Password Management: Passwordless Login

#password #habits #security #development

We keep hearing about the move to passwordless logins. What does all this mean? Does it mean that we're not going to have any way of checking who we are or that we're moving to the advanced technology where we have retina scanning? Let's delve into it in this blog post.

What Is Authentication?

Let's start with authentication. Auth0 defines authentication as the process of proving some fact or document is genuine. A user proves their identity by providing their credentials. A user can use different forms of information to prove their identity. That information could be:

Something they know, such as a password
Something they have, such as their phone
Something they are, some biometric marker, such as a fingerprint

A passkey is a new form of authentication and fits into something they have.

What Are Passkeys?

Over the last while, we've started to see passkeys as a way to log in to many familiar websites. Some examples are Google, GitHub, Uber, and LinkedIn, and the list continues to grow. Passkeys are becoming widely adopted as a secure way to log in, as they have some notable benefits:

Passkeys are always strong
We no longer have to remember long and complex passwords
Passkeys are phishing-resistant
In a data breach, passkeys are not exposed

How Have Passkeys Come About?

How did they come to be? Passkeys use two things:

FIDO (Fast IDentity Online) authentication
A means to securely retrieve the FIDO private keys for use

The evolution of security and, more specifically, authentication has led us to this elegant and simple authentication method for the user.

What is FIDO Authentication?

FIDO is a way to log in securely using a digital signature. How this happens is that FIDO is comprised of two pieces of information:

A private key
A public key

When we want to log in, let's say, to LinkedIn using a passkey, LinkedIn sends some information to our browser or application. The browser connects to the passkey store, which causes the user to perform biometric verification with a fingerprint or facial recognition. Once confirmed, LinkedIn sends a new, unique piece of information to the browser and passkey store. The passkey store uses the private key to encrypt it. The browser then sends the information back to LinkedIn. Then LinkedIn takes the public key, decrypts it, and checks if it matches what was initially sent. If it doesn't, the login request fails, but if it does match, we're allowed access to our individual LinkedIn account.

This process is called asymmetric encryption, in which two different keys are used for encrypting and decrypting. The private key is used for encrypting, and the public key is used for decrypting. The private key is kept secure in the passkey store and never disclosed, while the public key can be shared with anyone. In the case of authentication, the public key is stored in the app or website, requiring authentication. The public key cannot crack what the private key is.

Let's take an example to see that in action, where we have the spell hocus pocus as the private key and the spell alakazam as the public key:

We start logging in to LinkedIn using our browser with a passkey.
The browser then connects with the passkey store.
The passkey store prompts the user to authenticate with their fingerprint or facial recognition and lets the browser know when the passkey store is ready.
LinkedIn sends the message "rabbit" to our browser so that the browser can show it has the correct passkey.
Our passkey store gets the message from the browser and encrypts it, using the spell hocus pocus to get the new message "watermelon".
The passkey store forwards the message to the browser, which sends the message "watermelon" back to LinkedIn.
LinkedIn takes the message "watermelon" and decrypts it using the alakazam spell to get the message "rabbit".
LinkedIn verifies that it matches what it sent initially.
LinkedIn lets us log in to our LinkedIn account.

Where Is the Passkey Stored?

Updates are rolling out to support managing passkeys by Google, Apple, and Microsoft, along with password managers. There are some differences between what we can do with each:

Google allows us to use passkeys with all of its Android apps and Chrome browser
Apple allows use with Mac, iPad, and iPhone along with its Safari browser
Microsoft allows use with Windows devices and the Edge browser
Password managers will allow passkey use across all of the devices that support the password manager

Generally, each of the different stores allows the passkeys to be synced through the cloud, so once we have our passkey stored in the Google password manager, any mobile device we use that Google account with will have access to that passkey.

What if We Need the Passkey on Another Platform?

Let's say we've set up a passkey on Apple's keychain, and now we need to log into our Windows device. We can choose to use a passkey from another device.

Screenshot of the Passkey prompt from github.com

We can scan the QR code with our iPhone and choose the passkey to log in. We would then be given the option to save a passkey. Then, we would have different passkeys for Apple and Microsoft. Each allows us to log in, and each passkey is different.

What Does Setting Up a New Passkey Look Like?

Some websites and applications have made setting up passkeys simple. However, others require a little more work. The directory https://passkeys.directory lists all the websites, apps, and services that use passkeys for signing in. We can quickly check how to set up each app and website.

Example of the instructions for setting up a passkey for Adobe

How Secure Are Passkeys?

We talked about how authentication uses private and public keys earlier. When we set up a new passkey, a new private key and matching public key are generated. The private key is securely stored in the service we use to manage the passkeys, which could be Google's Password Manager, Apple's iCloud keychain, Microsoft's Password Manager, or the password manager we choose. The private key never leaves that store. The public key is stored on the website, app, or service that we're setting up. To make use of the passkey, we need to authenticate. The authentication to access the passkey is a biometric check, such as logging in with a fingerprint or facial recognition.

What Does It Mean in a Security Breach?

For a security breach of an application, the application would have the public key, which we're okay with anyone having, as it's public. The public key doesn't allow the "bad actor" to log into our account, so we remain secure. However, if we still have a password stored on the application, we must reset it immediately. If the password is not strong or re-used, we are left quite vulnerable while using a weak password.

How Do Each of the Authentication Types Compare?

The hardware security key is the most secure since it cannot be copied or shared; only the holder can use it. Using only a password is the weakest since it's one form of authentication that can be phished and set up weakly. Next, multi-factor authentication adds to the security level, while the passkey is seen as more secure again. For companies that want only one person to access a key, a hardware security key meets that need as it can only be easily used by co-located people. Passkeys and hardware security keys would ideally be used with Multi-Factor Authentication (MFA) to ensure one of the forms has not been stolen by a bad actor.

From weakest to most secure: the different types of authentication

Could We Use a Hardware Security Key as A Passkey?

Since both hardware security keys and passkeys use FIDO authentication, some websites let us register a passkey as a security key or register a hardware security key as a passkey. However, how each website or app intends to use them could differ, so it's worth noting how we log in. Passkeys could be designed to be used instead of a password, and then a second form of authentication could also be used. For a hardware security key, it may be that a password is entered first, and then the key is used as a second form of authentication. This could mean we must keep a password for a security key, while with a passkey, we could go passwordless.

Where Are We in Terms of Moving Fully Passwordless?

As of May 2024, we're seeing the adoption of passkeys by more applications and vendors. However, we're not at the point where every application has moved over to use passkeys. Dashlane is seeing a 70% conversion rate from passwords to passkeys as of October 2023, where users are jumping on board using passkeys. If we put that into perspective, those Dashlane users are already password savvy, have realized the need for a password manager, and have seen the benefits of passkeys. However, many users need to learn what passkeys are and why they should use them. So we have to work to educate people and update our applications to support passkeys. At some point, we will have widespread passkey adoption, and applications can start to test switching off their password support across the application or per user so that they no longer are needed.

Is MFA Going Away?

What does the move to passkeys and passwordless mean for MFA? From what we're seeing in the industry, MFA will continue as a way to ensure that users are who they say they are. Users can log in with the passkey and then use another form of authentication to verify their identity. We should continue to use additional forms of authentication along with our passkeys.

Conclusion

We've learned that a world in which we are passwordless is coming closer. While we may not be there just yet, a lot of work is being done to get us there. Since we still have passwords, we have to make sure they are secure, even if we start to primarily use passkeys, as the passwords could get exposed in a data breach. As we move on with our day, we should look for opportunities to use passkeys, set them up, and post comments on how our move to passkeys is going.