This blog aims to answer some questions around passkeys.
What are passkeys?
A passkey is an authentication method that lets you authenticate without a password. Technically, the user proves possession of a cryptographic credential, unlocked locally with a biometric or device PIN instead of a normal password, and the scheme relies on public key cryptography.
Are passkeys important?
For context, when you create a passkey for a website/domain, you create a pair of keys: a public key, stored on the service's server, and a private key, stored locally on your device.
This arrangement gives us a number of benefits:
- Phishing not possible: passkeys are bound to a specific domain, so phishing with fake sites on similar-looking domains is not possible.
- Eliminates password-based attacks/vulnerabilities: passkeys are passwordless, so password attacks like brute force, credential stuffing and password leaks are not possible.
- Better UX: everyone forgets passwords at some point, and password managers are also prone to vulnerabilities, so passkeys are a better alternative. According to Google's survey, passkeys proved 4x easier than the normal password flow, resulting in 68% successful logins compared to ~18% for normal flows.
- Cost effective: passkeys remove the need for SMS-based authentication and password reset requests, which reduces resource cost.
What standard do passkeys follow?
Passkeys follow the FIDO2 standard, which consists of two main standards:
- WebAuthn (Web Authentication API):
  - A W3C standard defining a browser API for creating and using passkeys.
  - It handles the communication between the browser and the authenticator.
  - It has two methods, used for creating and retrieving passkeys:
    - navigator.credentials.create(): creates a passkey during registration.
    - navigator.credentials.get(): retrieves and uses a passkey during authentication.
- CTAP2 (Client to Authenticator Protocol 2):
  - Provides standardized communication between the client and authenticators.
  - Main features:
    - Cross-device authentication.
    - Proximity checks with BLE.
    - Communication with external authenticators.
The FIDO Alliance maintains these standards, with over 300 companies committed to streamlining secure authentication.
Summary
Passkeys are cryptographically bound to an origin and use public key cryptography, making them secure against various password-based attacks, phishing and leaks, since only public keys are stored on the server, and those cannot be abused for a valid authentication. Passkeys also preserve biometric data privacy, as the biometric check happens locally and the data is kept in secure hardware (Trusted Platform Module for Windows / Android, Secure Enclave for Apple and Knox for Samsung). Overall, passkeys are a great security feature that significantly strengthens the security posture of a company.
For part 2 with passkey deep dive, stay tuned!