Passkey

Full Title or Meme

As the name Passkey suggests, it requires dual verification of an account before someone can sign-in to that account.

Context

With Passkeys there’s a subtle difference to FIDO 2.0 as it surrounds a multi-device Fast Identity Authentication with another protocol. Passkey uses a notification, which is generally sent to an individual’s smartphone during a log-in process and lets them authenticate their credentials. Often, this is done using a PIN or biometric process and thereby removes the need for conventional letter and number combination passwords.^[1]

FIDO2 specifies the Web Authentication JavaScript API standard — commonly referred to as WebAuthn — and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP). See the wiki page for the latest WebAuthn 3.

Using the Javascript API, developers can leverage either hardware keys (known as roaming authenticators) or secure hardware on the device (known as platform authenticators), the latter of which are often gated by biometric sensors, to authenticate users in a passwordless manner.

• State of Passkeys according to the guys that created the thing. 2024-04
• Passkeys primer from Okta 2024-08

Features

• Originally Passkeys were device bound and could not be moved between devices.
• Passkeys since 2024 can be synced between devices that have enabled syncing. This feature can be blocked by using device-bound Passkeys. Multi-device credentials had been the name on introduction to distinguish it from the original device-bound Passkey.
• The user must unlock the passkey on the device before it is used. Typically a Biometric Factor or pin is used as a second Authentication Factor.
• On 2024-09, passkeys can be synced within the ecosystems of Google, Apple, and Microsoft, but cross-platform synchronization (between Google, Apple, and Microsoft) is not yet fully supported. Each company has its own system for managing and syncing passkeys:
• Google: Passkeys are synced across devices using Google Password Manager.
• Apple: Passkeys are synced across Apple devices using iCloud Keychain.
• Microsoft: Passkeys are managed and synced through Windows Hello.

While the FIDO Alliance is working towards a unified standard for password-less authentication, full interoperability between these ecosystems is still in progress. For now, you’ll need to manage passkeys separately within each ecosystem.

Problems

• I Stopped Using Passwords. It’s Great—and a Total Mess Wired 2024-02
• The credentials created by a web connected user on a browser are completely useless when the underlying protocol insistes on some complex format like SD-JWT.
• Misconceptions about passkeys or not?
• FIDO requires secure origin binding and TLS. But that is not accessible to all password managers, so a man-in-the-middle-attack only requires spoofing the origin to be part of the origin used for the key. (in other words, the FIDO binding does not seem to apply to what happens in the xxx-manager unless the xxx-manager is fully integrated into a browser that is FIDO compliant)

Acceptance

• Passkeys support by both Apple and Google. See the website for details.
• By the end of 2023 it looks like more people are using passkeys than expected.^[2]

  1Password experienced a particular spike in October 2023, correlating with big companies like Amazon and WhatsApp rolling out their support for passkeys during this month, with over 70,000 created between October 16-22 alone.

• Public preview: Expanding passkey support in Microsoft Entra ID 2024-05-02

Solutions

• 24-09 Allow passkey reuse across your sites with Related Origin Requests but what, exactly, is a related origin? See wiki page Browser Origin Policy.
• 24-08-08 New CISA Guide Calls for Phishing-Resistant Forms of Authentication and Passkeys by Default.
• 24-08-05 passkeys.dev now has a hashtag#WebAuthn feature detection page for developers! This page will check for common features and capabilities used with hashtag#passkeys in the browser where it was loaded! Check it out WebAuthn Features and Capability Detection] (short URL is passkeys.dev/fd)
• 24-08-04 Chrome on Android now integrates the Credential Manager allowing third-party password managers provide passkeys on Android 14 and later.

With this update, your Chrome on Android 14 and later can create and save a passkey to a third-party password manager, or authenticate using a passkey saved there. Also, learn how a relying party can detect which password manager a passkey is created at.^[3]

Portability

Vendor Relationship Management (via Doc Searls) is coming true but it is fully hidden behind terms like:

• Password Management,
• Credential Management,
• Portable Passkeys.

But the point is that a human being can move their access and metadata about the sites that they visit as a part of their daily life. I hope it works out! I hope they make the result extensible. See this video clip from Rew Isalm and Nick Steele.

References

1. ↑ FIDO Passkeys - Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins https://fidoalliance.org/passkeys/
2. ↑ Lewis Maddison, Looks like more people are using passkeys than expected 1Password sees passkeys exceed 700k (2023-12-21) https://www.techradar.com/pro/security/looks-like-more-people-are-using-passkeys-than-expected
3. ↑ Eiji Kitaura, Passkeys UX updates on Chrome on Android https://developer.chrome.com/blog/passkeys-on-credential-manager

Other Material

• For a more generic solutions check out this wiki page: Vendor Relationship Manager,