What’s behind the new passkeys

Passkeys could soon replace the classic combination of username and password. Google, Microsoft and Apple have already introduced them, but what makes them more secure than passwords?

In May 2023, Google announced the “beginning of the end of passwords”. Since then, the approximately two billion users registered with Google have been able to protect their accounts from misuse with passkeys. But many of them have never heard of passkeys before. Now we can help shed some light on that.

Where the dangers of classic passwords lurk

When passwords were introduced to protect online accounts, things were still pretty good in the IT world. The Compatible Time-Sharing System (CTSS), developed by the Massachusetts Institute of Technology (MIT) in the early 1960s, was the first computer that could be used by several users. For the first time, users protected their accounts with passwords.

However, it wasn't long before the first password attack took place. In 1962, researcher Allan Scherr wanted to use the computer for longer than his allotted time allowed, so he started looking for a way to retrieve his colleagues' passwords. Eventually he used a punch card request to print out the password file stored in the CTSS and used the passwords to log in.

Even though attacks on passwords today do not require punch cards, classic passwords are now considered to be largely outdated. There are several good reasons for this. For example, most people use simple passwords that they can easily remember. However, they are also easy to guess or crack with brute force attacks. On the other hand, hardly anyone can remember complicated passwords. They are therefore rarely used.

Many users also tend to reuse their passwords. This is exactly what makes the countless data leaks of recent years and months so dangerous. Stolen credentials do not just compromise one system: once captured, they often allow a remote login to every service where the user has used the same combination of user ID and password. Cyber attackers have already done a lot of damage in this way.

Solving the password problem

IT security experts have been aware of the password issue for a long time. They have therefore developed a number of improvements to make password handling more secure. These range from the use of password managers to multi-factor authentication (MFA) and time-based one-time passwords (TOTP). However, as we have already shown, even the much-praised MFA no longer offers complete protection. Fatigue attacks, real-time phishing and the theft of session cookies can all compromise MFA.

Several large Internet companies, including Google, Microsoft and Apple, have therefore joined forces to develop a secure alternative – so-called passkeys.

How passkeys work

Technically, passkeys are based on the FIDO2 method. Like FIDO2, passkeys use a pair of keys, one private and one public. This is known as asymmetric (public-key) cryptography. As with FIDO2, when logging in, the server sends a random challenge to the client, the client signs the challenge with its private key and sends the signature back. The server then validates the response with the user's registered public key. If the signature is correct, the client is logged in.

In addition, several factors prevent misuse. Passkeys work completely without passwords. Instead, the private key on the user's device is usually protected biometrically or with a PIN. As a rule, the operating system's normal unlock procedure is used for this.

When using passkeys, new key pairs are generated for each service and application. Unlike passwords, passkeys cannot be used for multiple services. Since the keys are bound to the domain used, common phishing tricks such as very similar domain names no longer work.

The main difference between FIDO2 and passkeys is that the latter are no longer tied to a single device. Passkeys are usually stored in a security chip or a dedicated password manager, so that they can be synchronized and backed up across multiple devices. A separate hardware security token, as with FIDO2, is not required. Passkeys are also compatible with the WebAuthn standard. This has the advantage that website operators only have to implement one method to support both passkeys and FIDO2 tokens.

Benefits and drawbacks of passkeys

Passkeys reduce the risk of compromised accounts and promise an IT world without passwords. Although widespread adoption will take time, the security advantages of this new authentication technology far outweigh the disadvantages:

(+) Passkeys guarantee more security than passwords, as they are much more difficult to hack or guess.

(+) Passkeys offer a higher level of convenience, as the user no longer has to remember them. Instead, for example, using a fingerprint is sufficient to log in securely.

(+) Passkeys prevent phishing, as a new key pair is automatically generated for each domain and application.

(-) Passkeys are not yet very widely used. For example, the Passkeys.directory lists only 80 companies that have implemented passkeys (as of: Fall 2023).

(-) Passkeys may require new hardware or software, resulting in additional costs. However, Microsoft and Apple have already integrated the technology into their operating systems, and other providers will follow.

(-) Some companies use backdoors in their implementations. For example, Google has not yet been able to completely dispense with passwords. In this way, attackers can still manage to bypass the secure passkeys.

Would you like to find out more about secure authentication methods? Please contact us with any questions: NCP has many years of experience in protecting data on the Internet and defending companies against cyber attacks.