.jpg)
Traditional passwords have long been a weak link in online security, while passkeys have emerged as a revolutionary alternative, offering stronger authentication by eliminating the need for passwords altogether. But what exactly are passkeys, how do they work, and why should you consider using them? Let’s explore trust assumptions, potential risks, and best practices for secure passkeys implementation.
What Are Passkeys?
Passkeys are a passwordless authentication method based on public-key cryptography. Unlike traditional passwords, which can be stolen, guessed, or reused across multiple platforms, passkeys use a pair of cryptographic keys to authenticate users securely.
When a user creates a passkey, two keys are generated:
- Public Key: Stored on the service provider’s server, it is not sensitive and cannot be used alone to access the account.
- Private Key: Stored securely on the user’s device, it never leaves the device and is protected by a strong verification method such as biometrics (fingerprint or facial recognition).
When logging in, instead of entering a password, the user authenticates using their device, which signs the request with the private key. The server then verifies this signature using the stored public key, ensuring a highly secure authentication process.
Trust Assumptions in Passkeys
Every security system operates on certain trust assumptions. With passkeys, trust is placed in several key areas:
- Device Security: The private key is stored securely within specialized hardware components like Secure Enclave (Apple), Trusted Platform Module (Windows), or Samsung Knox.
- Biometric Protection: Since the private key is protected by biometric authentication, trust is placed in the security of fingerprint and facial recognition technologies.
- Cloud Synchronization: Multi-device passkeys rely on cloud ecosystems (iCloud, Google Password Manager) to sync keys across devices, meaning users must trust these providers to secure their passkeys properly.
- Service Providers: While service providers do not store private keys, they must ensure that public keys are not compromised and that authentication protocols remain intact.
Risks Involved in Passkeys
Passkeys offer significant security enhancements, reducing the risks associated with passwords. However, they are not without challenges. While WebAuthn, the protocol underlying passkeys, is inherently secure, its correct implementation is crucial to preventing security vulnerabilities. Failure to properly implement WebAuthn can expose users to attacks where unauthorized individuals gain access to their accounts. Below are the key risks associated with passkeys:
General Risks
- Loss of Device Access: If a user loses access to their devices without a backup recovery option, they may struggle to regain account access.
- Cloud Dependency: Users who rely on cloud-based synchronization are vulnerable if cloud services are compromised.
- Limited Adoption: Not all websites and services currently support passkeys, requiring users to maintain a mix of authentication methods.
- Biometric Spoofing: Although rare, advanced spoofing techniques could potentially bypass biometric authentication if not properly implemented.
Technical Risks
- Missing Signature Check: Each authentication request contains data signed by a private key generated by the authenticator. This signature must be verified by the relying party. If this check is not performed, an attacker can log in as any user.
- Origin Confusion: An attacker can trick a user into visiting a malicious website, such as evil.com, and attempt to use the victim’s passkey intended for a legitimate site. If the relying party does not check the origin during login, the attacker may gain unauthorized access. Correctly implemented authenticators help mitigate this risk by verifying the origin as well.
- Missing Checks for 'User Presence' and 'User Verification': Authenticators add flags for 'user presence' (confirming if the user is actively present) and 'user verification' (e.g., PIN or fingerprint authentication). Relying parties must verify both flags to ensure security.
- Cross-Site Request Forgery (CSRF) Attacks: In this attack, an attacker tricks a victim’s browser into authenticating or registering on the attacker's behalf. If CSRF can be exploited to add a new passkey to an account, the attacker may take control. WebAuthn does not inherently prevent such attacks, requiring additional security measures.
- Missing Counter Check: Authenticators send a signature counter that increments with each authorization request. If a relying party receives non-incremental counters (e.g., 17-11-18), it may indicate a cloned authenticator. Skipping this check allows attackers to use cloned devices without detection.
Best Practices for Using Passkeys Securely
To maximize the security and benefits of passkeys, both users and developers should follow these best practices:
For Users:
- Enable Multiple Recovery Methods: Ensure alternative authentication options, such as backup devices or recovery codes, are available in case of device loss.
- Use Trusted Cloud Providers: If relying on multi-device passkeys, choose reputable cloud providers with strong security measures.
- Regularly Review Device Access: Monitor which devices have access to passkeys and remove any that are no longer in use.
- Stay Updated on Security Best Practices: Follow security recommendations as passkey technology evolves.
- Adopt Passkeys Where Available: Use passkeys wherever possible to enhance security and reduce reliance on passwords.
For Developers:
- Plan for User Experience Challenges: Passkey experiences can vary across browsers and platforms, requiring flexible implementation to avoid frustrating users.
- Support Multiple Passkeys: Allow users to register multiple passkeys to mitigate risks from device loss or account recovery issues.
- Provide Passkey Labeling: Enable users to label their passkeys (e.g., device type or authenticator model) for easy management.
- Consider Discoverable vs. Non-Discoverable Credentials: Discoverable credentials simplify login but may introduce privacy concerns; provide users with options to choose what suits them best.
- Request Attestation When Necessary: Attestation helps verify whether a passkey is device-bound, aiding in security decision-making.
- Implement Proper Security Checks: Ensure the correct implementation of WebAuthn, including origin checks, signature validation, user presence verification, and counter checks.
- Detect Browser and Platform Support: Before altering login flows, check WebAuthn support using reliable detection methods.
- Be Cautious with Optional WebAuthn Features: Not all authenticators support every WebAuthn feature. Always verify returned data before enforcing requirements.
By following these best practices, both users and developers can ensure a secure and seamless experience with passkeys, maximizing their benefits while minimizing potential risks.
Passkeys represent the future of authentication, offering a more secure, convenient, and phishing-resistant alternative to passwords. By leveraging public-key cryptography and biometric authentication, passkeys eliminate many security vulnerabilities associated with traditional credentials. To mitigate risks, users and developers should ensure correct WebAuthn implementation, employ multiple recovery options, verify authentication requests rigorously, and stay informed about evolving security threats. While adoption is still growing, major companies such as Apple, Google, and Microsoft are leading the charge, making passkeys increasingly accessible. Understanding their trust assumptions, risks, and best practices ensures that users and businesses can implement passkeys effectively, paving the way for a safer digital future.
Secure your protocol today
Implementing passkeys? Don't let operational security gaps compromise your authentication framework. Cantina is your go-to for comprehensive end-to-end security. Looking to secure your crypto protocol? Let's talk. We can have a full quote turned around for you within 24 hours, catered exactly to your project's needs.