The problem with authentication is not new - it has been existing for at least 6000 years since the Egyptians and Mesopotamians invented the pin-tumbler locks. The challenge was simple: to deter people who are not supposed to take something from taking that. And in the 1960s, the problem came to the digital system, when Fernando Corbato designed the first password for the MIT CTSS. Just like any other lockpick, the digital systems also have vulnerabilities. Alan Scherr, one of the PhD students of Fernando Corbato, managed to dump the passwords file of the CTSS system to reveal the password of other users. The race to better locks and more efficient lockpics are as old as the tale of time.
In modern times, there are specific standards to authentication systems, defined by standardization authorities like the NIST. For example, the NIST Special Publication, SP 800-63 outlines the authentication and authenticator standards.
NIST outlines that the three authentication factors should be knowledge based secrets (something you know), possession based factors (something you have) and inherence based factors (something you are). Out of these three, NIST guidelines suggest inherence based factors to be used only in conjunction with any other type of factor only due to its probabilistic nature. Explaining this in simpler words, a computer cannot identify a human by his biometrics in a deterministic way. This is because humans continuously evolve and how you look one day is almost always different from how you look the next day. Even other biometric factors like fingerprints vary. I know it sounds weird because we have been following that fingerprints are unique to a person. While that is probably true (some medical studies have reported weird cases of Siamese twins having identical fingerprints), the way a computer reads the fingerprint differs day to day. If asked to put your finger on a fingerprint reader multiple times, it is very improbable for you to put your finger on the exact same angle, and put exactly the same pressure every single time. Thus biometric systems work on a probabilistic or confidence metric. A computer is never a hundred percent sure it is you when you use biometrics. A computer may be, say 90% or 95% sure that it is you and allow you access. This system is easier to be gamed with technologies like deepfakes or presentation attacks. Hence it is recommended to pair it with a deterministic factor. Now many developers still choose biometrics as a single factor authentication system and that is a story for another day.
The password problem is not new. And the big-tech have been effectively advertising about the same to market for the new passwordless technology called ‘Passkeys’. Yeah the problems include phishing, credential stuffing, password reuse etc. And big-tech have been effectively gaslighting the users into believing they are not capable enough to manage their secrets. Well, it may be partially true. Users do fall for social engineering attacks and reuse passwords. And that is an enterprise problem. But the passkey problem could be a bigger problem that nobody realizes.
Before going into the passkey problem, let’s have a brief on what passkeys are. It is a possession based authentication factor, and uses cryptographic authentication techniques. In lay man's terms, imagine it is a big secret random number (cryptographic secret or private key) saved on your computer or smartphone and services can verify the existence of this number on your computer to allow you access. FIDO2 standards let this list be saved on a special chip on the device or a special physical security key and users cannot share this with anyone. Every service you use has a different key associated with you and you cannot even willingly leak your secret to anyone. This seemed like a perfect solution to the password problem. It eliminated most social engineering attacks and password reuse.
But then came the usability problem. If your cryptographic secret is stored on one computer, you would effectively not be able to access the service from another computer that does not store the secret. Physical security keys are a good enterprise solution for it, you can plug it in to any computer but for daily users, this seemed to be a headache. The standard allowed you to even use your smartphone as a security key over bluetooth. If the secret is stored on your phone, you can use it on any computer as long as you have your phone around. But apparently, this was also a problem. The proposed solution was syncing these cryptographic secrets over proprietary-cloud. I still remember, it was around November or December 2022 when I was reading about it. The standards claimed the sync was done end-to-end encrypted with device keys and it was not possible for the proprietary cloud provider to access the secrets. iCloud Keychain was probably the first to roll it out, followed by Google Password Manager.
Personally, having seen the rise of big-tech and their influence on corporate surveillance, I take whatever big-tech claims with a pinch of salt. And it wasn’t difficult to quickly realize that it is a surveillance problem too. Sync over proprietary clouds raised an immediate red flag, even when the content was claimed to be encrypted. Back in 2022, when it was released, the last version of NIST SP-800-63B was v3. The standard document said single factor and multi-factor cryptographic authenticators were discouraged to export or sync their secrets. And the passkey standard completely violates the standard documentation. In January of 2023, I had the opportunity to meet the standards head of FIDO Alliance and discuss this with him. He assured me that the passkey standard was better than other cryptographic possession based authentication factors and they were discussing with NIST to update the standard documentation to allow for passkeys. And soon enough SP-800-63B v4 was published which did accommodate for the sync.
The bigger question that comes here is, is it really secure? Well obviously the secret being End to End encrypted meant it's there only on your devices, big-tech cannot read it and nobody else can authenticate to your account. Seems like it is working as intended on paper. Was it always the plan from the very beginning?
To answer this, we go back to the first publication of the FIDO Protocol by Dr. Rolf Lindermann from FIDO Alliance, Noknok labs. The paper emphasized on storing the cryptographic secrets on a secure storage only. It was an interesting period of time, in 2012, when the founding members included Nok Nok Labs, PayPal, Lenovo, Validity Sensors, Intel and Infineon. No big-tech was a part of the Alliance yet. The first standards included a field called ‘Signature Counter’ which basically ensured that the private key being used for the authentication was not cloned. Clearly there was no plan to sync it over proprietary clouds. It raises more concerns over the widespread adoption of Passkeys after the sync.
Now, let’s go on to the technical side of this problem. In synced passkeys, the cryptographic secrets are not only saved on your device, but also, though encrypted, on the cloud servers of big-tech. It is claimed they cannot access or use our secrets and let us assume that is true. But then, even if the data isn’t available, the metadata is a big surveillance tool. As we have noted in the 2013 Snowden leaks, metadata often painted an accurate picture of what was happening, even though the content of the communication was not collected.
Here, when the secrets for each service you use is stored with a passkey manager, often associated with big-tech, it becomes easier for them to know which services you use, when you login, and your access patterns. For example, you login to your work machine every day at 10AM with a Passkey, followed by your Email at 10:05 AM, Slack at 10:10 AM and so on. This allows the passkey provider to create a better picture of your standard workday than even your manager. Every re-authentication with passkeys paints your entire daily routine to the big-tech without even having to access your secrets.
Now let us look at a standard consumer. A person logs in to, say, a portal of a political party, immediately followed by their internet banking account. This could paint a picture of the person donating to that particular party and revealing his political views. Authentication metadata paints a very vivid picture of people’s daily lives, and increasingly more these days with the widespread adoption of passkeys. And it just does not end here. Theoretically, big tech could deny you access to your cryptographic secrets. And big tech could stop you from logging in to your accounts. For example, in 2025 there was a very good example of Visa and Mastercard preventing payments for virtual assets on Steam. Well Visa and Mastercard are just payment processors and the users were willingly trying to pay for in-game assets. Now imagine a similar scenario, you are denied access to your internet banking passkey if you are coming from specific websites. Authentication events are not just technical events, they are behavioral signals. The passkey provider can observe more or less everything you do in your daily lives, including when you start your workday, which services you access, your political views, your finances and much more.
Now let’s roll back to square one for some time. Did Passkeys really solve the password problem? Well, we mentioned, it did. But that was before the cloud-sync. Once the cloud sync was started, the user account of the passkey manager became a single point of failure for all passkeys. In my opinion, the condition is now worse than passwords in some aspects. If you maintained proper password hygiene and best practices, one account getting compromised usually did not affect your other accounts. But with passkeys, if the passkey manager is compromised, all accounts are. You could argue that the case was the same for password managers. The password manager compromised would leak all your passwords. That is true, but nobody forced you to use a password manager in the first place. You could remember the passwords and maintain best practices and you were safe. But with passkeys, the choice is stripped off systematically. If you try to create a passkey with ‘Authenticator attachment: platform’ and ‘Resident Keys: encouraged’’, Android devices do not provide you with an option to create it on the device. It will be created with a passkey manager only. The case might be similar with iOS and MacOS, I did not test with them. I personally had to go for other extensive work arounds which included using a third party passkey manager and disabling sync to achieve on-device passkeys.
Data sovereignty, especially with cryptographic secrets is very important for everyone, no matter how they use computers. And with the evolving geopolitical conditions, the risks of surveillance are increasing every day. Going back to the 2013 Snowden files, it showed big-tech and government surveillance was not just for anti-terrorism activities, but also facilitated economic espionage, political surveillance and more. Cryptographic secrets and even the metadata associated with them reveal much more information about us than even communication metadata.
The passkey revolution might be instrumental in facilitating surveillance more than ‘protecting users from phishing-attacks’. TL;DR, Assume you are one authorized to stay at your home. The password problem is analogous to you losing your home keys, or thieves copying your key to make duplicate keys. It is a standard problem and the solution was better password practices. The FIDO solution to the problem was making the key heavier and more complex so that it cannot be stolen and providing you with a lockbox where you can keep it safely and use it whenever you need to. That was almost the ideal solution with the flaw being you would be unable to get into your home if you forgot to carry the lockbox. The big-tech solution to this problem is assigning a watchman to you, who will roam around with you with the lockbox and he will unlock the doors for you with the key, but will never hand you over the key because you could lose it. But the downside to this was, the watchman started to note down your daily habits and tell it to the big-tech firms who have no business knowing your daily life. And the watchman is employed by the big-tech, meaning he may refuse to unlock your own home door for you if the firm tells him to do so.
Top comments (0)