Passkey
Full Title or Meme
As the name Passkey suggests, it requires dual verification of an account before someone can sign in to that account.
Context
Passkeys differ subtly from FIDO 2.0: they surround multi-device Fast Identity Authentication with another protocol. A passkey uses a notification, generally sent to the individual's smartphone during the log-in process, which lets them authenticate their credentials. Often this is done with a PIN or a biometric, which removes the need for conventional letter-and-number passwords.[1]
- State of Passkeys according to the guys that created the thing. 2024-04
Features
- Passkeys can be synced between devices where the device enables it. This can be blocked by using device-bound Passkeys.
- The user must unlock the passkey on the device before it is used, typically with a Biometric Factor or a PIN.
Problems
- I Stopped Using Passwords. It’s Great—and a Total Mess Wired 2024-02
- The credentials created by a web-connected user in a browser are completely useless when the underlying protocol insists on some complex format like SD-JWT.
- Misconceptions about passkeys or not?
- FIDO requires secure origin binding and TLS, but that is not accessible to all password managers, so a man-in-the-middle attack only requires spoofing the origin to be part of the origin used for the key (in other words, the FIDO binding does not seem to apply to what happens in the xxx-manager unless the xxx-manager is fully integrated into a browser that is FIDO compliant).
Acceptance
- Passkeys are supported by both Apple and Google. See the website for details.
- By the end of 2023 it looked like more people were using passkeys than expected.[2]
1Password experienced a particular spike in October 2023, correlating with big companies like Amazon and WhatsApp rolling out their support for passkeys during this month, with over 70,000 created between October 16-22 alone.
Solutions
- 24-08-08 New CISA Guide Calls for Phishing-Resistant Forms of Authentication and Passkeys by Default.
- 24-08-05 passkeys.dev now has a #WebAuthn feature detection page for developers! This page will check for common features and capabilities used with #passkeys in the browser where it was loaded! Check it out: WebAuthn Features and Capability Detection (short URL is passkeys.dev/fd)
- 24-08-04 Chrome on Android now integrates the Credential Manager, allowing third-party password managers to provide passkeys on Android 14 and later.
With this update, your Chrome on Android 14 and later can create and save a passkey to a third-party password manager, or authenticate using a passkey saved there. Also, learn how a relying party can detect which password manager a passkey is created at.[3]
Portability
Vendor Relationship Management (via Doc Searls) is coming true, but it is fully hidden behind terms like:
- Password Management,
- Credential Management,
- Portable Passkeys.
But the point is that a human being can move their access and metadata about the sites that they visit as a part of their daily life. I hope it works out! I hope they make the result extensible. See this video clip from Rew Islam and Nick Steele.
References
- ↑ FIDO Passkeys - Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins https://fidoalliance.org/passkeys/
- ↑ Lewis Maddison, Looks like more people are using passkeys than expected: 1Password sees passkeys exceed 700k (2023-12-21) https://www.techradar.com/pro/security/looks-like-more-people-are-using-passkeys-than-expected
- ↑ Eiji Kitaura, Passkeys UX updates on Chrome on Android https://developer.chrome.com/blog/passkeys-on-credential-manager
Other Material
- For a more generic solution, check out this wiki page: Vendor Relationship Manager.