrew Nile 2018-2025.